Ray via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:

> I run FreeIPA across a few sites with five replicated servers. The IPA
> version is the current CentOS one: 4.5.0-21
>
> At two of those sites a kerberized NFS service is offered to the
> client machines. All clients and servers involved are CentOS
> 7.4 boxes.

Unfortunately a lot of this code changes in 7.5, but let me check if
anything obvious is wrong.

> For both NFS servers I configured NFS service principals and when I
> click my way in the GUI Identity -> Services -> nfs.server1
> resp. nfs.server2 I get to see "Kerberos Key Present, Service
> Provisioned" for both. So far things seem ok.
>
> However, mounting works only from server1, for clients at both sites
> (site1 to site2 mounting and vice versa is allowed). Mounting anything
> from server2 keeps failing:
>
> Site 2: local mount attempt:
> r...@client.at.site2:~# mount -vv -t nfs4 -osec=krb5p 
> server.at.site2:/local/test /mnt
> mount.nfs4: timeout set for Sat Dec  9 17:03:02 2017
> mount.nfs4: trying text-based options 
> 'sec=krb5p,vers=4.1,addr=xx.xx.xx.xx,clientaddr=yy.yy.yy.yy'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting 
> server.at.site2:/local/test
> r...@client.at.site2:~#

How long does this failure take?  Is it immediate, or does it take more
than a minute or so?

> Site 2: remote mount attempt:
> r...@client.at.site2:~# mount -vv -t nfs4 -osec=krb5p 
> server.at.site1:/local/test /mnt
> mount.nfs4: timeout set for Sat Dec  9 17:03:10 2017
> mount.nfs4: trying text-based options 
> 'sec=krb5p,vers=4.1,addr=zz.zz.zz.zz,clientaddr=yy.yy.yy.yy'
> r...@client.at.site2:~#

Can you check rpc-gssd logs on the machine you're mounting from?

> At site2's server I disabled:
>    - the firewall
>    - selinux

If you turn on selinux, do things change?

> I did restart nfs with systemctl restart nfs-server, but there's not
> much happening in tail -f /var/log/messages, nor does journalctl -f
> show anything new on failing mount attempts as shown above.

Can you post gssproxy logs during the failed mount attempt from site2?

> The fact that I can mount anything at all on the client indicates that
> the client is ok. In desperation, I reinstalled the NFS server at
> site2 last weekend from scratch. But now I run into the same issue as
> before.  Might there be something wrong with the service principals
> after all?

`klist -ek` the keytab on both sites.  Also check kvno for all
principals involved.

Thanks,
--Robbie
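An added example, not part of this thread or of the FreeIPA project: a POSIX sh script that parses `klist -ek` and `kvno` output and flags every principal whose keytab kvno no longer matches the kvno the KDC currently issues, which is what the keytab/kvno check above is after. The listings below are constructed samples (realm EXAMPLE.COM and principal names are assumptions), so it runs offline; on a real server feed it the output of `klist -ek /etc/krb5.keytab` and `kvno nfs/$(hostname -f)`.

```shell
#!/bin/sh
# Compare key version numbers (kvno) in a keytab listing with the kvno the
# KDC issues in service tickets. A re-enrolled or re-provisioned service
# usually bumps the kvno on the KDC; a stale keytab then cannot decrypt
# client tickets and rpc.gssd / gssproxy refuse the mount.
# Both listings are CONSTRUCTED samples in the formats of klist -ek and kvno(1).

KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/server.at.site2@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/server.at.site2@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   4 host/server.at.site2@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

KDC_KVNO='nfs/server.at.site2@EXAMPLE.COM: kvno = 3
host/server.at.site2@EXAMPLE.COM: kvno = 4'

# keytab_kvnos: "principal kvno" pairs from klist -ek output (one per enctype,
# so duplicates are collapsed).
keytab_kvnos() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+ /{print $2, $1}' | sort -u
}

# kdc_kvnos: "principal kvno" pairs from kvno(1) output.
kdc_kvnos() {
    printf '%s\n' "$1" | awk '{sub(/:$/, "", $1); print $1, $NF}' | sort -u
}

# kvno_mismatches: one line per principal whose newest keytab kvno differs
# from the KDC kvno, or which the KDC does not report at all. Empty when
# everything agrees.
kvno_mismatches() {
    {
        keytab_kvnos "$1" | sed 's/^/KEYTAB /'
        kdc_kvnos "$2"    | sed 's/^/KDC /'
    } | awk '
        # a keytab may keep older kvnos; only the newest one has to match
        $1 == "KEYTAB" { if (!($2 in kt) || $3 + 0 > kt[$2] + 0) kt[$2] = $3; next }
        $1 == "KDC"    { kdc[$2] = $3 }
        END {
            for (p in kt) {
                if (!(p in kdc)) print p, "keytab kvno", kt[p], "KDC: principal unknown"
                else if (kt[p] != kdc[p]) print p, "keytab kvno", kt[p], "KDC kvno", kdc[p]
            }
        }' | sort
}

# check_kvno: succeeds only when no principal is out of date.
check_kvno() {
    [ -z "$(kvno_mismatches "$1" "$2")" ]
}

kvno_mismatches "$KEYTAB_LISTING" "$KDC_KVNO"
```

Run the same comparison on both NFS servers; a principal that is current on server1 and stale on server2 points at the keytab rather than at the client.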
