Hello all, I have a server running Proxmox, on which I have a virtual machine running FreeIPA. I did have this set up running Kerberized NFS, but a while ago, I rebooted the Proxmox host and now I always get "Permission Denied" when trying to mount the NFS server.
To give more detail, the Proxmox server (Debian based) is running Proxmox 5.3-8 (latest version) and is joined to the FreeIPA domain:

# realm list
ghibli.darac.org.uk
  type: kerberos
  realm-name: GHIBLI.DARAC.ORG.UK
  domain-name: ghibli.darac.org.uk
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
  required-package: freeipa-client
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  login-formats: %[email protected]
  login-policy: allow-realm-logins

The NFS server is configured as follows:

# for i in /etc/default/nfs-* /etc/exports; do echo "---- $i"; grep "^[^#]" $i; done
---- /etc/default/nfs-common
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
---- /etc/default/nfs-kernel-server
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids -N 2 -N 3 -d all"
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS=" -v -v -v"
RPCNFSDOPTS=" -d 3"
---- /etc/exports
/tank 192.0.0.0/24(rw,sec=sys:krb5:krb5i:krb5p,no_subtree_check,no_root_squash)

The server has keys, too (I have tried refreshing these with `ipa-getkeytab -r -s ipaserver -p nfs/gusteau.darac.org.uk -k /etc/krb5.keytab`):

# klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 host/[email protected] (aes256-cts-hmac-sha1-96)
   9 host/[email protected] (aes128-cts-hmac-sha1-96)
   9 nfs/[email protected] (aes256-cts-hmac-sha1-96)
   9 nfs/[email protected] (aes128-cts-hmac-sha1-96)

The client is, for example, my laptop running Debian.
It, too, is joined to the domain:

# realm list
ghibli.darac.org.uk
  type: kerberos
  realm-name: GHIBLI.DARAC.ORG.UK
  domain-name: ghibli.darac.org.uk
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
  required-package: freeipa-client
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  login-formats: %[email protected]
  login-policy: allow-realm-logins

It, too, has these keys:

# klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/[email protected] (aes256-cts-hmac-sha1-96)
   4 host/[email protected] (aes128-cts-hmac-sha1-96)
   2 nfs/[email protected] (aes256-cts-hmac-sha1-96)
   2 nfs/[email protected] (aes128-cts-hmac-sha1-96)

And the user has a valid ticket:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
03/02/19 19:31:44    04/02/19 19:31:38    krbtgt/[email protected]

However, when I try to mount the server:

# mount -v -t nfs4 -o sec=krb5 gusteau.darac.org.uk:/tank mnt
mount.nfs4: timeout set for Sun Feb 3 19:34:49 2019
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=192.0.2.100,clientaddr=192.0.2.187'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting gusteau.darac.org.uk:/tank

My problem is that I've run out of places to look for errors. I've tried enabling NFS debugging, but I don't see anything obvious there. I've also looked in /var/log/krb5kdc.log on the FreeIPA server, but I don't see any log messages there when the mount is attempted.

Apologies if this isn't the right place to ask about this, but it's one of these questions of "Is it FreeIPA at fault? Is it Kerberos? Is it my setup?" and I've got to start somewhere.

Many thanks.
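An added check, not part of the original post or of any FreeIPA or nfs-utils code: before chasing Kerberos, it is worth confirming that the export line admits the client address and sec flavour that mount.nfs4 actually negotiated, since an address outside the exported network produces the same "access denied by server". The values below are constructed from the /etc/exports line and the mount -v output quoted above; hostname entries are compared by exact name only (real exportfs resolves them through DNS, which this does not model).

```python
import ipaddress
import re

# Constructed from the post: the exported line, the client address
# reported by mount.nfs4 (clientaddr=...) and the requested flavour.
EXPORTS_LINE = "/tank 192.0.0.0/24(rw,sec=sys:krb5:krb5i:krb5p,no_subtree_check,no_root_squash)"
CLIENT_ADDR = "192.0.2.187"
REQUESTED_SEC = "krb5"

# One export entry is either "clientspec(opt,opt,...)" or a bare "clientspec".
ENTRY_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports_line(line):
    """Split one /etc/exports line into (path, [(clientspec, [options]), ...])."""
    parts = line.split(None, 1)
    path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    entries = []
    for m in ENTRY_RE.finditer(rest):
        if m.group(1) is not None:
            entries.append((m.group(1), m.group(2).split(",")))
        else:
            entries.append((m.group(3), []))
    return path, entries


def client_matches(spec, addr):
    """True if spec (single IP, CIDR network, '*' or hostname) admits addr."""
    if spec == "*":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return spec == addr  # hostname spec: exact-name comparison only


def allowed_sec(options):
    """Flavours permitted by an entry; exportfs defaults to sys when sec= is absent."""
    for opt in options:
        if opt.startswith("sec="):
            return opt[4:].split(":")
    return ["sys"]


def check_mount(line, addr, sec):
    """Return (ok, reason) for a client at addr asking for flavour sec."""
    _, entries = parse_exports_line(line)
    for spec, options in entries:  # exportfs uses the first matching entry
        if client_matches(spec, addr):
            if sec in allowed_sec(options):
                return True, f"matched {spec}"
            return False, f"{spec} admits {addr} but not sec={sec}"
    return False, f"no export entry admits {addr}"
```

Run against the quoted values, check_mount reports that no entry admits 192.0.2.187, because 192.0.0.0/24 covers only 192.0.0.0 to 192.0.0.255; whether that reflects the real network or an anonymised address in the post is something only the poster can confirm.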
