[CentOS] Mount/automount fails with krb5-enabled nfs4

Hans Persson hans at ifm.liu.se
Fri Oct 22 04:45:25 EDT 2010


tor 2010-10-21 klockan 10:34 -0700 skrev James A. Peltier:

> ----- Original Message -----
[...]
> Please post a copy of your /etc/* files listed above so that we might
> be able to look to make sure everything is correct.  You may want to
> look at ensuring that
> 
> SECURE_NFS="yes"
> RPCGSSDARGS="-vvv"
> RPCSVCGSSDARGS="-vvv"
> 
> is uncommented in /etc/sysconfig/nfs

Only the first line was uncommented previously. With all three, I get
this in /var/log/messages:

> Oct 22 09:45:46 pc13287 kernel: FS-Cache: Loaded
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: handling krb5 upcall 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: Using keytab file
>     '/etc/krb5.keytab' 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: INFO: Credentials in CC 
>     'MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE' are good until 1287817962 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: using 
>     MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE as credentials cache for 
>     machine creds 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: using environment variable to 
>     select krb5 ccache MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: creating context using fsuid 
>     0 (save_uid 0) 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: creating tcp client for
>     server triangulum.ifm.liu.se 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: creating context with server 
>     nfs at triangulum.ifm.liu.se 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: rpcsec_gss: 
>     gss_init_sec_context: (major) Unspecified GSS failure.  Minor 
>     code may provide more information - (minor) Unknown code krb5 60 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: WARNING: Failed to create 
>     krb5 context for user with uid 0 for server triangulum.ifm.liu.se 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: WARNING: Failed to create 
>     krb5 context for user with uid 0 with credentials cache 
>     MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE for server
>     triangulum.ifm.liu.se 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: WARNING: Failed to create 
>     krb5 context for user with uid 0 with any credentials cache for
>     server triangulum.ifm.liu.se 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: doing error downcall 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: destroying client clnt1 
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: destroying client clnt0 

I started tail -f on the log and then ran ssh hans at pc13287 in another
window. All the above appeared immediately, before I had entered any
password (and nothing was logged after entering the password).

> There might be others missing but we would be able to help best if we
> know the contents of these files

# grep -v '^#' /etc/sysconfig/nfs
# /etc/sysconfig/nfs with comment lines stripped (grep -v '^#' above).
# Enables the GSS daemons (rpc.gssd / rpc.svcgssd) needed for krb5-secured NFS,
# per the advice quoted earlier in the thread.
SECURE_NFS="yes"
# Extra options for rpc.gssd; -vvv is maximum verbosity and is what produced
# the detailed rpc.gssd lines in the /var/log/messages excerpt above.
RPCGSSDARGS="-vvv"
# Extra options for rpc.svcgssd (the server-side daemon); only relevant if
# this host also exports NFS shares.
RPCSVCGSSDARGS="-vvv"


# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1		localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
# NOTE(review): this host's own address maps only to the short name here,
# while DNS (nslookup output further down) resolves it to
# pc13287.ad.ifm.liu.se. With "hosts: files nis dns" in nsswitch.conf this
# file is consulted first, so a local lookup of 130.236.170.165 presumably
# returns the short name rather than the FQDN - worth confirming when
# checking which host principal the krb5 keytab is expected to hold.
130.236.170.165		pc13287
130.236.160.4   loghost.ifm.liu.se      loghost


# cat /etc/idmapd.conf
# /etc/idmapd.conf as pasted (rpc.idmapd: NFSv4 name <-> uid/gid mapping).
[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
# NFSv4 id-mapping domain; it normally has to agree with the domain the NFS
# server uses, otherwise user/group names typically fall back to the
# Nobody-* entries below. NOTE(review): this is ifm.liu.se while DNS places
# this host in ad.ifm.liu.se (see the nslookup output below) - confirm the
# server side uses ifm.liu.se too. Id mapping is separate from the GSS
# context failure logged above, so this file is unlikely to be its cause.
Domain = ifm.liu.se

[Mapping]

# Fallback identities for names that cannot be mapped.
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
# Resolve names through the NSS sources listed in nsswitch.conf.
Method = nsswitch


