
Thread: OpenSuse 11.3 nfsv4: client to nfs4 server (OpenSuse 11.0) with kerberos does not work!

  1. #1

    OpenSuse 11.3 nfsv4: client to nfs4 server (OpenSuse 11.0) with kerberos does not work!

    After installing OpenSuse 11.3 on a client I am trying to mount the home-share via nfsv4/krb5 on the OpenSuse 11.0 server.
    Userlogin via ldap/krb5 works fine. Kerberos login via kinit works also.
    Only mounting the share with sec=krb5 gives the error message:
    mount.nfs4: access denied by server while mounting server.domain:/home
    I get a machine credential.
    Mounting without sec=krb5 works fine.
    GSS/krb5 works fine with all other clients under OpenSuse 11.0, 11.1 and 11.2.

    Is there an incompatibility between krb5 on 11.3 and 11.0? Has anyone experienced the same problems?
    Any help is appreciated.

    Emil

  2. #2

    Re: OpenSuse 11.3 nfsv4: client to nfs4 server (OpenSuse 11.0) with kerberos does not work!

    Some additional info:
    While calling mount I get the following output from rpc.gssd -frrrvvv:

    Warning: rpcsec_gss library does not support setting debug level
    beginning poll
    handling krb5 upcall
    Full hostname for 'server.domain' is 'server.domain'
    Full hostname for 'client.domain' is 'client.domain'
    Success getting keytab entry for 'root/client.domain@DOMAIN'
    Successfully obtained machine credentials for principal 'root/client.domain@DOMAIN' stored in ccache 'FILE:/tmp/krb5cc_machine_DOMAIN'
    INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DOMAIN' are good until 1280277201
    using FILE:/tmp/krb5cc_machine_DOMAIN as credentials cache for machine creds
    using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_DOMAIN
    creating context using fsuid 0 (save_uid 0)
    creating tcp client for server server.domain
    DEBUG: port already set to 2049
    creating context with server nfs@server.domain
    WARNING: Failed to create krb5 context for user with uid 0 for server server.domain
    WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_DOMAIN for server server.domain
    WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server.domain
    Full hostname for 'server.domain' is 'server.domain'
    Full hostname for 'client.domain' is 'client.domain'
    Success getting keytab entry for 'root/client.domain@DOMAIN'
    Successfully obtained machine credentials for principal 'root/client.domain@DOMAIN' stored in ccache 'FILE:/tmp/krb5cc_machine_DOMAIN'
    INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DOMAIN' are good until 1280277201
    using FILE:/tmp/krb5cc_machine_DOMAIN as credentials cache for machine creds
    using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_DOMAIN
    creating context using fsuid 0 (save_uid 0)
    creating tcp client for server server.domain
    DEBUG: port already set to 2049
    creating context with server nfs@server.domain
    WARNING: Failed to create krb5 context for user with uid 0 for server server.domain
    WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_DOMAIN for server server.domain
    WARNING: Failed to create machine krb5 context with any credentials cache for server server.domain
    doing error downcall
    destroying client clnt2e
    At the same time rpc.svcgssd -frrriiivvv does not output anything.
    All firewalls are off in this test...
    The same procedure from older clients works fine and produces messages on the server....
    The server is only contacted via krb5 but not via gss.

    Maybe this info is helpful.

    Emil

  3. #3

    Re: OpenSuse 11.3 nfsv4: client to nfs4 server (OpenSuse 11.0) with kerberos does not work!

    Closing my monolog:
    according to
    Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1 -- Linux NFS
    adding to /etc/krb5.conf:
    [libdefaults]
    allow_weak_crypto = true

    solved the incompatibility between krb5 1.8.1 and 1.6.3... by allowing des keys.

    Maybe this helps someone else.

    Emil
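
Added example, not part of the original posts: a Python check that reports where a krb5.conf enables the allow_weak_crypto workaround from post #3 or lists single-DES enctypes in [libdefaults]. The function name audit_krb5_conf and the sample configuration are constructed for illustration.

```python
import re

# Single-DES enctype names recognised by MIT krb5, plus the "des" family alias.
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}
TRUE_VALUES = {"true", "t", "yes", "y", "on", "1"}


def audit_krb5_conf(text):
    """Return a list of (line_number, finding) for weak-crypto settings in [libdefaults]."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((lineno, "allow_weak_crypto enabled"))
        elif key in ENCTYPE_KEYS:
            # Entries such as "-des" remove an enctype and are not flagged.
            weak = [e for e in re.split(r"[,\s]+", value.lower()) if e in WEAK_ENCTYPES]
            if weak:
                findings.append((lineno, f"{key} lists weak enctypes: {', '.join(weak)}"))
    return findings


# Constructed sample input, modelled on the workaround in post #3.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = DOMAIN
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
# allow_weak_crypto = true   (commented out, ignored)
[domain_realm]
    .domain = DOMAIN
"""

if __name__ == "__main__":
    for lineno, finding in audit_krb5_conf(SAMPLE_CONF):
        print(f"krb5.conf line {lineno}: {finding}")
```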
