I have a problem that is driving me crazy. Our nfs server is running Solaris. Most clients mount directories from it with no problems, but not all. All clients that have problems run CentOS (5.4 and 5.5). I've found one or two of each version that fail, but also a couple of each version that work.
The mounting is done for user home directories via autofs but that doesn't seem to make any difference, the same problem appears when trying to mount manually. Kerberos is used for authentication.
When I try to mount a directory manually I get this:
    # mount -vvvv -t nfs4 -o sec=krb5 \
        triangulum.ifm.liu.se:/export/users/hans /mnt
    mount: pinging: prog 100003 vers 4 prot tcp port 2049
    mount.nfs4: Permission denied
I get this in /var/log/messages:
    Oct 15 15:15:12 pc13287 rpc.gssd[2780]: rpcsec_gss: gss_init_sec_context: (major) Unspecified GSS failure. Minor code may provide more information - (minor) Unknown code krb5 60
    Oct 15 15:15:12 pc13287 rpc.gssd[2780]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server triangulum.ifm.liu.se
The machines that can mount the disk differ slightly in what they log. Some log nothing, others this:
    Oct 19 13:26:01 pc14113 rpc.gssd[2793]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Unknown code krb5 195
    Oct 19 13:26:01 pc14113 rpc.gssd[2793]: WARNING: Failed to create krb5 context for user with uid 121 for server triangulum.ifm.liu.se
Note that there is still an error logged in the first line, but a different one. In the second line, the uid of the user changes from 0 (I'm logged in as root when doing both tests) to 121 (which is the uid of the user owning the home directory I'm trying to mount in both cases). Perhaps this is a clue, but I don't know what it tries to tell me.
I can't find any relevant differences in configuration. I've gone through files in /etc on a working and a non-working machine looking for changes but not finding anything relevant in /etc/sysconfig/nfs, /etc/hosts, /etc/idmapd.conf, /etc/krb5.conf, /etc/host.conf, /etc/nsswitch.conf, /etc/resolv.conf and others.
SELinux is not running.
This is what the keytab looks like on both working and non-working machines:
    # klist -k -e
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       3 host/pc13287.ad.ifm.liu.se@IFM.LIU.SE (DES cbc mode with RSA-MD5)
       3 nfs/pc13287.ad.ifm.liu.se@IFM.LIU.SE (DES cbc mode with RSA-MD5)
I have a yp master and a yp slave, but there are both working and non-working clients connected to both of them.
There is plenty of space in /tmp and it is writable by all.
Among the total set of clients there are multiple versions of nfs-utils and kernel used, but I can pick a set of one working and one non-working client that have the same versions for both (nfs-utils-1.0.9-47.el5_5 and kernel-2.6.18-194.17.1.el5) so that doesn't appear to be the problem. I've tried yum reinstall for the nfs package to no effect. That doesn't work for the kernel package, but I've compared the md5 sums for the gss modules between a working and a non-working machine and found no differences.
Obviously, I need to check something else, but what? Please help!
Hans
I work under a proxy and I want to add php by using yum but I can't, and I can't access add/move application (I am root)??
From: mehdi mehdimehdig@gmail.com
I work under a proxy and I want to add php by using yum but I can't, and I can't access add/move application (I am root)??
First, stop hijacking others' threads... create a new one. Solution to your problem: http://tinyurl.com/ydeyaqo
JD
Please post a copy of your /etc/* files listed above so that we might be able to look to make sure everything is correct. You may want to look at ensuring that
    SECURE_NFS="yes"
    RPCGSSDARGS="-vvv"
    RPCSVCGSSDARGS="-vvv"
is uncommented in /etc/sysconfig/nfs
There might be others missing but we would be able to help best if we know the contents of these files
--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpeltier@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
MSN     : subatomic_spam@hotmail.com
Does your OS have a man 8 lart? http://www.xinu.nl/unix/humour/asr-manpages/lart.html
For what it's worth, every time that I've tried kerberized NFS with RHEL, I've run into issues unless I was running the latest version of mount-utils, which I _think_ included rpc.gssd and rpc.svcgssd.
My memory may be failing, and I'll look later, but my recollection is that it was very sensitive to those.
(apologies for top-posting)
On 10/21/2010 01:34 PM, James A. Peltier wrote:
----- Original Message ----- | I have a problem that is driving me crazy. Our nfs server is running | Solaris. Most clients mount directories from it with no problems,
----- Original Message -----
| For what it's worth, every time that I've tried kerberized NFS with RHEL,
| I've run into issues unless I was running the latest version of
| mount-utils, which I _think_ included rpc.gssd and rpc.svcgssd.
|
| My memory may be failing, and I'll look later, but my recollection is
| that it was very sensitive to those.
|
| (apologies for top-posting)
|
| On 10/21/2010 01:34 PM, James A. Peltier wrote:
| > ----- Original Message -----
| > | I have a problem that is driving me crazy. Our nfs server is running
| > | Solaris. Most clients mount directories from it with no problems,
|
| --
| -- John E. Jasen (jjasen@realityfailure.org)
| -- "Deserve Victory." -- Terry Goodkind, Naked Empire
nfs-utils is also a package of issue.
Thu 2010-10-21 at 17:21 -0700, James A. Peltier wrote:
| I've run into issues unless I was running the latest version of
| mount-utils, which I _think_ included rpc.gssd and rpc.svcgssd.
nfs-utils is also a package of issue.
Neither working nor non-working machines have any mount-utils package installed.
On the other hand, rpc.gssd and rpc.svcgssd are both included in nfs-utils which both a working and a non-working client are running the same version of (nfs-utils-1.0.9-47.el5_5).
Hans
Thu 2010-10-21 at 10:34 -0700, James A. Peltier wrote:
----- Original Message -----
[...]
Please post a copy of your /etc/* files listed above so that we might be able to look to make sure everything is correct. You may want to look at ensuring that
    SECURE_NFS="yes"
    RPCGSSDARGS="-vvv"
    RPCSVCGSSDARGS="-vvv"
is uncommented in /etc/sysconfig/nfs
Only the first line was uncommented previously. With all three, I get this in /var/log/messages:
    Oct 22 09:45:46 pc13287 kernel: FS-Cache: Loaded
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: handling krb5 upcall
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: Using keytab file '/etc/krb5.keytab'
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: INFO: Credentials in CC 'MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE' are good until 1287817962
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: using MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE as credentials cache for machine creds
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: using environment variable to select krb5 ccache MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: creating context using fsuid 0 (save_uid 0)
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: creating tcp client for server triangulum.ifm.liu.se
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: creating context with server nfs@triangulum.ifm.liu.se
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: rpcsec_gss: gss_init_sec_context: (major) Unspecified GSS failure. Minor code may provide more information - (minor) Unknown code krb5 60
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: WARNING: Failed to create krb5 context for user with uid 0 for server triangulum.ifm.liu.se
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE for server triangulum.ifm.liu.se
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server triangulum.ifm.liu.se
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: doing error downcall
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: destroying client clnt1
    Oct 22 09:45:46 pc13287 rpc.gssd[2609]: destroying client clnt0
I started tail -f on the log and then ran ssh hans@pc13287 in another window. All the above appeared immediately, before I had entered any password (and nothing was logged after entering the password).
There might be others missing but we would be able to help best if we know the contents of these files
    # grep -v '^#' /etc/sysconfig/nfs
    SECURE_NFS="yes"
    RPCGSSDARGS="-vvv"
    RPCSVCGSSDARGS="-vvv"

    # cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1       localhost.localdomain localhost
    ::1             localhost6.localdomain6 localhost6
    130.236.170.165 pc13287
    130.236.160.4   loghost.ifm.liu.se loghost
    # cat /etc/idmapd.conf
    [General]

    Verbosity = 0
    Pipefs-Directory = /var/lib/nfs/rpc_pipefs
    Domain = ifm.liu.se

    [Mapping]

    Nobody-User = nobody
    Nobody-Group = nobody

    [Translation]
    Method = nsswitch
    # cat /etc/krb5.conf
    [libdefaults]
        default_realm = IFM.LIU.SE
        default_tgs_enctypes = des-cbc-md5
        default_tkt_enctypes = des-cbc-md5
    #   udp_preference_limit = 0
        dns_lookup_realm = false
        dns_lookup_kdc = false
        allow_weak_crypto = true

    [realms]
        IFM.LIU.SE = {
            kdc = as-slave-1.ifm.liu.se
            kdc = as-slave-2.ifm.liu.se
            kdc = as-master.ifm.liu.se
            admin_server = as-master.ifm.liu.se
        }
        [... other realms deleted ...]

    [domain_realm]
        .edu.isy.liu.se = STUDENT.LIU.SE
        .edu.ifm.liu.se = STUDENT.LIU.SE
        .edu.mai.liu.se = STUDENT.LIU.SE
        .ad.ifm.liu.se = AD.IFM.LIU.SE
        ifm.liu.se = IFM.LIU.SE
        .ifm.liu.se = IFM.LIU.SE
        isy.liu.se = ISY.LIU.SE
        .isy.liu.se = ISY.LIU.SE
        lysator.liu.se = LYSATOR.LIU.SE
        .lysator.liu.se = LYSATOR.LIU.SE
        .liu.se = AD.LIU.SE

    [logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
            period = 1d
            versions = 10
        }

    [appdefaults]
        kinit = {
            renewable = true
            forwardable= true
        }
        gkadmin = {
            help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
        }
    # cat /etc/host.conf
    order hosts,bind

    # grep -v '^#' /etc/nsswitch.conf
    passwd:     files nis
    shadow:     files nis
    group:      files nis
    hosts:      files nis dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files
    netgroup:   files nis
    publickey:  nisplus
    automount:  files nis
    aliases:    files nisplus

    # cat /etc/resolv.conf
    ; generated by /sbin/dhclient-script
    search ad.ifm.liu.se
    nameserver 130.236.168.6
    nameserver 130.236.168.7
    nameserver 130.236.160.3
And while we're at it, this is how DNS looks:
    # hostname
    pc13287
    # nslookup pc13287
    Server:         130.236.168.6
    Address:        130.236.168.6#53

    Name:   pc13287.ad.ifm.liu.se
    Address: 130.236.170.165

    # nslookup 130.236.170.165
    Server:         130.236.168.6
    Address:        130.236.168.6#53

    165.170.236.130.in-addr.arpa    name = pc13287.ad.ifm.liu.se.
Hans
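Added example, not part of any message in this thread: a small Python parser for the rpc.gssd lines quoted above that groups failures by client, GSS call and krb5 minor code, so logs from working and non-working clients can be compared side by side. The function names are hypothetical, the sample lines are copied from the thread, and the offset-to-code conversion assumes the MIT Kerberos com_err table named "krb5".

```python
import re
from collections import defaultdict

# rpc.gssd prints "Unknown code krb5 N" when the com_err table "krb5" is not
# registered; N is the offset from that table's base (assumed: MIT krb5).
KRB5_TABLE_BASE = -1765328384
# Names for the two offsets seen in the thread, per MIT krb5's error table.
KNOWN = {60: "KRB5KRB_ERR_GENERIC", 195: "KRB5_FCC_NOFILE"}

# Log lines copied from the messages above, one syslog entry per string.
SAMPLE = [
    "Oct 15 15:15:12 pc13287 rpc.gssd[2780]: rpcsec_gss: gss_init_sec_context: (major) Unspecified GSS failure. Minor code may provide more information - (minor) Unknown code krb5 60",
    "Oct 15 15:15:12 pc13287 rpc.gssd[2780]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server triangulum.ifm.liu.se",
    "Oct 19 13:26:01 pc14113 rpc.gssd[2793]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Unknown code krb5 195",
    "Oct 19 13:26:01 pc14113 rpc.gssd[2793]: WARNING: Failed to create krb5 context for user with uid 121 for server triangulum.ifm.liu.se",
]

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) rpc\.gssd\[\d+\]: (?P<msg>.*)$")
GSS_CALL = re.compile(r"\b(gss_\w+)")
MINOR = re.compile(r"Unknown code krb5 (\d+)")
FAILED_UID = re.compile(r"Failed to create krb5 context for user with uid (\d+)")

def krb5_code(offset):
    """Full krb5 error number for a com_err offset printed by rpc.gssd."""
    return KRB5_TABLE_BASE + offset

def summarize(lines):
    """Map host -> {'failures': {(gss_call, offset)}, 'uids': {uid}}."""
    out = defaultdict(lambda: {"failures": set(), "uids": set()})
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue  # not an rpc.gssd entry (e.g. kernel lines)
        host, msg = m["host"], m["msg"]
        minor, call, uid = MINOR.search(msg), GSS_CALL.search(msg), FAILED_UID.search(msg)
        if minor:
            out[host]["failures"].add((call.group(1) if call else "?", int(minor.group(1))))
        if uid:
            out[host]["uids"].add(int(uid.group(1)))
    return dict(out)

def report(lines):
    """One comparison row per (host, failing GSS call)."""
    rows = []
    for host, info in sorted(summarize(lines).items()):
        for call, off in sorted(info["failures"]):
            rows.append(f"{host}: {call} failed, krb5 offset {off} = {krb5_code(off)} "
                        f"({KNOWN.get(off, 'unnamed here')}), uids {sorted(info['uids'])}")
    return rows

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
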