Thanks for the reply Matt, I managed to resolve that issue by recreating
the keytab and principals on the AD, but am hitting another issue now with
the mount command.

When I run mount I get the following:

[root@centos72 /]# mount -o sec=krb5 optimusprime:/ /mnt -v
mount.nfs: timeout set for Thu Feb 18 12:45:46 2016
mount.nfs: trying text-based options
'sec=krb5,vers=4,addr=optimusprime,clientaddr=centos72'
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting optimusprime:/

And in /var/log/messages I get the following:

Feb 18 12:43:49 centos72 rpc.gssd[4560]: WARNING: handle_gssd_upcall:
failed reading request
Feb 18 12:43:49 centos72 gssproxy: gssproxy[677]: (OID: { 1 2 840 113554 1
2 2 }) Unspecified GSS failure.  Minor code may provide more information,
No credentials cache found

I googled a bit and found:

No credential cache found
*Cause:*The user's credential cache is incorrect or does not exist.
*Solution:*The user should run kinit before trying to start the service.

But my kinit is successful and my TGT ticket is created in the /tmp folder,
so I'm not sure why I'm not finding the gss cache. I assume it has something
to do with my setup of ganesha.

What services should I be running when attempting to do this?

I've started rpc.gssd:

[root@centos72 /]# systemctl status rpc-gssd.service
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor
preset: disabled)
   Active: active (running) since Thu 2016-02-18 12:41:39 CET; 2s ago
  Process: 21148 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited,
status=0/SUCCESS)
 Main PID: 21149 (rpc.gssd)
   CGroup: /system.slice/rpc-gssd.service
           └─21149 /usr/sbin/rpc.gssd

But service rpc-svcgssd is not started.

Are there other things I should start? In my ganesha build configuration I
set:
USE_GSS = ON

Is there anything else specific I should switch on?

Any ideas why I'm hitting this issue? Could it be something related to
ganesha, or something to do with my AD Kerberos setup?

Thanks,
Adi


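As an added example (not code from this thread, from nfs-ganesha or from rpc.gssd), here is a small Python triage script that works offline on the artefacts Adi posted. It parses a `net ads keytab list` / `klist -k` style listing and checks that the host's nfs/ service principal is present with an AES key and a single kvno (the listing above still carries DES and RC4 keys next to the AES ones, which a defender would want retired), parses the rpc.gssd and gssproxy lines from /var/log/messages to pull out the krb5 minor-status text, and names the -1765328378 code from Matt's reply using the MIT krb5 com_err table base. The hostnames, realm, keytab lines and log lines are taken from the thread; the weak-enctype policy, the optional `account_kvno` comparison and all function names are the editor's assumptions.

```python
"""Added triage helper for the artefacts in this thread (not code from the
thread, nfs-ganesha or rpc.gssd): parses a `net ads keytab list`-style listing,
checks the host's nfs/ service principal, parses the rpc.gssd/gssproxy syslog
lines, and names the krb5 code from Matt's reply. Sample inputs are constructed
from the thread; hostnames and realm are the thread's, all else is assumed."""
import re
from dataclasses import dataclass

KEYTAB_LINE = re.compile(r"^(\d+)\s+(.+?)\s+(\S+@\S+)$")  # kvno, enctype, principal
WEAK_ENCTYPE_MARKERS = ("DES", "ArcFour")  # legacy enctypes to flag (assumed policy)
SYSLOG_LINE = re.compile(  # "<mon> <day> <time> <host> <prog>[<pid>]: <msg>"
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$")
GSS_MINOR_SPLIT = "Minor code may provide more information,"
# MIT krb5 com_err table: code = KRB5KDC_ERR_NONE + offset (a few entries only).
KRB5KDC_ERR_NONE = -1765328384
KRB5_ERROR_NAMES = {
    0: "KRB5KDC_ERR_NONE", 6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", 24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED", 37: "KRB5KRB_AP_ERR_SKEW"}


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    enctype: str
    principal: str


def parse_keytab_listing(text):
    """Parse `net ads keytab list` / `klist -k` output; the header line does not match."""
    matches = (KEYTAB_LINE.match(line.strip()) for line in text.splitlines())
    return [KeytabEntry(int(m.group(1)), m.group(2), m.group(3)) for m in matches if m]


def check_service_principal(entries, host_fqdn, realm, account_kvno=None):
    """Findings for nfs/<fqdn>@REALM (empty list = looks usable). account_kvno is
    the kvno the directory reports; a stale keytab behind it cannot decrypt tickets."""
    expected = f"nfs/{host_fqdn}@{realm}"
    matching = [e for e in entries if e.principal == expected]
    if not matching:
        return [f"{expected} is not in the keytab"]
    findings = []
    weak = [e.enctype for e in matching
            if any(mark in e.enctype for mark in WEAK_ENCTYPE_MARKERS)]
    if len(weak) == len(matching):
        findings.append(f"{expected} has only DES/RC4 keys; add an AES key")
    elif weak:
        findings.append(f"{expected} also carries legacy keys: {', '.join(weak)}")
    kvnos = sorted({e.kvno for e in matching})
    if len(kvnos) > 1:
        findings.append(f"{expected} has mixed kvnos {kvnos}")
    if account_kvno is not None and account_kvno not in kvnos:
        findings.append(f"keytab kvno {kvnos} != account kvno {account_kvno}")
    return findings


def parse_syslog(text):
    """Split classic syslog lines into ts/host/prog/pid/msg dicts (pid may be None)."""
    return [m.groupdict() for m in map(SYSLOG_LINE.match, text.splitlines()) if m]


def gss_minor_detail(msg):
    """krb5 minor-status text from an 'Unspecified GSS failure' message, or None."""
    return msg.split(GSS_MINOR_SPLIT, 1)[1].strip() if GSS_MINOR_SPLIT in msg else None


def krb5_error_name(code):
    return KRB5_ERROR_NAMES.get(code - KRB5KDC_ERR_NONE, f"unlisted krb5 code {code}")


# Constructed from the thread: the client's nfs/ entries (full name plus one short name).
CLIENT_KEYTAB = """\
Vno Type Principal
10 DES cbc mode with CRC-32 nfs/centos72.car.local@CAR.LOCAL
10 DES cbc mode with RSA-MD5 nfs/centos72.car.local@CAR.LOCAL
10 AES-128 CTS mode with 96-bit SHA-1 HMAC nfs/centos72.car.local@CAR.LOCAL
10 AES-256 CTS mode with 96-bit SHA-1 HMAC nfs/centos72.car.local@CAR.LOCAL
10 ArcFour with HMAC/md5 nfs/centos72.car.local@CAR.LOCAL
10 AES-256 CTS mode with 96-bit SHA-1 HMAC nfs/CENTOS72@CAR.LOCAL
"""
# Constructed from the thread's /var/log/messages excerpt, with the mail wrapping undone.
LOG_SAMPLE = """\
Feb 18 12:43:49 centos72 rpc.gssd[4560]: WARNING: handle_gssd_upcall: failed reading request
Feb 18 12:43:49 centos72 gssproxy: gssproxy[677]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
"""


def main():
    entries = parse_keytab_listing(CLIENT_KEYTAB)
    for f in check_service_principal(entries, "centos72.car.local", "CAR.LOCAL") or ["ok"]:
        print("keytab:", f)
    for rec in parse_syslog(LOG_SAMPLE):
        detail = gss_minor_detail(rec["msg"])
        if detail:  # OID 1.2.840.113554.1.2.2 is the Kerberos V5 GSS mechanism
            print(f"{rec['prog']} pid={rec['pid']}: {detail}")
    print(-1765328378, "=", krb5_error_name(-1765328378))


if __name__ == "__main__":
    main()
```

Run as-is it reports the legacy DES/RC4 keys on the client principal, isolates "No credentials cache found" as the krb5 detail behind the gssproxy message, and confirms Matt's decoding of the error code. To check the server side the same way, paste the server's `klist -k` output and its own log lines into the two sample strings.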
On Wed, Feb 17, 2016 at 9:47 PM, Matt Benjamin <mbenja...@redhat.com> wrote:

> Hi Adi,
>
> I don't know what's happening, to be honest, and don't have experience
> using an AD server as a KDC (but it should work).
>
> However, I did google and find that the error code you're getting
> (-1765328378) is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, which
> perhaps may help you.
>
> Matt
>
> ----- Original Message -----
> > From: "Adi Kant" <adilicious...@gmail.com>
> > To: nfs-ganesha-devel@lists.sourceforge.net
> > Sent: Wednesday, February 17, 2016 10:18:38 AM
> > Subject: [Nfs-ganesha-devel] Mounting between linux server and client
> with    krb5 enabled
> >
> > Hi all, I'm trying to set up mounting with kerberos authentication. I
> tested
> > the mount option without kerberos using sec=sys and it works fine. But
> when
> > I use sec=krb5 it does not work.
> >
> > I've added both my server and client machines to my Windows 2012 r2
> active
> > directory.
> >
> > Then I've created keytab files for both the server and client and added
> the
> > nfs principal to them:
> >
> > CLIENT:
> > [root@centos72 /]# net ads keytab list | grep -i nfs
> > Vno Type Principal
> > 10 DES cbc mode with CRC-32 nfs/centos72.car.local@CAR.LOCAL
> > 10 DES cbc mode with RSA-MD5 nfs/centos72.car.local@CAR.LOCAL
> > 10 AES-128 CTS mode with 96-bit SHA-1 HMAC
> nfs/centos72.car.local@CAR.LOCAL
> > 10 AES-256 CTS mode with 96-bit SHA-1 HMAC
> nfs/centos72.car.local@CAR.LOCAL
> > 10 ArcFour with HMAC/md5 nfs/centos72.car.local@CAR.LOCAL
> > 10 DES cbc mode with CRC-32 nfs/CENTOS72@CAR.LOCAL
> > 10 DES cbc mode with RSA-MD5 nfs/CENTOS72@CAR.LOCAL
> > 10 AES-128 CTS mode with 96-bit SHA-1 HMAC nfs/CENTOS72@CAR.LOCAL
> > 10 AES-256 CTS mode with 96-bit SHA-1 HMAC nfs/CENTOS72@CAR.LOCAL
> > 10 ArcFour with HMAC/md5 nfs/CENTOS72@CAR.LOCAL
> >
> > SERVER:
> > [root@optimusprime bin]# net ads keytab list | grep -i nfs
> > Vno Type Principal
> > 11 DES cbc mode with CRC-32 nfs/optimusprime.car.local@CAR.LOCAL
> > 11 DES cbc mode with RSA-MD5 nfs/optimusprime.car.local@CAR.LOCAL
> > 11 AES-128 CTS mode with 96-bit SHA-1 HMAC
> > nfs/optimusprime.car.local@CAR.LOCAL
> > 11 AES-256 CTS mode with 96-bit SHA-1 HMAC
> > nfs/optimusprime.car.local@CAR.LOCAL
> > 11 ArcFour with HMAC/md5 nfs/optimusprime.car.local@CAR.LOCAL
> > 11 DES cbc mode with CRC-32 nfs/OPTIMUSPRIME@CAR.LOCAL
> > 11 DES cbc mode with RSA-MD5 nfs/OPTIMUSPRIME@CAR.LOCAL
> > 11 AES-128 CTS mode with 96-bit SHA-1 HMAC nfs/OPTIMUSPRIME@CAR.LOCAL
> > 11 AES-256 CTS mode with 96-bit SHA-1 HMAC nfs/OPTIMUSPRIME@CAR.LOCAL
> > 11 ArcFour with HMAC/md5 nfs/OPTIMUSPRIME@CAR.LOCAL
> >
> > Also on the windows 2012 r2 machine I created the same principals with
> setspn
> > command:
> >
> > ACTIVE DIRECTORY:
> > C:\Users\Administrator>setspn -a nfs/centos72.car.local centos72 Checking
> > domain DC=car,DC=local CN=centos72,CN=Computers,DC=car,DC=local
> > nfs/centos72.car.local nfs/centos72 HOST/centos72.car.local HOST/CENTOS72
> > Duplicate SPN found, aborting operation! C:\Users\Administrator>setspn -a
> > nfs/optimusprime.car.local optimusprime Checking domain DC=car,DC=local
> > CN=optimusprime,CN=Computers,DC=car,DC=local nfs/optimusprime.car.local
> > nfs/optimusprime HOST/optimusprime.car.local HOST/OPTIMUSPRIME Duplicate
> SPN
> > found, aborting operation!
> >
> >
> > So my first issue is that when I start the server in the logs I see the
> > following:
> >
> > :WARN :gssd_refresh_krb5_machine_credential failed (-1765328378:0)
> >
> > As I understand it this function checks the credentials in the keytab
> file
> > for the hostname and the nfs principle. But I have both in my keytab
> file so
> > I'm not sure why this is occurring.
> >
> > The second issue is that when I execute:
> >
> > [root@centos72 /]# mount -t nfs4 -o sec=krb5 SERVERIP:/ /mnt -v
> > mount.nfs4: timeout set for Wed Feb 17 15:33:16 2016
> > mount.nfs4: trying text-based options 'sec=krb5,addr= SERVERIP
> > ,clientaddr=CLINETIP'
> > mount.nfs4: mount(2): Permission denied
> > mount.nfs4: access denied by server while mounting SERVERIP :/
> >
> > I'm assuming that the cause of this is because the
> > refresh_krb5_machine_credential failed.
> >
> > Does anybody have any ideas why this is happening?
> >
> > Also below is my config file; not sure if I'm missing something here:
> >
> > ###################################################
> > #
> > # EXPORT
> > #
> > # To function, all that is required is an EXPORT
> > #
> > # Define the absolute minimal export
> > #
> > ###################################################
> >
> > EXPORT
> > {
> > # Export Id (mandatory, each EXPORT must have a unique Export_Id)
> > Export_Id = 77;
> >
> > # Exported path (mandatory)
> > Path = /tmp;
> >
> > # Pseudo Path (required for NFS v4)
> > Pseudo = /krb;
> >
> > FSAL
> > {
> > Name = VFSAL;
> > }
> >
> > # Additional options
> > Access_type = RW; # Access permissions
> > Squash = No_root_squash; # To enable/disable root squashing
> > Disable_ACL = TRUE; # To enable/disable ACL
> > #Protocols = 3,4 ; # NFS protocols supported
> > Protocols = 4;
> > Transports = "UDP,TCP" ; # Transport protocols supported
> > SecType = "krb5"; # Security flavors supported
> > }
> >
> > Thanks!
> >
> >
> ------------------------------------------------------------------------------
> > Site24x7 APM Insight: Get Deep Visibility into Application Performance
> > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> > Monitor end-to-end web transactions and take corrective actions now
> > Troubleshoot faster and improve end-user experience. Signup Now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> > _______________________________________________
> > Nfs-ganesha-devel mailing list
> > Nfs-ganesha-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel
> >
>
> --
> --
> Matt Benjamin
> Red Hat, Inc.
> 315 West Huron Street, Suite 140A
> Ann Arbor, Michigan 48103
>
> http://www.redhat.com/en/technologies/storage
>
> tel.  734-707-0660
> fax.  734-769-8938
> cel.  734-216-5309
>