I need to deploy NFSv4 with Kerberos authentication in an existing AD environment; however, it must be done without making any changes on the KDC...
So I figured I would need to reuse host credentials for authenticating the servers. However, it does not seem to be working, and I just cannot figure out why.
I'm working with CentOS 6. We've been using Kerberos+LDAP with a number of other services (SSH via PAM, OpenAFS, ...).
For the sake of simplicity, the same machine plays the role of both the client and the server for now.
So my configuration looks like:
/etc/sysconfig/nfs:
SECURE_NFS="yes"
RPCGSSDARGS="-vvvvvvv"
RPCSVCGSSDARGS="-n -vvvvv -rrrrr -iiiiii"
The important part here is the "-n" option passed to rpc.svcgssd (from the manpage: "Use the system default credentials (host/FQDN@REALM) rather than the default nfs/FQDN@REALM.")
In /etc/idmapd.conf I have:
[General]
Verbosity = 3
Domain = mycompany.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch
In /etc/krb5.conf I have:
[libdefaults]
    default_realm = MYCOMPANY.COM
    ticket_lifetime = 25h
    renew_lifetime = 120h
    forwardable = true
    proxiable = true
    default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    allow_weak_crypto = true
    chpw_prompt = true
[realms]
    MYCOMPANY.COM = {
        default_domain = mycompany.com
        kpasswd_server = dc.mycompany.com
        admin_server = dc.mycompany.com
        kdc = dc.mycompany.com
        v4_name_convert = {
            host = {
                rcmd = host
            }
        }
    }
[domain_realm]
    .mycompany.com = MYCOMPANY.COM
[appdefaults]
    pkinit_pool = DIR:/etc/pki/tls/certs/
    pkinit_anchors = DIR:/etc/pki/tls/certs/
    pam = {
        external = true
        krb4_convert = false
        krb4_convert_524 = false
        krb4_use_as_req = false
        ticket_lifetime = 25h
        use_shmem = sshd
    }
In /etc/exports:
/exports *(rw,async,no_root_squash,insecure,no_subtree_check,fsid=0,sec=krb5)
/exports/data *(rw,async,no_root_squash,insecure,no_subtree_check,nohide,sec=krb5)
So now if I try mounting this NFS share by running
mount -vvvv -t nfs4 -o rw,sec=krb5 nfs-srv-1:/ /mnt
as root, I got:
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: spec: "nfs-srv-1:/"
mount: node: "/mnt"
mount: types: "nfs4"
mount: opts: "rw,sec=krb5"
final mount options: 'sec=krb5'
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "nfs-srv-1:/"
mount: external mount: argv[2] = "/mnt"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Thu Sep 3 15:19:19 2015
mount.nfs4: trying text-based options 'sec=krb5,addr=xxx.xxx.xx.xxx,clientaddr=xxx.xxx.xx.xxx'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs-srv-1:/
and in the logs:
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: process_krb5_upcall: service is '<null>'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for NFS-SRV-1$@MYCOMPANY.COM while getting keytab entry for 'NFS-SRV-1$@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'root/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server nfs@nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for NFS-SRV-1$@MYCOMPANY.COM while getting keytab entry for 'NFS-SRV-1$@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'root/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server nfs@nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with any credentials cache for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: doing error downcall
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8c
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8b
Contents of the ticket cache (from a later execution, so please ignore the timestamps...):
Ticket cache: FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Default principal: host/nfs-srv-1.mycompany.com@MYCOMPANY.COM
Valid starting     Expires            Service principal
09/04/15 10:34:34  09/05/15 11:34:34  krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
        renew until 09/09/15 10:34:34
It seems that it finds my host credentials but fails to initialize the Kerberos 5 context. I have no idea what to do with this; could you please help me out?
Let me know if you need any more details.
Thanks a lot in advance.
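A small triage script for the rpc.gssd output above, added here as an example and not part of the original post or of nfs-utils: it extracts which keytab principals the client daemon looked for and found, which GSS target it negotiated a context for (the log shows nfs@nfs-srv-1.mycompany.com, even though the -n option in the post only tells rpc.svcgssd, the server side, to accept host/ credentials), and whether the context creation failed. The sample lines are copied from the log in the post; the regexes match the nfs-utils message texts visible there.

```python
import re

# rpc.gssd debug lines taken from the post (client and server are the same host).
SAMPLE_LOG = """\
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for NFS-SRV-1$@MYCOMPANY.COM while getting keytab entry for 'NFS-SRV-1$@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'root/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server nfs@nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with any credentials cache for server nfs-srv-1.mycompany.com
"""

MISSING = re.compile(r"No key table entry found for (\S+) while")
FOUND = re.compile(r"Success getting keytab entry for '([^']+)'")
TARGET = re.compile(r"creating context with server (\S+)")
FAILED = re.compile(r"WARNING: Failed to create (?:machine )?krb5 context")


def triage_gssd_log(text):
    """Collect the keytab principals rpc.gssd tried (missing / found), the GSS
    target names it negotiated, and whether any context creation failed."""
    summary = {"missing": [], "found": [], "targets": [], "failed": False}
    for line in text.splitlines():
        if m := MISSING.search(line):
            summary["missing"].append(m.group(1))
        elif m := FOUND.search(line):
            summary["found"].append(m.group(1))
        elif m := TARGET.search(line):
            summary["targets"].append(m.group(1))
        elif FAILED.search(line):
            summary["failed"] = True
    return summary


def negotiated_vs_keytab(summary):
    """Compare the service part of the negotiated GSS targets ('nfs' from
    'nfs@host') with the service part of the keytab entries that were found
    ('host' from 'host/fqdn@REALM'); a difference is worth checking first."""
    targets = sorted({t.split("@", 1)[0] for t in summary["targets"]})
    keytab = sorted({p.split("/", 1)[0] for p in summary["found"] if "/" in p})
    return targets, keytab


if __name__ == "__main__":
    s = triage_gssd_log(SAMPLE_LOG)
    print("missing:", s["missing"])
    print("found:", s["found"])
    print("negotiated vs keytab services:", negotiated_vs_keytab(s))
    print("context failed:", s["failed"])
```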