I have an IPA server providing DNS, NTP and Kerberos auth to two of my lab servers. When I try to mount a Kerberised NFS share, I get this error:

mount.nfs: access denied by server while mounting

DNS, NTP stratum and user auth via Kerberos work fine; only the NFS shares are not getting mounted.

On NFS server:

[root@server5 secureshare]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server5.example.com@EXAMPLE.COM
   3 host/server5.example.com@EXAMPLE.COM
   3 nfs/server5.example.com@EXAMPLE.COM
   3 nfs/server5.example.com@EXAMPLE.COM
[root@server5 secureshare]# klist -l
Principal name                 Cache name
--------------                 ----------
admin@EXAMPLE.COM              KEYRING:persistent:0:0

On Client:

[root@server6 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/server6.example.com@EXAMPLE.COM
   4 host/server6.example.com@EXAMPLE.COM
   3 nfs/server6.example.com@EXAMPLE.COM
   3 nfs/server6.example.com@EXAMPLE.COM
[root@server6 ~]# klist -l
Principal name                 Cache name
--------------                 ----------
host/server6.example.com@EXAMP KEYRING:persistent:0:krb_ccache_9N4UHQt (Expired)
admin@EXAMPLE.COM              KEYRING:persistent:0:krb_ccache_h4clFv7
[root@server6 ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*labipa.example. 139.59.50.38     3 u   56  128  177    0.316  -773.02  31.477
 LOCAL(0)        .LOCL.           5 l  266   64  360    0.000    0.000   0.000

On IPA server, I see these errors in krb5kdc logs for both nodes:

Mar 08 13:53:07 labipa.example.com krb5kdc[2322](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.4.151: NEEDED_PREAUTH: host/server6.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required

What could possibly lead to this error? The nfs-secure service is also running on both nodes.

Ardneliahs

1 Answer

Found it: ntpd was not synced properly on the IPA server. I had to comment out a few lines:

### Added by IPA Installer ###
#server 127.127.1.0 iburst
#fudge 127.127.1.0 stratum 10

I also had to make sure it uses the NTP pool provided by CentOS. After that, the stratum on the IPA server changed to 2, and on my servers to 3.

And it got mounted with no issues whatsoever:

[root@server6 ~]# mount -t nfs -vvv -o sec=krb5p server5.example.com:/srv/secureshare /mnt/securenfs
mount.nfs: timeout set for Sat Mar  9 01:23:02 2019
mount.nfs: trying text-based options 'sec=krb5p,vers=4.1,addr=192.168.4.150,clientaddr=192.168.4.151'


server5.example.com:/srv/secureshare   17G  1.3G   16G   8% /mnt/securenfs
Ardneliahs
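
A way to check the time source on a Kerberos host before debugging the mount itself, as an added example that is not part of the original question or answer. It reads `ntpq -p` output and reports the selected peer, flagging the case where ntpd has fallen back to its own local clock (the `127.127.1.0` driver commented out above). The function name `check_ntp_peers` and the `MAX_SKEW_MS` variable are hypothetical, the 300 s limit assumes the MIT Kerberos default `clockskew` has not been changed, and the sample input is constructed.

```shell
#!/bin/sh
# check_ntp_peers (hypothetical helper): read `ntpq -p` output on stdin and
# judge whether the host's time source is usable for Kerberos.
# Returns 0 = ok, 1 = warning, 2 = not synchronised; prints one status line.
# MAX_SKEW_MS: allowed offset in milliseconds (ntpq reports offset in ms).
# Default 300000 ms = 300 s, the MIT Kerberos default clockskew (assumed unchanged).
check_ntp_peers() {
    awk -v max="${MAX_SKEW_MS:-300000}" '
        # A leading "*" marks the peer ntpd has selected as its system peer.
        # Columns: remote refid st t when poll reach delay offset jitter
        /^\*/ { peer = substr($1, 2); st = $3; reach = $7; off = $9; found = 1 }
        END {
            if (!found) {
                print "FAIL no selected (*) peer: clock is not synchronised"
                exit 2
            }
            abs = (off + 0 < 0) ? -(off + 0) : off + 0
            rc = 0; msg = ""
            # The undisciplined local clock driver 127.127.1.0 is shown as LOCAL(n).
            if (peer ~ /^LOCAL\(/ || peer ~ /^127\.127\.1\./) {
                msg = msg " local-clock-selected"; rc = 1
            }
            if (abs > max + 0) { msg = msg " offset-exceeds-clockskew"; rc = 1 }
            printf "%s peer=%s stratum=%s offset_ms=%s reach=%s%s\n",
                   (rc ? "WARN" : "OK"), peer, st, off, reach, msg
            exit rc
        }'
}

# Constructed sample: a server whose only selected source is its own local
# clock at the fudged stratum 10, so it reports "synchronised" to nothing real.
SAMPLE_LOCAL='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.          10 l   12   64  377    0.000    0.000   0.000'

printf '%s\n' "$SAMPLE_LOCAL" | check_ntp_peers || echo "exit status: $?"
```

On a live host, run it as `ntpq -p | check_ntp_peers` on the KDC first and then on each NFS node.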