[13.2] NFS issues

soundlord · November 16, 2017, 5:50pm

Greetings.

Since the 16th of november 2017, I receive in the system journal errors concerning the NFS server calles antares running LEAP 42.2.

Nov 16 17:36:47 sirius.dezordi.world rpc.gssd[1771]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host antares.dezordi.world
Nov 16 17:36:47 sirius.dezordi.world rpc.gssd[1770]: ERROR: No credentials found for connection to server antares.dezordi.world
Nov 16 17:36:47 sirius.dezordi.world rpc.gssd[1770]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host antares.dezordi.world
Nov 16 17:36:47 sirius.dezordi.world rpc.gssd[1769]: ERROR: No credentials found for connection to server antares.dezordi.world
Nov 16 17:36:47 sirius.dezordi.world rpc.gssd[1769]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host antares.dezordi.world

I did an update concerning some security holes and since it seems something is missing in my configuration.

I do not want to use GSS security so both client (sirius) and server (antares) are not configured to use it… should I ?
I opened the port 111 on both computers (if I close it there is no more connection between sirius and antares).

Is someone able to explain why those messages strangely appeared ?

deano_ferrari · November 19, 2017, 5:54am

Can you show us how /etc/sysconfig/nfs is configured on your server?

https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.nfs.html

soundlord · November 21, 2017, 10:51pm


USE_KERNEL_NFSD_NUMBER="16"

MOUNTD_PORT="4001"

NFS_SECURITY_GSS="no"

NFS3_SERVER_SUPPORT="yes"

NFS4_SUPPORT="yes"

SM_NOTIFY_OPTIONS=""

NFS_START_SERVICES="yes"

STATD_OPTIONS=""

NFSV4LEASETIME=""

RPC_PIPEFS_DIR=""

SVCGSSD_OPTIONS=""

NFSD_OPTIONS=""

GSSD_OPTIONS=""

NFS4_SERVER_MINOR_VERSION="0"

MOUNTD_OPTIONS=""

NFS_GSSD_AVOID_DNS="no"

STATD_PORT=""

STATD_HOSTNAME=""

LOCKD_TCPPORT=""

LOCKD_UDPPORT=""

I have the feeling that the default security scheme is no more “sys” but “kbr” (kerberos)…

deano_ferrari · November 22, 2017, 12:32am

soundlord:


USE_KERNEL_NFSD_NUMBER="16"

MOUNTD_PORT="4001"

NFS_SECURITY_GSS="no"

NFS3_SERVER_SUPPORT="yes"

NFS4_SUPPORT="yes"

SM_NOTIFY_OPTIONS=""

NFS_START_SERVICES="yes"

STATD_OPTIONS=""

NFSV4LEASETIME=""

RPC_PIPEFS_DIR=""

SVCGSSD_OPTIONS=""

NFSD_OPTIONS=""

GSSD_OPTIONS=""

NFS4_SERVER_MINOR_VERSION="0"

MOUNTD_OPTIONS=""

NFS_GSSD_AVOID_DNS="no"

STATD_PORT=""

STATD_HOSTNAME=""

LOCKD_TCPPORT=""

LOCKD_UDPPORT=""

I have the feeling that the default security scheme is no more “sys” but “kbr” (kerberos)…

Perhaps. Try disabling NSFv4 and observe if the shares then mount without error (mounted using NFSv3 on client).

An old bug report describing similar behaviour…
https://bugzilla.opensuse.org/show_bug.cgi?id=916736

soundlord · November 22, 2017, 8:41am

Greetings and thank you for the help ^^

I tried to set sec=sys in the /etc/nfsmount.conf file.

It works !!
The exports are mounted and the client no more displays the error messages.

It seems, but I never dig deeper, nfs server set kerberos as the default security instead of sys.

deano_ferrari · November 22, 2017, 10:00am

Yes, but perhaps that is the case when the default version is NFSv4. I haven’t checked this in depth either.