Ray via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:

> I run FreeIPA across a few sites with five replicted servers. The IPA
> version is the current CentOS one: 4.5.0-21
> At two of those sites a kerberized NFS service is offered to the
> client machines. All clients and servers involved in the are CentOS
> 7.4 boxes.

Unfortunately a lot of this code changes in 7.5, but let me check if
anything obvious is wrong.

> For both NFS servers I configured NFS service pricipals and when I
> click my way in the GUI Identity -> Services -> nfs.server1
> resp. nfs.server2 I get to see "Kerberos Key Present, Service
> Provisioned" for both. So far things seem ok.
> However, mounting works only from server1, for clients at both sites
> (site1 to site2 mounting and vice versa is allowed). Mounting anything
> from server2 keeps failing:
> Site 2: local mount attempt:
> r...@client.at.site2:~# mount -vv -t nfs4 -osec=krb5p 
> server.at.site2:/local/test /mnt
> mount.nfs4: timeout set for Sat Dec  9 17:03:02 2017
> mount.nfs4: trying text-based options 
> 'sec=krb5p,vers=4.1,addr=xx.xx.xx.xx,clientaddr=yy.yy.yy.yy'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting 
> server.at.site2:/local/test
> r...@client.at.site2:~#

How long does this failure take?  Is it immediate, or does it take more
than a minute or so?

> Site 2: remote mount attempt:
> r...@client.at.site2:~# mount -vv -t nfs4 -osec=krb5p 
> server.at.site1:/local/test /mnt
> mount.nfs4: timeout set for Sat Dec  9 17:03:10 2017
> mount.nfs4: trying text-based options 
> 'sec=krb5p,vers=4.1,addr=zz.zz.zz.zz,clientaddr=yy.yy.yy.yy'
> r...@client.at.site2:~#

Can you check rpc-gssd logs on the machine you're mounting from?

> At site2's server I disabled:
>    - the firewall
>    - selinux

If you turn on selinux, do things change?

> I did restart nfs with systemctl restart nfs-server, but neither
> there's not much happening in tail -f /var/log/messages not journalctl
> -f show anything new on failing mount attemppts as shown above.

Can you post gssproxy logs during the failed mount attempt from site2?

> The fact that I can mount anything at all on the client indicates that
> the client is ok. In desparation, I reinstalled the NFS server at
> site2 last weekend from scratch. But now I run into the same issue as
> before.  Might there be something wrong with the service principals
> after all?

`klist -ek` the keytab on both sites.  Also check kvno for all
principals involved.


Attachment: signature.asc
Description: PGP signature

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to