On 02/21/2017 10:57 AM, Kees Bakker wrote:
Hey,
Maybe one of the NFS users on this list could give me a hint what
could be wrong. I'm not sure if it has any relation with FreeIPA/Kerberos.
I've set up an NFS server and I can mount the NFS directory on my client. So,
I'm
guessing that setting up Kerberos principal was done correctly.
However, only root can actually access the mounted contents. Any other user
only sees question marks as shown below.
The mount command is simple.
$ sudo mount -v -t nfs srv1.example.com:/home /nfshome
mount.nfs: timeout set for Tue Feb 21 16:36:39 2017
mount.nfs: trying text-based options
'vers=4,addr=172.16.16.45,clientaddr=172.16.16.30'
On the server side /etc/exports looks like this.
/home *(rw,sync,sec=krb5i,no_subtree_check)
$ sudo mount |grep nfs
srv1.example.com:/home on /nfshome type nfs4
(rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5i,clientaddr=172.16.16.30,local_lock=none,addr=172.16.16.45)
$ sudo ls -ld /nfshome
drwxr-xr-x 1 root root 72 feb 21 04:22 /nfshome
$ sudo ls -l /nfshome
total 0
drwxr-xr-x 1 keesb keesb 116 jan 27 12:56 keesb
$ ls -l /nfshome
ls: cannot access '/nfshome': Permission denied
$ ls -l / | grep nfshome
ls: cannot access '/nfshome': Permission denied
d????????? ? ? ? ? ? nfshome
sec=krb* means that the user accessing the mount has to authenticate
with a kerberos ticket, and has to be the user or in the group granted
access to the share. from the looks of things, the user did not
authenticate, and that is why the permissions are question marks. check
the kerberos tickets that the user has (klist output). Otherwise, the
ownership might be user and group that the client machine does not
recognize (think posix user/group that is not in sync between the NFS
server and the client)
brendan
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
