Hey All,

I recently have been trying to set up an NFSv4 share that utilizes Kerberos. My experience in general with NFS is very slim; however, I feel like I am very close to getting this project completed. Currently I have the following things in place:

1) NFS server nfs.example.net (VM#2) – Running CentOS 5.4 with all of the latest updates and NFS-related packages

2) Kerberos KDC running on Kerberos.example.net (VM#1) – Running CentOS 5.4 with all of the latest updates

3) NFS client nfs-client.example.net (VM#3) – Running CentOS 5.4 with all of the latest updates

Before I give you the error message I receive when I enable NFS, I’ll first describe my setup process.

1)       Verified Kerberos works on all machines by attempting a kinit testuser which worked properly.

2)       Verified that the clocks on all machines represent the same time (synced using a local NTP server)

3)       Created a service principal for nfs.example.net by performing the following commands on the nfs.example.net machine: - (Performed on NFS server)

a.       kadmin (Logged in as an admin principal)

b.       addprinc -randkey nfs/nfs.example.net

c.       ktadd -e des-cbc-crc:normal nfs/nfs.example.net

d.       quit

e.       kinit nfs/nfs.example.net -k -t /etc/krb5.keytab

f.         klist to verify

4)       Edited /etc/idmapd.conf with the following changes: - (Performed on NFS server)

a.       changed Nobody-{User,Group} to nfsnobody

b.       changed Domain to nfs.example.net

5)       mkdir /nfs/ - (Performed on NFS server)

6)       Added the following to /etc/exports - (Performed on NFS server)

a.       /nfs gss/krb5p(rw,sync,fsid=0)

7)       exportfs -rv - (Performed on NFS server)

8)       Verified all relevant nfs services were stopped - (Performed on NFS server)

9)       Uncommented and made the following changes to /etc/sysconfig/nfs - (Performed on NFS server)

a.       MOUNTD_NFS_V1="no"

b.       MOUNTD_NFS_V2="no"

c.       RPCNFSDARGS="-N 2 -N 3 -U"

d.       SECURE_NFS="yes"

10)   /etc/init.d/portmap start; /etc/init.d/rpcidmapd start; /etc/init.d/nfs start - (Performed on NFS server)

11)   And I receive the following output when the nfs service starts:

a.       Starting RPC svcgssd: FAILED

b.       Starting NFS Services: OK

c.       Starting NFS quotas: OK

d.       Starting NFS daemon: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory

e.       NFSD: starting 90-second grace period

f.         Starting NFS mountd: OK

12)   I then checked /var/log/messages to find the following log entries:

a.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more information - No principal in keytab matches desired name

b.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: Unable to obtain credentials for 'nfs'

c.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: unable to obtain root (machine) credentials

d.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?

I seem to be stuck at this point and would appreciate your insight.

Thank you,

Dan
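
The last rpc.svcgssd log line asks whether /etc/krb5.keytab holds an entry for nfs/<your.host>@<YOUR.REALM>. As an added example (not part of the original post), this shell function checks `klist -k` output for that exact, case-sensitive principal name; the realm EXAMPLE.NET, the function names and the sample keytab listing are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_keytab HOST REALM: reads `klist -k` output on stdin and looks for
# nfs/HOST@REALM. Returns 0 if present, 1 if the keytab has no nfs/ entry,
# 2 if it has nfs/ entries but none with exactly this name.
check_keytab() {
    awk -v want="nfs/$1@$2" '
        # Data rows look like "<KVNO> <principal> [(enctype)]".
        $1 ~ /^[0-9]+$/ && $2 ~ /^nfs\// {
            if ($2 == want) { found = 1 }
            else if (tolower($2) == tolower(want)) {
                near = near "  case differs: " $2 "\n"
            }
            else { near = near "  other nfs entry: " $2 "\n" }
        }
        END {
            if (found) { print "OK: " want; exit 0 }
            print "MISSING: " want
            printf "%s", near
            exit (near == "" ? 1 : 2)
        }'
}

# Constructed sample of `klist -k /etc/krb5.keytab` output (assumed realm).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 nfs/nfs@EXAMPLE.NET
   2 host/nfs.example.net@EXAMPLE.NET
EOF
}

# Demo on the sample; on a live host (assumed usage):
#   klist -k /etc/krb5.keytab | check_keytab "$(hostname -f)" YOUR.REALM
sample_klist | check_keytab nfs.example.net EXAMPLE.NET || true
```

A return code of 2 means the keytab has an nfs/ key, but under a different host, realm or letter case than the name being checked.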