I don't know if this is your issue, but I noticed this:

Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create machine krb5 context with credentials cache

Who are you "kinit"ed as? Is your idmapper working on both client and server?

Bryce

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of re...@mccleary.me.uk
Sent: Sunday, February 16, 2014 4:49 AM
To: freeipa-users@redhat.com
Cc: re...@mccleary.me.uk
Subject: [Freeipa-users] Kerberized NFS Mount Issues

Hi,

I'm really stuck trying to get kerberized NFS configured via IPA and would be 
very grateful for any comments or advice based on the info I've provided below. 
 I'm sure this is a very popular kerberized service configured under IPA and I 
must be missing something obvious.

Thanks, Paul

### Background ###
I've configured IPA (3.0.0-37.el6) on CentOS 6.5 (2.6.32-431.3.1.el6.x86_64) 
and have an NFS server and an NFS client (both also CentOS 6.5) configured and 
working as IPA clients, e.g. can login as an IPA LDAP user.

I have tested plain NFSv4 and that works fine:
Code:
________________________________
Testing Non-Kerberized NFS v4:
#####
#####
Client:
[root@nfs-client ~]# mount -v -t nfs4 -o rw,sec=sys nfs-server.example.local:/ /mnt
mount.nfs4: timeout set for Sat Feb 15 23:58:23 2014
mount.nfs4: trying text-based options 'sec=sys,addr=10.50.0.18,clientaddr=10.50.0.11'
nfs-server.example.local:/ on /mnt type nfs4 (rw,sec=sys)
[root@nfs-client ~]# df -h /mnt
Filesystem            Size  Used Avail Use% Mounted on
nfs-server.example.local:/  50G  14G  33G  30% /mnt
[root@nfs-client ~]# mount|grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
nfsd on /proc/fs/nfsd type nfsd (rw)
nfs-server.example.local:/ on /mnt type nfs4 (rw,sec=sys,addr=10.50.0.18,clientaddr=10.50.0.11)

#####
#####
Server:
[root@nfs-server ~]# cat /etc/exports
/pmtest    10.50.0.0/24(rw,sec=sys,fsid=0)

[root@nfs-server ~]# exportfs -v
/pmtest        10.50.0.0/24(rw,wdelay,root_squash,no_subtree_check,fsid=0,sec=sys,rw,root_squash,no_all_squash)
________________________________
When I try to mount using kerberos it fails. I've searched for a number of days 
and tried many things, but am still stuck. The key error I think is in the NFS 
server syslog:
Code:
________________________________
Feb 15 23:43:24 nfs-server rpc.svcgssd[6446]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Wrong principal in request
Feb 15 23:43:24 nfs-server rpc.svcgssd[6446]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Wrong principal in request
________________________________
I don't understand how I have the wrong principal in the krb5.keytab. The 
various guides I've seen all have a similar keytab config as me, but I really 
hoped my first attempt using kerberos was going to be very easy as IPA would do 
all the hard stuff :-)

###########################################################
Output and Config Info From Failed Kerberized NFS mount:

Both client and server have secure NFS set to yes and name resolution is fine:
Code:
________________________________
[root@nfs-client ~]# nslookup nfs-server
Server:        10.50.0.20
Address:        10.50.0.20#53

Name:  nfs-server.example.local
Address: 10.50.0.18

[root@nfs-client ~]# nslookup nfs-client
Server:        10.50.0.20
Address:        10.50.0.20#53

Name:  nfs-client.example.local
Address: 10.50.0.11


[root@nfs-server ~]# nslookup nfs-server
Server:        10.50.0.20
Address:        10.50.0.20#53

Name:  nfs-server.example.local
Address: 10.50.0.18

[root@nfs-server ~]# nslookup nfs-client
Server:        10.50.0.20
Address:        10.50.0.20#53

Name:  nfs-client.example.local
Address: 10.50.0.11
________________________________
Code:
________________________________
#####
#####
Client:
[root@nfs-client ~]# service iptables status;getenforce
iptables: Firewall is not running.
Disabled

Attempted mount:
[root@nfs-client ~]# mount -v -t nfs4 -o rw,sec=krb5 nfs-server.example.local:/ /mnt
mount.nfs4: timeout set for Sat Feb 15 23:45:23 2014
mount.nfs4: trying text-based options 'sec=krb5,addr=10.50.0.18,clientaddr=10.50.0.11'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs-server.example.local:/

/var/log/messages:
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fac70 data 0x7fffaf4fab40
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fac70 data 0x7fffaf4fab40
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fac70 data 0x7fffaf4fab40
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fac70 data 0x7fffaf4fab40
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fac70 data 0x7fffaf4fab40
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: process_krb5_upcall: service is '<null>'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for 'nfs-server.example.local' is 'nfs-server.example.local'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for 'nfs-client.example.local' is 'nfs-client.example.local'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry found for NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL while getting keytab entry for 'NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry found for root/nfs-client.example.local@EXAMPLE.LOCAL while getting keytab entry for 'root/nfs-client.example.local@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Success getting keytab entry for 'nfs/nfs-client.example.local@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Successfully obtained machine credentials for principal 'nfs/nfs-client.example.local@EXAMPLE.LOCAL' stored in ccache 'FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL' are good until 1392594203
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL as credentials cache for machine creds
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context using fsuid 0 (save_uid 0)
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating tcp client for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: DEBUG: port already set to 2049
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context with server nfs@nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for 'nfs-server.example.local' is 'nfs-server.example.local'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for 'nfs-client.example.local' is 'nfs-client.example.local'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry found for NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL while getting keytab entry for 'NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry found for root/nfs-client.example.local@EXAMPLE.LOCAL while getting keytab entry for 'root/nfs-client.example.local@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Success getting keytab entry for 'nfs/nfs-client.example.local@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL' are good until 1392594203
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL' are good until 1392594203
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL as credentials cache for machine creds
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context using fsuid 0 (save_uid 0)
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating tcp client for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: DEBUG: port already set to 2049
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context with server nfs@nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create machine krb5 context with any credentials cache for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: doing error downcall
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt0

/etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  allow_weak_crypto = true
  permitted_enctypes = des3-cbc-sha1

[realms]
  EXAMPLE.LOCAL = {
  kdc = ipa-server.example.local:88
  master_kdc = ipa-server.example.local:88
  admin_server = ipa-server.example.local:749
  default_domain = example.local
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.local = EXAMPLE.LOCAL
  example.local = EXAMPLE.LOCAL

/etc/krb5.keytab entries:
[root@nfs-client ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp        Principal
---- ----------------- --------------------------------------------------------
   4 02/15/14 23:27:51 host/nfs-client.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
   3 02/15/14 23:27:58 nfs/nfs-client.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)


#####
#####
Server:
[root@nfs-server ~]# cat /etc/exports
/pmtest    10.50.0.0/24(rw,sec=krb5,fsid=0)

[root@nfs-server ~]# exportfs -v
/pmtest        10.50.0.0/24(rw,wdelay,root_squash,no_subtree_check,fsid=0,sec=krb5,rw,root_squash,no_all_squash)

[root@nfs-server ~]# service iptables status;getenforce
iptables: Firewall is not running.
Disabled


/var/log/messages:
Feb 15 23:43:24 nfs-server rpc.svcgssd[6446]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Wrong principal in request
Feb 15 23:43:24 nfs-server rpc.svcgssd[6446]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Wrong principal in request


/etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  allow_weak_crypto = true
  permitted_enctypes = des3-cbc-sha1

[realms]
  EXAMPLE.LOCAL = {
  kdc = ipa-server.example.local:88
  master_kdc = ipa-server.example.local:88
  admin_server = ipa-server.example.local:749
  default_domain = example.local
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.local = EXAMPLE.LOCAL
  example.local = EXAMPLE.LOCAL


/etc/krb5.keytab entries:
[root@nfs-server ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp        Principal
---- ----------------- --------------------------------------------------------
   2 02/15/14 23:09:43 host/nfs-server.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
   3 02/15/14 23:09:51 nfs/nfs-server.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
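An added example, not code from the thread or from either poster: "Wrong principal in request" from rpc.svcgssd means the service principal named in the ticket the client presented is not the one the server's GSS acceptor is holding a key for, so the first thing to check is whether the acceptor name rpc.gssd logged ("creating context with server nfs@<host>") has a matching entry, with a permitted enctype, in the server's keytab. This bash script does that cross-check over inputs constructed from the values quoted above (the `klist -kte` listing, the rpc.gssd log line and the krb5.conf settings); in use, feed it real output.

```bash
#!/bin/bash
# Added example, not code from the thread. Cross-checks the acceptor principal
# rpc.gssd on the client asked for ("creating context with server nfs@<host>")
# against the principals and enctypes in the server's `klist -kte` listing and
# the permitted_enctypes line of krb5.conf. The sample inputs are constructed
# from the values quoted in the thread; feed in real output when using it.
REALM="EXAMPLE.LOCAL"                # default_realm from the thread's krb5.conf
PERMITTED_ENCTYPES="des3-cbc-sha1"   # permitted_enctypes from the thread's krb5.conf

# Constructed: server-side `klist -kte` output as quoted in the thread.
SERVER_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp        Principal
---- ----------------- ----------------------------------------------
  2 02/15/14 23:09:43 host/nfs-server.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
  3 02/15/14 23:09:51 nfs/nfs-server.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)'

# Constructed: the client-side rpc.gssd lines that name the acceptor.
CLIENT_LOG='Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context with server nfs@nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-server.example.local'

# $1: rpc.gssd log text. Prints each acceptor as service/host@REALM, one per line.
gssd_targets() {
  printf '%s\n' "$1" |
    sed -n 's/.*creating context with server \([a-z]*\)@\([^ ]*\).*/\1\/\2@'"$REALM"'/p' |
    sort -u
}

# $1: klist -kte text. Prints "principal enctype" for every data row.
keytab_entries() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $5); print $4, $5 }'
}

# $1: rpc.gssd log, $2: klist -kte text, $3: permitted_enctypes value.
# Returns 0 only if every acceptor has a keytab entry with a permitted enctype.
check_targets() {
  local log=$1 keytab=$2 permitted=$3 rc=0 target etype
  for target in $(gssd_targets "$log"); do
    etype=$(keytab_entries "$keytab" | awk -v p="$target" '$1 == p { print $2; exit }')
    if [ -z "$etype" ]; then
      echo "MISSING: no keytab entry for $target"; rc=1
    elif ! printf '%s\n' $permitted | grep -qx "$etype"; then   # $permitted splits on spaces
      echo "ENCTYPE: $target keyed with $etype, not in permitted_enctypes"; rc=1
    else
      echo "OK: $target ($etype)"
    fi
  done
  return $rc
}

check_targets "$CLIENT_LOG" "$SERVER_KEYTAB" "$PERMITTED_ENCTYPES"
```

For the values in this thread the check passes, which says the name the client asked for is present in the server keytab exactly as listed; a keytab holding only a short-name entry such as nfs/nfs-server@REALM, or a key in an enctype the server's krb5.conf does not permit, is reported as MISSING or ENCTYPE respectively.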




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
