[CentOS] Kerberos + NFSv4 difficulties

Wed Dec 2 18:24:48 UTC 2009
Dan Burkland <dburklan at NMDP.ORG>

Hey All,

I recently have been trying to set up an NFSv4 share that utilizes Kerberos. My experience in general with NFS is very slim; however, I feel like I am very close to getting this project completed. Currently I have the following things in place:
1) NFS server nfs.example.net (VM#2) - Running CentOS 5.4 with all of the latest updates and NFS-related packages
2) Kerberos KDC running on Kerberos.example.net (VM#1) - Running CentOS 5.4 with all of the latest updates
3) NFS client nfs-client.example.net (VM#3) - Running CentOS 5.4 with all of the latest updates

Before I give you the error message I receive when I enable NFS, I'll first describe my setup process.

1) Verified Kerberos works on all machines by attempting a kinit testuser, which worked properly.
2) Verified that the clocks on all machines represent the same time (synced using a local NTP server).
3) Created a service principal for nfs.example.net by performing the following commands on the nfs.example.net machine (performed on NFS server):
   a. kadmin (logged in as an admin principal)
   b. addprinc -randkey nfs/nfs.example.net
   c. ktadd -e des-cbc-crc:normal nfs/nfs.example.net
   d. quit
   e. kinit nfs/nfs.example.net -k -t /etc/krb5.keytab
   f. klist to verify
4) Edited /etc/idmapd.conf with the following changes (performed on NFS server):
   a. changed Nobody-{User,Group} to nfsnobody
   b. changed Domain to nfs.example.net
5) mkdir /nfs/ (performed on NFS server)
6) Added the following to /etc/exports (performed on NFS server):
   a. /nfs gss/krb5p(rw,sync,fsid=0)
7) exportfs -rv (performed on NFS server)
8) Verified all relevant nfs services were stopped (performed on NFS server)
9) Uncommented and made the following changes to /etc/sysconfig/nfs (performed on NFS server):
   a. MOUNTD_NFS_V1="no"
   b. MOUNTD_NFS_V2="no"
   c. RPCNFSDARGS="-N 2 -N 3 -U"
   d. SECURE_NFS = "yes"
10) /etc/init.d/portmap start; /etc/init.d/rpcidmapd start; /etc/init.d/nfs start (performed on NFS server)
11) And I receive the following output when the nfs service starts:
   a. Starting RPC svcgssd: FAILED
   b. Starting NFS Services: OK
   c. Starting NFS quotas: OK
   d. Starting NFS daemon: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
   e. NFSD: starting 90-second grace period
   f. Starting NFS mountd: OK
12) I then checked /var/log/messages to find the following log entries:
   a. Dec  2 12:16:51 nfs rpc.svcgssd[6018]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more information - No principal in keytab matches desired name
   b. Dec  2 12:16:51 nfs rpc.svcgssd[6018]: Unable to obtain credentials for 'nfs'
   c. Dec  2 12:16:51 nfs rpc.svcgssd[6018]: unable to obtain root (machine) credentials
   d. Dec  2 12:16:51 nfs rpc.svcgssd[6018]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?

I seem to be stuck at this point and would appreciate your insight.

Thank you,

Dan
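The "No principal in keytab matches desired name" failure above is worth a mechanical check, because rpc.svcgssd does not look up the principal the administrator typed into kadmin: it asks GSS-API for credentials for the host-based service "nfs", and libkrb5 turns that into nfs/<canonical hostname>@REALM using the server's own hostname and DNS. If that canonical name is not byte-for-byte the name in /etc/krb5.keytab (short hostname vs. FQDN, a reverse record pointing at a different name, wrong realm), the keytab entry is never matched even though kinit -k against the explicit principal works. The checker below is an added example, not code from the post or from the nfs-utils project. It parses the output format of `klist -k -e`, compares the keytab contents against the principal the host would be expected to present, and also flags single-DES entries such as the des-cbc-crc key created in step 3c, since single DES is cryptographically weak and should only be kept where an old kernel's rpcsec_gss leaves no alternative. The realm EXAMPLE.NET and the sample keytab listing are constructed assumptions; the post names no realm.

```python
import re
import socket
import subprocess

# Constructed sample of `klist -k -e /etc/krb5.keytab` output (not from the post).
# The realm EXAMPLE.NET is an assumption; the original message does not name one.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/nfs.example.net@EXAMPLE.NET (DES cbc mode with CRC-32)
   2 host/nfs.example.net@EXAMPLE.NET (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_keytab_listing(text):
    """Return [(kvno, principal, enctype)] from `klist -k -e` output.

    Header lines (Keytab name, column titles, dashes) do not match ENTRY_RE
    and are skipped; only real key entries are returned.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def expected_nfs_principal(fqdn, realm):
    """The name GSS-API derives for host-based service 'nfs' on this host."""
    return f"nfs/{fqdn.lower()}@{realm.upper()}"


def is_weak_enctype(enctype):
    """True for single-DES and RC4 keys; 3DES is legacy but not flagged here."""
    e = enctype.lower()
    if "des3" in e or "triple des" in e:
        return False
    return bool(re.search(r"\bdes\b|des-cbc|arcfour|rc4", e))


def check_nfs_keytab(listing, fqdn, realm):
    """Compare a keytab listing against the principal rpc.svcgssd will ask for.

    Returns a dict with the wanted name, the entries that match it exactly,
    the matching entries that use weak enctypes, and any other nfs/ principals
    present (the usual sign of a hostname/FQDN or realm mismatch).
    """
    wanted = expected_nfs_principal(fqdn, realm)
    entries = parse_keytab_listing(listing)
    matched = [e for e in entries if e[1] == wanted]
    weak = [e for e in matched if is_weak_enctype(e[2])]
    other_nfs = sorted({e[1] for e in entries
                        if e[1].startswith("nfs/") and e[1] != wanted})
    return {"wanted": wanted, "matched": matched,
            "weak": weak, "other_nfs": other_nfs}


def explain(result):
    """Turn a check result into operator-readable findings."""
    msgs = []
    if not result["matched"]:
        msgs.append(f"no keytab entry for {result['wanted']}; "
                    "rpc.svcgssd will fail gss_acquire_cred()")
        for p in result["other_nfs"]:
            msgs.append(f"found {p} instead: hostname/FQDN or realm mismatch?")
    for kvno, princ, enc in result["weak"]:
        msgs.append(f"{princ} kvno {kvno} uses weak enctype '{enc}'")
    return msgs or ["keytab has a matching nfs/ entry with acceptable enctype"]


def live_keytab_listing(path="/etc/krb5.keytab"):
    """Run klist on the real keytab, or return None if klist is unavailable."""
    try:
        return subprocess.run(["klist", "-k", "-e", path], check=True,
                              capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    listing = live_keytab_listing() or SAMPLE_KLIST
    # Realm is an assumption here; read it from /etc/krb5.conf in real use.
    for line in explain(check_nfs_keytab(listing, socket.getfqdn(), "EXAMPLE.NET")):
        print(line)
```

Running it on the sample with the FQDN nfs.example.net reports only the weak-enctype finding; running it with a different FQDN (what a host whose `hostname -f` does not resolve to nfs.example.net would present) reports the missing principal and points at the nfs/nfs.example.net entry as the likely mismatch, which is the same condition the rpc.svcgssd log lines describe.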