j...@use.startmail.com wrote:
> Hello everyone,
>
> I initially followed freeipa NFS documentation for setting up external stand
> alone NFS server
>
> ipa host-add mickey.corp.example.org
> ipa service-add nfs/mickey.corp.example.org
> ipa-getkeytab -s razoul.corp.example.org -p nfs/mickey.corp.example.org -k
> /tmp/nfs.keytab
>
> uploaded keytab to NFS server and all appeared to work just fine:
>
> mickey> export KRB5_CONFIG=/etc/nfs/krb5.conf

Why are you using a custom krb5.conf?

> mickey> kinit admin
> Password for ad...@corp.example.org: XXXXXXX
> mickey> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@corp.example.org
>
> Valid starting Expires Service principal
> 05/16/2015 18:17:00 05/17/2015 18:16:50
> krbtgt/corp.example....@corp.example.org
> mickey> kinit -k -t /etc/nfs/krb5.keytab
> nfs/mickey.corp.example....@corp.example.org
> mickey> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfs/mickey.corp.example....@corp.example.org
>
> Valid starting Expires Service principal
> 05/16/2015 23:48:14 05/17/2015 23:48:13
> krbtgt/corp.example....@corp.example.org
> mickey>
>
> However, I learned hard way (NFS stopped working) that ipa-getkeytab issues
> ticket with a default timeout of 3 months.

keytabs don't time out. What made you think it has a 3-month validity period?

>
> I repeated ipa-getkeytab and got:
>
> mickey> kinit -k -t /etc/nfs/krb5.keytab
> kinit: Keytab contains no suitable keys for
> host/mickey.corp.example....@corp.example.org while getting initial
> credentials
> mickey> klist -k -t /etc/nfs/krb5.keytab
> Keytab name: FILE:/etc/nfs/krb5.keytab
> KVNO Timestamp Principal
> ---- -------------------
> ------------------------------------------------------
> 5 11/03/2015 10:50:10 nfs/mickey.corp.example....@corp.example.org
> 5 11/03/2015 10:50:10 nfs/mickey.corp.example....@corp.example.org
> 5 11/03/2015 10:50:10 nfs/mickey.corp.example....@corp.example.org
> 5 11/03/2015 10:50:10 nfs/mickey.corp.example....@corp.example.org

You used the right command earlier:

# kinit -k -t /etc/nfs/krb5.keytab nfs/mickey.corp.example....@corp.example.org

> When client tries to mount:
>
> # mount -vvv -o sec=krb5 mickey:/volume1/homes /mnt
> mount.nfs: timeout set for Thu Nov 5 11:41:39 2015
> mount.nfs: trying text-based options
> 'sec=krb5,vers=4,addr=192.168.26.2,clientaddr=192.168.26.31'
> mount.nfs: mount(2): Invalid argument
> mount.nfs: an incorrect mount option was specified
>
> Not much information available...
>
> Any NFS experts out here?

The NFS server may have more info.

rob