# cat /etc/krb5.conf
# /etc/krb5.conf as pasted; lines marked NOTE(review) are reviewer annotations.
[libdefaults]
        default_realm = IFM.LIU.SE
# Both ticket enctype lists are pinned to single DES, which is why
# allow_weak_crypto has to be enabled further down. Single DES is a weak,
# deprecated enctype: besides the security exposure, any KDC or service
# whose keys no longer include a DES enctype cannot be used with this
# client configuration.
 	default_tgs_enctypes = des-cbc-md5
 	default_tkt_enctypes = des-cbc-md5
#	udp_preference_limit = 0
# DNS-based realm and KDC discovery is off, so realm selection relies
# entirely on [domain_realm] and KDC addresses on [realms] below.
 	dns_lookup_realm = false
 	dns_lookup_kdc = false
# Required for the library to accept the DES enctypes listed above.
	allow_weak_crypto = true

[realms]
# Three KDCs and the admin server for the default realm.
        IFM.LIU.SE = {
		kdc = as-slave-1.ifm.liu.se
                kdc = as-slave-2.ifm.liu.se
		kdc = as-master.ifm.liu.se
                admin_server = as-master.ifm.liu.se
        }
[... other realms deleted ...]

[domain_realm]
# Host/domain -> realm table (longest-suffix match, leading dot = whole
# subdomain). NOTE(review): DNS resolves this host to pc13287.ad.ifm.liu.se,
# which this table maps to AD.IFM.LIU.SE, while default_realm is IFM.LIU.SE;
# the NFS server triangulum.ifm.liu.se maps to IFM.LIU.SE. Worth confirming
# which realm the host principal in /etc/krb5.keytab was issued in.
	.edu.isy.liu.se = STUDENT.LIU.SE
	.edu.ifm.liu.se = STUDENT.LIU.SE
	.edu.mai.liu.se = STUDENT.LIU.SE
	.ad.ifm.liu.se = AD.IFM.LIU.SE
	ifm.liu.se = IFM.LIU.SE
	.ifm.liu.se = IFM.LIU.SE
	isy.liu.se = ISY.LIU.SE
	.isy.liu.se = ISY.LIU.SE
	lysator.liu.se = LYSATOR.LIU.SE
	.lysator.liu.se = LYSATOR.LIU.SE
	.liu.se = AD.LIU.SE

[logging]
# Library ("default") and KDC logging share one file here; the kdc and
# kdc_rotate entries only matter on a host that runs a KDC.
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
	kdc_rotate = {
		period = 1d
		versions = 10
	}

[appdefaults]
# Defaults applied by kinit: request renewable and forwardable TGTs.
	kinit = {
		renewable = true
		forwardable= true
	}
	gkadmin = {
# NOTE(review): the value of help_url sits on the next line at column 0,
# leaving help_url empty as written - confirm the profile parser accepts
# this or join the two lines.
		help_url =
http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
	}


# cat /etc/host.conf 
# /etc/host.conf: legacy resolver option. NOTE(review): on glibc the lookup
# order that actually applies is the "hosts:" line in nsswitch.conf below.
order hosts,bind


# grep -v '^#' /etc/nsswitch.conf
# /etc/nsswitch.conf with comment lines stripped (grep -v '^#' above).
# Accounts and groups: local files first, then NIS.
passwd:     files nis
shadow:     files nis
group:      files nis
# Host lookups: /etc/hosts first, then NIS, DNS last - so the short-name-only
# entry for this host in /etc/hosts above takes precedence over DNS locally.
hosts:      files nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files nis
publickey:  nisplus
automount:  files nis
aliases:    files nisplus


# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
; NOTE(review): the DHCP-supplied search domain is ad.ifm.liu.se, not
; ifm.liu.se, so unqualified names are expanded with ad.ifm.liu.se; this
; matches the FQDN DNS returns for this host in the nslookup output below.
search ad.ifm.liu.se
; resolvers tried in listed order
nameserver 130.236.168.6
nameserver 130.236.168.7
nameserver 130.236.160.3


And while we're at it, this is how DNS looks:

# hostname
pc13287
# nslookup pc13287
Server:		130.236.168.6
Address:	130.236.168.6#53

Name:	pc13287.ad.ifm.liu.se
Address: 130.236.170.165

# nslookup 130.236.170.165
Server:		130.236.168.6
Address:	130.236.168.6#53

165.170.236.130.in-addr.arpa	name = pc13287.ad.ifm.liu.se.


Hans



