Permission denied for kerberized NFS mount

Hi,

I know next to nothing about Kerberos, and I’m trying to create an export on openSUSE 13.1 with sec=krb5, but I keep getting:

rjmuser@host14:~> mount /mnt/nfs/temporary_mount
mount.nfs: access denied by server while mounting host14.domain.com:/srv/nfs/kerberos_export01

The node I’m using is both client and server for NFS. The KDC is a Windows 2008R2 Active Directory and the /etc/krb5.conf file is:

rjmuser@host14:~> cat /etc/krb5.conf
[libdefaults]
default_realm = RJMDOMAIN2008.LOCAL
allow_weak_crypto = true

[realms]
RJMDOMAIN2008.LOCAL = {
kdc = x.x.x.x
admin_server = x.x.x.x
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[domain_realm]
host14.domain.com = RJMDOMAIN2008.LOCAL

The /etc/fstab entry is:

host14.domain.com:/srv/nfs/kerberos_export01 /mnt/nfs/temporary_mount nfs rw,user,nolock,noauto,sec=krb5 0 0

I have set up /etc/krb5.keytab with:

rjmuser@host14:~> klist -kte /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-crc)
3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-md5)
3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (arcfour-hmac)
3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (aes256-cts-hmac-sha1-96)
3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (aes128-cts-hmac-sha1-96)
3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-crc)
3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-md5)
3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (arcfour-hmac)
3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (aes256-cts-hmac-sha1-96)
3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (aes128-cts-hmac-sha1-96)

I can kinit the nfs/…:

rjmuser@host14:~> kinit nfs/host14.domain.com@RJMDOMAIN2008.LOCAL -k -t /etc/krb5.keytab
rjmuser@host14:~> klist
Ticket cache: DIR::/run/user/36001/krb5cc/tktGJWoHg
Default principal: nfs/host14.domain.com@RJMDOMAIN2008.LOCAL

Valid starting Expires Service principal
02/09/2017 12:37:08 02/09/2017 22:37:08 krbtgt/RJMDOMAIN2008.LOCAL@RJMDOMAIN2008.LOCAL
renew until 02/10/2017 12:37:50

The user can also authenticate without issue:

rjmuser@host14:~> kinit
Password for rjmuser@RJMDOMAIN2008.LOCAL:
rjmuser@cag14:~> klist
Ticket cache: DIR::/run/user/36001/krb5cc/tktGJWoHg
Default principal: rjmuser@RJMDOMAIN2008.LOCAL

Valid starting Expires Service principal
02/09/2017 12:40:58 02/09/2017 22:40:58 krbtgt/RJMDOMAIN2008.LOCAL@RJMDOMAIN2008.LOCAL
renew until 02/10/2017 12:41:36

Checking rpc.gssd I see:

DEBUG: port already set to 2049
creating context with server nfs@host14.domain.com
WARNING: Failed to create krb5 context for user with uid 0 for server host14.domain.com
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_RJMDOMAIN2008.LOCAL for server host14.domain.com
WARNING: Failed to create machine krb5 context with any credentials cache for server host14.domain.com
doing error downcall

So I’m not sure what’s going wrong here. Any suggestions?

Thanks,

Rob
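The WARNING lines in the rpc.gssd output are rpc.gssd trying to obtain machine credentials for uid 0 from the keytab. rpc.gssd(8) documents the principal names it tries for that, in order, so a quick check is to list those names against what the keytab actually contains. The script below is an added example, not code from the original post: it reuses the hostname and realm from the post, embeds a constructed copy of the keytab listing instead of calling klist, assumes the installed rpc.gssd follows the search order in the current man page (older releases may lack the HOSTNAME$ form), and flags DES keys (usable only with allow_weak_crypto = true) and RC4 keys (deprecated).

```shell
#!/bin/sh
# Added example, not from the original post. rpc.gssd(8) documents the
# principal names it tries, in order, when it needs machine credentials
# for uid 0: HOSTNAME$@REALM, root/host@REALM, nfs/host@REALM, host/host@REALM
# (then root/, nfs/, host/ with any hostname as a last resort). This script
# reproduces that search against the text of `klist -kte <keytab>` and
# classifies the enctypes present. Assumption: the installed rpc.gssd
# follows the order in the current man page.

# Print the candidate machine principals for a host/realm, one per line.
gssd_candidates() {
    host=$1 realm=$2
    short=$(printf '%s' "$host" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "${short}\$@${realm}" "root/${host}@${realm}" \
                  "nfs/${host}@${realm}" "host/${host}@${realm}"
}

# Read `klist -kte` text on stdin and report found/missing for each
# candidate. Returns 0 if at least one candidate is in the keytab.
check_keytab() {
    host=$1 realm=$2
    keytab=$(cat)
    status=1
    for p in $(gssd_candidates "$host" "$realm"); do
        # klist prints "<kvno> <date> <time> <principal> (<enctype>)"
        if printf '%s\n' "$keytab" | grep -Fq " $p "; then
            printf '%-7s %s\n' found "$p"; status=0
        else
            printf '%-7s %s\n' missing "$p"
        fi
    done
    return $status
}

# Read `klist -kte` text on stdin and classify each distinct enctype.
# DES needs allow_weak_crypto = true; RC4 (arcfour-hmac) is deprecated.
weak_enctypes() {
    sed -n 's/.*(\([a-z0-9-]*\))$/\1/p' | sort -u | while read -r et; do
        case $et in
            des-*|arcfour-*) printf 'weak %s\n' "$et" ;;
            *)               printf 'ok   %s\n' "$et" ;;
        esac
    done
}

# Constructed sample mirroring the keytab in the post (not real output);
# on a real system use: klist -kte /etc/krb5.keytab | check_keytab HOST REALM
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
   3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-crc)
   3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (arcfour-hmac)
   3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (aes256-cts-hmac-sha1-96)'

printf '%s\n' "$SAMPLE_KLIST" | check_keytab host14.domain.com RJMDOMAIN2008.LOCAL
printf '%s\n' "$SAMPLE_KLIST" | weak_enctypes
```

Against the post's keytab the first two candidates are reported missing and nfs/ and host/ are found, so a keytab entry exists for the name rpc.gssd would use; the remaining things to compare are the enctypes the kernel and rpc.gssd are actually willing to use and the realm/hostname mapping rpc.gssd derives for the server.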

openSUSE community documentation on Kerberos in general
https://doc.opensuse.org/documentation/leap/security/html/book.security/part.auth.html

openSUSE community documentation on setting up an NFS mount (including info about kerberos)
https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.nfs.html

From the above,

  • Using the YaST module might be an easy solution to your problems.
  • Like everything else regarding security, you need to describe your entire security setup, including relevant details; in this case, what is your Kerberos authentication server (Active Directory? openLDAP? something else?). It can also help if you have Kerberos already working for other uses, so you can more or less assume that the server side is working properly and concentrate only on the client-side configuration.

Remember if you want to try out a completely new approach (like using YaST) that you clean out everything you’ve done to avoid potential conflicts.
Another approach might be to set up a new virtual machine, get your NFS mount working and then return to your current machine.

TSU