Hey All,
I recently have been trying to set up an NFSv4 share that utilizes Kerberos. My experience in general with NFS is very slim; however, I feel like I am very close to getting this project completed. Currently I have the following things in place:
1) NFS server nfs.example.net (VM#2) - Running CentOS 5.4 with all of the latest updates and NFS-related packages
2) Kerberos KDC running on Kerberos.example.net (VM#1) - Running CentOS 5.4 with all of the latest updates
3) NFS client nfs-client.example.net (VM#3) - Running CentOS 5.4 with all of the latest updates
Before I give you the error message I receive when I enable NFS, I'll first describe my setup process.
1) Verified Kerberos works on all machines by attempting a kinit testuser, which worked properly.
2) Verified that the clocks on all machines represent the same time (synced using a local NTP server)
3) Created a service principal for nfs.example.net by performing the following commands on the nfs.example.net machine - (Performed on NFS server)
   a. kadmin (Logged in as an admin principal)
   b. addprinc -randkey nfs/nfs.example.net
   c. ktadd -e des-cbc-crc:normal nfs/nfs.example.net
   d. quit
   e. kinit nfs/nfs.example.net -k -t /etc/krb5.keytab
   f. klist to verify
4) Edited /etc/idmapd.conf with the following changes - (Performed on NFS server)
   a. changed Nobody-{User,Group} to nfsnobody
   b. changed Domain to nfs.example.net
5) mkdir /nfs/ - (Performed on NFS server)
6) Added the following to /etc/exports - (Performed on NFS server)
   a. /nfs gss/krb5p(rw,sync,fsid=0)
7) exportfs -rv - (Performed on NFS server)
8) Verified all relevant nfs services were stopped - (Performed on NFS server)
9) Uncommented and made the following changes to /etc/sysconfig/nfs - (Performed on NFS server)
   a. MOUNTD_NFS_V1="no"
   b. MOUNTD_NFS_V2="no"
   c. RPCNFSDARGS="-N 2 -N 3 -U"
   d. SECURE_NFS = "yes"
10) /etc/init.d/portmap start; /etc/init.d/rpcidmapd start; /etc/init.d/nfs start - (Performed on NFS server)
11) And I receive the following output when the nfs service starts:
   a. Starting RPC svcgssd: FAILED
   b. Starting NFS Services: OK
   c. Starting NFS quotas: OK
   d. Starting NFS daemon: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
   e. NFSD: starting 90-second grace period
   f. Starting NFS mountd: OK
12) I then checked /var/log/messages to find the following log entries:
   a. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No principal in keytab matches desired name
   b. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: Unable to obtain credentials for 'nfs'
   c. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: unable to obtain root (machine) credentials
   d. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
I seem to be stuck at this point and would appreciate your insight.
Thank you,
Dan
Dan Burkland wrote:
d. SECURE_NFS = "yes"
Uncomment these lines in /etc/sysconfig/nfs for much more verbose logging:
RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"
a. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No principal in keytab matches desired name
b. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: Unable to obtain credentials for 'nfs'
c. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: unable to obtain root (machine) credentials
d. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
Double check your /etc/krb5.keytab. On the server it must have the nfs/server.example.net key and on the client it must have nfs/client.example.net.
In idmapd.conf, leave it as the default:
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch
Believe me, I've tried to understand[1] why Domain must be "localdomain" but I've not been lucky.
Regards,
Miguel
[1] http://linux-nfs.org/pipermail/nfsv4/2009-September/011369.html
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Miguel Di Ciurcio Filho
Sent: Thursday, December 03, 2009 5:37 AM
To: CentOS mailing list
Subject: Re: [CentOS] Kerberos + NFSv4 difficulties
I made the requested changes and when I start the nfs services (/etc/init.d/nfs start) I get the same error messages. I made sure that I have used kinit nfs/nfs.example.net -k -t /etc/krb5.keytab and verified that the principal was loaded by using klist. I have disabled SELinux & iptables to make sure that neither are interfering with this. Thanks again for the help!
Dan Burkland
NMDP Helpdesk Technician
3001 Broadway Street N. E. Suite 100, Minneapolis, MN 55413-1753
Phone (612) 362-3411 Toll Free: (800) 526-7809 Ext. 8123
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Dan Burkland
Sent: Thursday, December 03, 2009 11:44 AM
To: CentOS mailing list
Subject: Re: [CentOS] Kerberos + NFSv4 difficulties
I finally figured out what the heck was causing the problem. It was the following line in my /etc/hosts file:
127.0.0.1 localhost localhost.localdomain nfs.example.net nfs
Once I removed the "nfs.example.net" & "nfs" entries, the rpc.svcgssd service started fine.
Regards,
Dan
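An added pre-flight script (not from the thread, nor from any CentOS or nfs-utils tooling) that checks the two things this thread turned on: Miguel's point that the keytab must hold the nfs/<fqdn> principal, and Dan's finding that an /etc/hosts line aliasing the server's FQDN to 127.0.0.1 makes rpc.svcgssd look for the wrong principal. The FQDN nfs.example.net and the realm EXAMPLE.NET are assumptions (the thread never names the realm), and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are file paths so that constructed
# samples can stand in for /etc/hosts and "klist -k" output.

# Exit 0 if an /etc/hosts-style file lists FQDN (or its short name) on a
# 127.x.x.x or ::1 line; that alias makes the canonical hostname "localhost".
hosts_maps_fqdn_to_loopback() {
    awk -v f="$2" -v s="${2%%.*}" '
        { sub(/#.*/, "") }                       # drop comments before matching
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i == f || $i == s) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Exit 0 if a saved "klist -k" listing contains nfs/FQDN@REALM.
keytab_has_nfs_principal() {
    grep -qF -- "nfs/$2@$3" "$1"
}

# Run both checks; exit 0 only when both pass.
# Usage: preflight HOSTSFILE KLISTFILE FQDN REALM
preflight() {
    rc=0
    if hosts_maps_fqdn_to_loopback "$1" "$3"; then
        echo "FAIL: $3 is aliased to a loopback address in $1"; rc=1
    fi
    if ! keytab_has_nfs_principal "$2" "$3" "$4"; then
        echo "FAIL: no nfs/$3@$4 entry in keytab listing $2"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: keytab and hostname checks pass"
    return "$rc"
}

# Constructed samples: the hosts line that broke svcgssd in the thread, a fixed
# one, and a klist -k listing that does contain the service principal.
BAD_HOSTS=$(mktemp); GOOD_HOSTS=$(mktemp); KLIST_OUT=$(mktemp)
printf '127.0.0.1 localhost localhost.localdomain nfs.example.net nfs\n' > "$BAD_HOSTS"
printf '127.0.0.1 localhost localhost.localdomain\n192.0.2.10 nfs.example.net nfs\n' > "$GOOD_HOSTS"
printf 'KVNO Principal\n   3 nfs/nfs.example.net@EXAMPLE.NET\n' > "$KLIST_OUT"

preflight "$BAD_HOSTS" "$KLIST_OUT" nfs.example.net EXAMPLE.NET || echo "(expected failure)"
preflight "$GOOD_HOSTS" "$KLIST_OUT" nfs.example.net EXAMPLE.NET
# On a live server: klist -k > /tmp/k; preflight /etc/hosts /tmp/k "$(hostname -f)" YOUR.REALM
```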