
I need to deploy NFSv4 with Kerberos authentication in an existing AD environment, however, it must be done without making any changes on the KDC...

So I figured I would need to reuse host credentials for authenticating the servers. However, it does not seem to be working and I just cannot figure out why.

I'm working with CentOS 6. We've been using Kerberos+LDAP with a number of other services (SSH via PAM, OpenAFS, ...).

For the sake of simplicity, the same machine plays the role of both the client and the server for now.

So my configuration looks like:

/etc/sysconfig/nfs:

SECURE_NFS="yes"
RPCGSSDARGS="-vvvvvvv"
RPCSVCGSSDARGS="-n -vvvvv -rrrrr -iiiiii"

The important part here is the "-n" option passed to rpc.svcgssd (from the manpage: "Use the system default credentials (host/FQDN@REALM) rather than the default nfs/FQDN@REALM.")

In /etc/idmapd.conf I have:

[General]
Verbosity = 3
Domain = mycompany.com


[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

Method = nsswitch

In /etc/krb5.conf I have:

[libdefaults]
 default_realm = MYCOMPANY.COM
 ticket_lifetime = 25h
 renew_lifetime = 120h
 forwardable = true
 proxiable = true
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 allow_weak_crypto = true
 chpw_prompt = true

[realms]
 MYCOMPANY.COM = {
  default_domain = mycompany.com
  kpasswd_server = dc.mycompany.com
  admin_server = dc.mycompany.com
  kdc = dc.mycompany.com

  v4_name_convert = {
     host = {
         rcmd = host
     }
  }
 }
[domain_realm]
 .mycompany.com = MYCOMPANY.COM
[appdefaults]
   pkinit_pool =  DIR:/etc/pki/tls/certs/
   pkinit_anchors = DIR:/etc/pki/tls/certs/
 pam = {
   external = true
   krb4_convert =  false 
   krb4_convert_524 =  false 
   krb4_use_as_req =  false 
   ticket_lifetime = 25h
   use_shmem = sshd
 }

In /etc/exports:

/exports *(rw,async,no_root_squash,insecure,no_subtree_check,fsid=0,sec=krb5)
/exports/data *(rw,async,no_root_squash,insecure,no_subtree_check,nohide,sec=krb5)

So now if I try mounting this NFS share by running

mount -vvvv -t nfs4 -o rw,sec=krb5 nfs-srv-1:/ /mnt

as root, I got:

mount: fstab path: "/etc/fstab"
mount: mtab path:  "/etc/mtab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
mount: UID:        0
mount: eUID:       0
mount: spec:  "nfs-srv-1:/"
mount: node:  "/mnt"
mount: types: "nfs4"
mount: opts:  "rw,sec=krb5"
final mount options: 'sec=krb5'
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "nfs-srv-1:/"
mount: external mount: argv[2] = "/mnt"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Thu Sep  3 15:19:19 2015
mount.nfs4: trying text-based options 'sec=krb5,addr=xxx.xxx.xx.xxx,clientaddr=xxx.xxx.xx.xxx'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs-srv-1:/

and in the logs:

Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: process_krb5_upcall: service is '<null>'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for NFS-SRV-1$@MYCOMPANY.COM while getting keytab entry for 'NFS-SRV-1$@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'root/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server nfs@nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for NFS-SRV-1$@MYCOMPANY.COM while getting keytab entry for 'NFS-SRV-1$@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'root/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server nfs@nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with any credentials cache for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: doing error downcall
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8c
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8b

Contents of the ticket cache (from a later run, so please ignore the timestamps):

Ticket cache: FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Default principal: host/nfs-srv-1.mycompany.com@MYCOMPANY.COM

Valid starting     Expires            Service principal
09/04/15 10:34:34  09/05/15 11:34:34  krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
    renew until 09/09/15 10:34:34

It seems that it finds my host credentials but fails to initialize the Kerberos 5 context. I have no idea what to do with this, could you please help me out?

Let me know if you need any more details.

Thanks a lot in advance.

dgyuri92
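The following diagnostic is an added example and is not part of the original post. It reproduces the machine-credential search order that the rpc.gssd log above shows (MACHINE$, root/FQDN, nfs/FQDN, host/FQDN) against a `klist -kt` listing, and checks whether the machine credential cache holds a service ticket for `nfs/FQDN`, which is the target name gssd builds (`nfs@nfs-srv-1.mycompany.com`) before it fails. The `klist` outputs embedded below are constructed to match what the question shows; the `live_check` function, the use of `hostname -f`, `kvno` and the `/etc/krb5.keytab` path are assumptions about a typical CentOS 6 host with krb5-workstation installed.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors the principal search
# order rpc.gssd logged in the question and checks the credential cache
# for the nfs/FQDN service ticket the GSS context needs.

FQDN="nfs-srv-1.mycompany.com"
REALM="MYCOMPANY.COM"

# Constructed 'klist -kt /etc/krb5.keytab' output: only host/ keys present,
# which matches the "Success getting keytab entry for 'host/...'" log line.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/01/15 10:00:00 host/nfs-srv-1.mycompany.com@MYCOMPANY.COM
   3 09/01/15 10:00:00 host/nfs-srv-1@MYCOMPANY.COM'

# Constructed 'klist' output for the machine cache shown in the question:
# a TGT only, no service ticket.
SAMPLE_CCACHE='Ticket cache: FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Default principal: host/nfs-srv-1.mycompany.com@MYCOMPANY.COM

Valid starting     Expires            Service principal
09/04/15 10:34:34  09/05/15 11:34:34  krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
    renew until 09/09/15 10:34:34'

# listing_has LISTING PRINCIPAL -> 0 if PRINCIPAL is the last field of any line
# (works for both 'klist -kt' and 'klist' output, where the principal is last).
listing_has() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# gssd_machine_principal LISTING FQDN REALM
# Prints the first keytab principal rpc.gssd would pick, in the order the
# question's log shows; returns 1 if none of the candidates is present.
gssd_machine_principal() {
    listing=$1; fqdn=$2; realm=$3
    short=$(printf '%s\n' "$fqdn" | cut -d. -f1 | tr 'a-z' 'A-Z')
    for cand in "${short}\$@${realm}" "root/${fqdn}@${realm}" \
                "nfs/${fqdn}@${realm}" "host/${fqdn}@${realm}"; do
        if listing_has "$listing" "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# ccache_has_service LISTING SERVICE_PRINCIPAL -> 0 if a ticket for it is cached
ccache_has_service() {
    listing_has "$1" "$2"
}

# live_check REALM: same checks against the real keytab and KDC (assumed tools:
# klist, kvno, hostname -f). Run with KRB5CCNAME pointing at the machine cache.
live_check() {
    realm=$1
    fqdn=$(hostname -f)
    kt=$(klist -kt /etc/krb5.keytab)
    gssd_machine_principal "$kt" "$fqdn" "$realm" \
        || echo "no machine credential candidate found in /etc/krb5.keytab"
    # Asks the KDC for exactly the ticket gssd needs; a "Server not found in
    # Kerberos database" error means the nfs/FQDN SPN is not registered.
    kvno "nfs/${fqdn}@${realm}"
}

demo() {
    p=$(gssd_machine_principal "$SAMPLE_KEYTAB" "$FQDN" "$REALM") \
        && echo "gssd would use machine credential: $p"
    if ccache_has_service "$SAMPLE_CCACHE" "nfs/${FQDN}@${REALM}"; then
        echo "service ticket for nfs/${FQDN} present in cache"
    else
        echo "no service ticket for nfs/${FQDN} in cache (TGT only)"
    fi
}

case "${1:-}" in
    live) live_check "$REALM" ;;
    *)    demo ;;
esac
```

Run it without arguments to see the result on the constructed data, or with `live` on the affected host to compare the real keytab and a direct `kvno` request for `nfs/FQDN` with what gssd logged; `-n` on rpc.svcgssd changes which key the server accepts, but the client side still has to obtain a ticket for the `nfs@FQDN` target it logs.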
    I was in a similar situation: _Failed to create machine krb5 context with any credentials cache..._ I missed the SPN for the non-FQDN name. It is necessary to have both of them, `nfs/machine.domain.xx` and `nfs/machine`, in `/etc/krb5.keytab`. (But I'm not sure, because in your case I see that it tries to create the KRB5 context for the FQDN. I have Samba 4 and I've associated both SPNs with the user `MACHINE$` and exported all three keys to the keytab file.) – Theodor Keinstein Nov 28 '15 at 22:22
