Hi,
I know next to nothing about Kerberos, and I'm trying to create an export on openSUSE 13.1 with sec=krb5, but I keep getting:
rjmuser@host14:~> mount /mnt/nfs/temporary_mount
mount.nfs: access denied by server while mounting host14.domain.com:/srv/nfs/kerberos_export01
The node I’m using is both client and server for NFS. The KDC is a Windows 2008R2 Active Directory and the /etc/krb5.conf file is:
rjmuser@host14:~> cat /etc/krb5.conf
[libdefaults]
default_realm = RJMDOMAIN2008.LOCAL
allow_weak_crypto = true
[realms]
RJMDOMAIN2008.LOCAL = {
kdc = x.x.x.x
admin_server = x.x.x.x
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
host14.domain.com = RJMDOMAIN2008.LOCAL
The /etc/fstab entry is:
host14.domain.com:/srv/nfs/kerberos_export01 /mnt/nfs/temporary_mount nfs rw,user,nolock,noauto,sec=krb5 0 0
I have set up /etc/krb5.keytab with:
rjmuser@host14:~> klist -kte /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-crc)
3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-md5)
3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (arcfour-hmac)
3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (aes256-cts-hmac-sha1-96)
3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (aes128-cts-hmac-sha1-96)
3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-crc)
3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-md5)
3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (arcfour-hmac)
3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (aes256-cts-hmac-sha1-96)
3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (aes128-cts-hmac-sha1-96)
I can kinit as the nfs/… principal:
rjmuser@host14:~> kinit nfs/host14.domain.com@RJMDOMAIN2008.LOCAL -k -t /etc/krb5.keytab
rjmuser@host14:~> klist
Ticket cache: DIR::/run/user/36001/krb5cc/tktGJWoHg
Default principal: nfs/host14.domain.com@RJMDOMAIN2008.LOCAL
Valid starting Expires Service principal
02/09/2017 12:37:08 02/09/2017 22:37:08 krbtgt/RJMDOMAIN2008.LOCAL@RJMDOMAIN2008.LOCAL
renew until 02/10/2017 12:37:50
The user can also authenticate without issue:
rjmuser@host14:~> kinit
Password for rjmuser@RJMDOMAIN2008.LOCAL:
rjmuser@cag14:~> klist
Ticket cache: DIR::/run/user/36001/krb5cc/tktGJWoHg
Default principal: rjmuser@RJMDOMAIN2008.LOCAL
Valid starting Expires Service principal
02/09/2017 12:40:58 02/09/2017 22:40:58 krbtgt/RJMDOMAIN2008.LOCAL@RJMDOMAIN2008.LOCAL
renew until 02/10/2017 12:41:36
Checking rpc.gssd, I see:
…
DEBUG: port already set to 2049
creating context with server nfs@host14.domain.com
WARNING: Failed to create krb5 context for user with uid 0 for server host14.domain.com
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_RJMDOMAIN2008.LOCAL for server host14.domain.com
WARNING: Failed to create machine krb5 context with any credentials cache for server host14.domain.com
doing error downcall
…
So I’m not sure what’s going wrong here. Any suggestions?
Thanks,
Rob
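A pre-flight check for the keytab and krb5.conf of the kind shown in the post, added here as an example and not part of the original post or of nfs-utils: it parses a `klist -kte` listing and a krb5.conf, confirms that nfs/<fqdn>@REALM and host/<fqdn>@REALM are present with a single KVNO, and separates the single-DES keys (only usable because allow_weak_crypto = true is set) from the AES ones, so the weak keys and the allow_weak_crypto setting can be dropped once AES is confirmed working. The listing and config strings are constructed to mirror the shape of the post's output, the two-token timestamp layout is assumed, and the check logic is this example's own; it makes no claim about which principal rpc.gssd searches for first.

```python
"""Pre-flight checks for an NFS sec=krb5 keytab and krb5.conf.

Added example, not part of the original post or of nfs-utils: the
listing and config strings below are constructed, and the checks are
this example's own.
"""
import re
from dataclasses import dataclass

# Single-DES enctypes: MIT Kerberos refuses to use them unless
# [libdefaults] allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}
# Older types that still work by default but should not be relied on.
DEPRECATED_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des3-cbc-sha1"}


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str


# One `klist -kte` row: KVNO, date, time, principal, "(enctype)".
# Assumes klist's default two-token timestamp layout.
_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_keytab_listing(text):
    """Return a KeytabEntry for every key row in `klist -kte` output."""
    return [KeytabEntry(int(m.group(1)), m.group(2), m.group(3))
            for m in map(_ROW.match, text.splitlines()) if m]


def allow_weak_crypto(krb5_conf):
    """True if [libdefaults] turns on allow_weak_crypto (MIT boolean spellings)."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "allow_weak_crypto":
                return value.strip().lower() in ("y", "yes", "true", "t", "1", "on")
    return False


def check_nfs_keytab(entries, fqdn, realm):
    """Summarise what a sec=krb5 mount needs from the keytab for `fqdn`."""
    by_principal = {}
    for e in entries:
        by_principal.setdefault(e.principal, []).append(e)
    nfs_entries = by_principal.get(f"nfs/{fqdn}@{realm}", [])
    enctypes = {e.enctype for e in nfs_entries}
    realms = {p.rsplit("@", 1)[-1] for p in by_principal if "@" in p}
    return {
        "nfs_principal": bool(nfs_entries),
        "host_principal": f"host/{fqdn}@{realm}" in by_principal,
        "single_kvno": len({e.kvno for e in nfs_entries}) == 1,
        "weak": sorted(enctypes & WEAK_ENCTYPES),
        "deprecated": sorted(enctypes & DEPRECATED_ENCTYPES),
        "strong": sorted(enctypes - WEAK_ENCTYPES - DEPRECATED_ENCTYPES),
        "other_realms": sorted(realms - {realm}),
    }


def findings(report, weak_allowed):
    """Turn the report into human-readable findings (empty list = clean)."""
    out = []
    if not report["nfs_principal"]:
        out.append("no nfs/<fqdn> service principal in the keytab")
    elif not report["single_kvno"]:
        out.append("nfs/ keys carry mixed KVNOs; the keytab may be stale")
    if not report["strong"]:
        out.append("no AES key for nfs/; only weak or deprecated enctypes present")
    if report["weak"]:
        state = ("allow_weak_crypto is on, so they are usable: drop them once AES works"
                 if weak_allowed else "unusable because allow_weak_crypto is off")
        out.append(f"single-DES keys present ({', '.join(report['weak'])}); {state}")
    if report["other_realms"]:
        out.append(f"keytab also holds principals for realms {report['other_realms']}")
    return out


# Constructed sample input shaped like the post's listing, not a real keytab.
SAMPLE_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
   3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-crc)
   3 02/08/2017 17:07:42 host/host14.domain.com@RJMDOMAIN2008.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-crc)
   3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (des-cbc-md5)
   3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (arcfour-hmac)
   3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/08/2017 17:07:42 nfs/host14.domain.com@RJMDOMAIN2008.LOCAL (aes128-cts-hmac-sha1-96)
"""
SAMPLE_CONF = """\
[libdefaults]
  default_realm = RJMDOMAIN2008.LOCAL
  allow_weak_crypto = true
[realms]
  RJMDOMAIN2008.LOCAL = { kdc = x.x.x.x }
"""

if __name__ == "__main__":
    rep = check_nfs_keytab(parse_keytab_listing(SAMPLE_LISTING),
                           "host14.domain.com", "RJMDOMAIN2008.LOCAL")
    for line in findings(rep, allow_weak_crypto(SAMPLE_CONF)):
        print("-", line)
```

On a real host, feed `parse_keytab_listing` the output of `klist -kte /etc/krb5.keytab` and `allow_weak_crypto` the contents of /etc/krb5.conf; an empty findings list means the keytab has an AES-keyed nfs/ principal for the host's FQDN in the expected realm and no DES keys to clean up.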