I am trying to mount a krb5p NFS export. For this I have followed these instructions.

Line in /etc/exports:

```
/home/users     192.168.1.0/24(rw,sec=krb5p,no_subtree_check,nohide,async,anonuid=65534,anongid=65534)
```

When attempting the mount on the client I get:

```
root@client:/home# mount -t nfs4 -o sec=krb5p server:/home/users /home/users/ -vvv
mount: fstab path: "/etc/fstab"
mount: mtab path:  "/etc/mtab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
mount: UID:        0
mount: eUID:       0
mount: spec:  "server:/home/users"
mount: node:  "/home/users/"
mount: types: "nfs4"
mount: opts:  "sec=krb5p"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "server:/home/users"
mount: external mount: argv[2] = "/home/users/"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5p"
mount.nfs4: timeout set for Sun May 12 14:46:22 2013
mount.nfs4: trying text-based options 'sec=krb5p,addr=192.168.1.2,clientaddr=192.168.1.82'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting server:/home/users
```

On the server, however, I could find no relevant log entry or any information at all that describes the reason why the access was denied.

When changing the security from krb5p to sys the mount works fine.

kinit etc. for Kerberos works fine, though.

How can I find out the reason why the access is being rejected? Or do you perhaps know what I am doing wrong here?

d_inevitable
  • Try to run rpc.nfsd from the command line with the -d option – kofemann May 12 '13 at 17:56
  • @tigran after struggling with this all day I have finally found it just now. `-s` on `rpc.nfsd` did the trick. I've got some seemingly more meaningful messages now, although I still don't understand them. – d_inevitable May 12 '13 at 18:02

1 Answer

I was able to get some more meaningful messages on the server by editing /etc/default/nfs-kernel-server and adding the -s option to rpc.nfsd like this:

```
# Options for rpc.nfsd.
RPCNFSDOPTS="-s"
```

When trying to do the mount, that gave me the output:

```
May 12 19:59:48 server krb5kdc[2704]: AS_REQ (4 etypes {18 17 16 23}) 192.168.1.62: NEEDED_PREAUTH: nfs/client.localdomain@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
May 12 19:59:48 server krb5kdc[2704]: preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
May 12 19:59:48 server krb5kdc[2704]: AS_REQ (4 etypes {18 17 16 23}) 192.168.1.62: PREAUTH_FAILED: nfs/client.localdomain@REALM for krbtgt/REALM@REALM, Decrypt integrity check failed
```

Not sure if that really helps me, but it's one step ahead.

d_inevitable
  • Made a new thread to look into that preauthentication problem in detail: http://serverfault.com/questions/507122/kerberos-pre-authentication-failed-on-nfs-mount – d_inevitable May 12 '13 at 19:25
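
A small parser for the krb5kdc lines quoted in the answer, as an added example that is not part of the original post: it extracts the client principal, source address and result code from each AS_REQ entry and counts PREAUTH_FAILED results. The log text is constructed from the excerpt above plus one hypothetical ISSUE line, and the function names and the slash heuristic for service principals are assumptions.

```python
import re
from collections import Counter

# Kerberos encryption type numbers (IANA registry) seen in the quoted log.
ETYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Matches the numeric-etype AS_REQ format shown in the answer's log excerpt.
AS_REQ = re.compile(r"AS_REQ \(\d+ etypes \{([\d ]+)\}\) (\S+): (\w+): (.*)$")
PRINCIPALS = re.compile(r"([^\s,]+) for ([^\s,]+)")

# Constructed sample: the three quoted lines plus one hypothetical ISSUE line.
SAMPLE_LOG = """\
May 12 19:59:48 server krb5kdc[2704]: AS_REQ (4 etypes {18 17 16 23}) 192.168.1.62: NEEDED_PREAUTH: nfs/client.localdomain@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
May 12 19:59:48 server krb5kdc[2704]: preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
May 12 19:59:48 server krb5kdc[2704]: AS_REQ (4 etypes {18 17 16 23}) 192.168.1.62: PREAUTH_FAILED: nfs/client.localdomain@REALM for krbtgt/REALM@REALM, Decrypt integrity check failed
May 12 20:01:02 server krb5kdc[2704]: AS_REQ (4 etypes {18 17 16 23}) 192.168.1.62: ISSUE: authtime 1368381662, etypes {rep=18 tkt=18 ses=18}, alice@REALM for krbtgt/REALM@REALM
"""

def parse_as_req(line):
    """Return a dict for a krb5kdc AS_REQ line, or None for any other line."""
    m = AS_REQ.search(line)
    if not m:
        return None
    p = PRINCIPALS.search(m.group(4))
    if not p:
        return None
    return {"etypes": [ETYPES.get(int(n), n) for n in m.group(1).split()],
            "addr": m.group(2), "status": m.group(3),
            "client": p.group(1), "server": p.group(2)}

def preauth_failures(log_text):
    """Count PREAUTH_FAILED results per (client principal, source address)."""
    failed = Counter()
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec and rec["status"] == "PREAUTH_FAILED":
            failed[(rec["client"], rec["addr"])] += 1
    return failed

def is_service_principal(name):
    """Heuristic (assumption): service/host@REALM names usually use a keytab."""
    return "/" in name.split("@", 1)[0]

if __name__ == "__main__":
    for (client, addr), n in preauth_failures(SAMPLE_LOG).items():
        kind = "keytab" if is_service_principal(client) else "password"
        print(f"{client} from {addr}: {n} failed pre-auth, likely key source: {kind}")
```

For encrypted-timestamp pre-authentication, "Decrypt integrity check failed" generally means the key the client used does not match the key the KDC holds for that principal, which for a service principal such as `nfs/client.localdomain` points at the client's keytab entry.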