[CentOS] Kerberos + NFSv4 difficulties

Dan Burkland dburklan at NMDP.ORG
Thu Dec 3 17:43:39 UTC 2009 

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Miguel Di Ciurcio Filho
Sent: Thursday, December 03, 2009 5:37 AM
To: CentOS mailing list
Subject: Re: [CentOS] Kerberos + NFSv4 difficulties

Dan Burkland wrote:
> 
> d.       SECURE_NFS = "yes"
> 

Uncomment this lines for a more much more verbose logging in 
/etc/sysconfig/nfs:

RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"

> 
> a.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: ERROR: GSS-API: error in 
> gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide 
> more information - No principal in keytab matches desired name
> 
> b.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: Unable to obtain 
> credentials for 'nfs'
> 
> c.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: unable to obtain root 
> (machine) credentials
> 
> d.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: do you have a keytab 
> entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
> 

Double check your /etc/krb5.keytab. On the server it must have the 
nfs/server.exemple.net key and on the client it must have 
nfs/client.exemple.net.


In idmapd.conf, leave it as the default:
[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch

Believe me, I've tried to understand[1] why Domain must be "localdomain" 
but I've no been lucky.

Regards,

Miguel

[1] http://linux-nfs.org/pipermail/nfsv4/2009-September/011369.html
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
_______________________________________________

I made the requested changes and when I start the nfs services (/etc/init.d/nfs start) I get the same error messages. I made sure that I have used kinit nfs/nfs.example.net -k -t /etc/krb5.keytab and verified that the principle was loaded by using klist. I have disabled SELINUX & iptables to make sure that neither are interfering with this. Thanks again for the help!

Dan Burkland
NMDP Helpdesk Technician
3001 Broadway Street N. E. Suite 100, Minneapolis, MN 55413-1753 
 
Phone (612) 362-3411 Toll Free: (800) 526-7809 Ext. 8123

More information about the CentOS mailing list