On Thursday, November 5, 2015 1:54 PM, Rob Crittenden <rcrit...@redhat.com> 
wrote:
> j...@use.startmail.com wrote:
>> Hello everyone,
>>
>> I initially followed freeipa NFS documentation for setting up external
>> stand alone NFS server
>>
>> ipa host-add mickey.corp.example.org
>> ipa service-add nfs/mickey.corp.example.org
>> ipa-getkeytab -s razoul.corp.example.org -p nfs/mickey.corp.example.org
>> -k /tmp/nfs.keytab
>>
>> uploaded keytab to NFS server and all appeared to work just fine:
>>
>> mickey> export KRB5_CONFIG=/etc/nfs/krb5.conf
> 
> Why are you using a custom krb5.conf?
NFS server is a network appliance. It automatically creates /etc/nfs/krb5.conf 
based on nfs keytab provided.

> 
>> mickey> kinit admin
>> Password for ad...@corp.example.org: XXXXXXX
>> mickey> klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@corp.example.org
>>
>> Valid starting       Expires              Service principal
>> 05/16/2015 18:17:00  05/17/2015 18:16:50 
>> krbtgt/corp.example....@corp.example.org
>> mickey> kinit -k -t /etc/nfs/krb5.keytab
>> nfs/mickey.corp.example....@corp.example.org
>> mickey> klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: nfs/mickey.corp.example....@corp.example.org
>>
>> Valid starting       Expires              Service principal
>> 05/16/2015 23:48:14  05/17/2015 23:48:13 
>> krbtgt/corp.example....@corp.example.org
>> mickey>
>>
>> However, I learned the hard way (NFS stopped working) that ipa-getkeytab
>> issues a ticket with a default timeout of 3 months.
> 
> keytabs don't time out. What made you think it has a 3-month validity
> period?
Well, network appliance tech support told me that "authentication key being 
expired".
Are you saying that keytab should never need to be updated on NFS server?

>>
>> I repeated ipa-getkeytab and got:
>>
>> mickey> kinit -k -t /etc/nfs/krb5.keytab
>> kinit: Keytab contains no suitable keys for
>> host/mickey.corp.example....@corp.example.org while getting initial
>> credentials
>> mickey> klist -k -t /etc/nfs/krb5.keytab
>> Keytab name: FILE:/etc/nfs/krb5.keytab
>> KVNO Timestamp           Principal
>> ---- -------------------
>> ------------------------------------------------------
>>   5 11/03/2015 10:50:10 nfs/mickey.corp.example....@corp.example.org
>>   5 11/03/2015 10:50:10 nfs/mickey.corp.example....@corp.example.org
>>   5 11/03/2015 10:50:10 nfs/mickey.corp.example....@corp.example.org
>>   5 11/03/2015 10:50:10 nfs/mickey.corp.example....@corp.example.org
> 
> You used the right command earlier:
> 
> # kinit -k -t /etc/nfs/krb5.keytab
> nfs/mickey.corp.example....@corp.example.org
Oops, found the problem, at least on the kinit part: the principal should be specified 
on the command line:
# kinit -k -t /etc/nfs/krb5.keytab \
nfs/mickey.corp.example....@corp.example.org
#

> 
>> When client tries to mount:
>>
>> # mount -vvv -o sec=krb5 mickey:/volume1/homes /mnt
>> mount.nfs: timeout set for Thu Nov  5 11:41:39 2015
>> mount.nfs: trying text-based options
>> 'sec=krb5,vers=4,addr=192.168.26.2,clientaddr=192.168.26.31'
>> mount.nfs: mount(2): Invalid argument
>> mount.nfs: an incorrect mount option was specified
>>
>> Not much information available...
>>
>> Any NFS experts out here?
> 
> The NFS server may have more info.

That is a network appliance, I'll have to try to manually add debug options to 
NFS components.

But the client is an IPA domain member and Kerberos logins are working just fine - is 
it sufficient to conclude that the host is in good shape?

Thank you.
Josh.
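
The two failures in the thread, a keytab that no longer matches what the KDC holds and a kinit that looked for the wrong principal, can both be caught with a short pre-flight check on the NFS server. The script below is an added example for this thread; it is not code from the FreeIPA project, from the appliance vendor, or from anyone in the discussion. It assumes MIT krb5 client tools (klist, kvno, kinit) and their output formats as shown in the thread, and it assumes the service principal is nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG (the realm name is a guess from the domain; the thread only shows it munged). The klist and kvno outputs embedded in the script are constructed to resemble the thread's, not copied from it. Note that keys in a keytab do not expire, but every run of ipa-getkeytab that generates a new key advances the KVNO on the KDC, so an older copy of the keytab on the server stops working; ipa-getkeytab -r (retrieve mode) fetches the existing key without that side effect.

```shell
#!/bin/sh
# check_nfs_keytab.sh -- added example for this thread, not code from the
# FreeIPA project or from the appliance. Assumes MIT krb5 client tools
# (klist, kvno, kinit) and the MIT output formats shown in the thread.
# Two checks that would have caught both failures discussed above:
#   1. the nfs/ principal is actually in the keytab (kinit -k without an
#      explicit principal defaults to host/<fqdn>, hence "no suitable keys");
#   2. the keytab's key version (KVNO) matches the KDC's current KVNO, which
#      moves forward every time ipa-getkeytab generates a new key, silently
#      invalidating any copy of the keytab that was deployed earlier.

KEYTAB="${KEYTAB:-/etc/nfs/krb5.keytab}"
# Assumed principal; the realm name is a guess based on the domain in the thread.
PRINC="${PRINC:-nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG}"

# Read `klist -k -t <keytab>` output on stdin, print the highest KVNO stored
# for principal $1 (0 if the principal is absent). Entry lines start with a
# number and end with the principal; header and separator lines are skipped.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $NF == p { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# Read `kvno <principal>` output on stdin ("<principal>: kvno = N") and print
# N, or 0 if the KDC did not answer for principal $1.
kdc_kvno() {
    awk -v p="$1" -F': kvno = ' '
        $1 == p { print $2 + 0; found = 1 }
        END { if (!found) print 0 }'
}

# check_keytab PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT
# Exit status: 0 = usable, 1 = principal missing from keytab, 2 = keytab stale.
check_keytab() {
    princ="$1"
    kt=$(printf '%s\n' "$2" | keytab_kvno "$princ")
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$princ")
    if [ "$kt" -eq 0 ]; then
        echo "MISSING: $princ is not in the keytab; pass the principal to kinit -k explicitly" >&2
        return 1
    fi
    if [ "$kt" -ne "$kdc" ]; then
        echo "STALE: keytab holds kvno $kt but the KDC is at kvno $kdc; redeploy the keytab" >&2
        return 2
    fi
    echo "OK: $princ kvno $kt matches the KDC"
}

# Live mode: run the same check against the real keytab and KDC. Skipped
# when the tools or the keytab are not available on this host.
live_check() {
    if ! command -v klist >/dev/null 2>&1 || ! command -v kvno >/dev/null 2>&1 \
       || [ ! -r "$KEYTAB" ]; then
        echo "krb5 tools or $KEYTAB unavailable, skipping live check" >&2
        return 0
    fi
    KRB5CCNAME="FILE:/tmp/krb5cc_keytab_check.$$"; export KRB5CCNAME
    # The principal must be given: kinit -k alone would look for host/<fqdn>.
    kinit -k -t "$KEYTAB" "$PRINC" || return 1
    check_keytab "$PRINC" "$(klist -k -t "$KEYTAB")" "$(kvno "$PRINC")"
    rc=$?
    kdestroy >/dev/null 2>&1
    return "$rc"
}

# Constructed sample outputs (modelled on the thread, not captured from it),
# so the parsing and the verdicts can be exercised without a KDC.
SAMPLE_KLIST='Keytab name: FILE:/etc/nfs/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
   5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG'
SAMPLE_KVNO_CURRENT='nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG: kvno = 5'
SAMPLE_KVNO_AFTER_REGEN='nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG: kvno = 6'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    check_keytab "$PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO_CURRENT" || true      # OK
    check_keytab "$PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO_AFTER_REGEN" || true  # STALE
    check_keytab "host/mickey.corp.example.org@CORP.EXAMPLE.ORG" \
        "$SAMPLE_KLIST" "$SAMPLE_KVNO_CURRENT" || true                        # MISSING
fi
```

Run it with no arguments to see the three verdicts on the constructed samples, or with --live on the NFS server (after setting KEYTAB and PRINC if they differ) to obtain a TGT from the keytab and compare against the KDC. A STALE verdict is the situation the appliance's support described as an "expired" key: the keytab is intact, but the KDC has moved on to a newer key version.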
