[CentOS] Kerberos + NFSv4 difficulties

Thu Dec 3 20:36:07 UTC 2009
Dan Burkland <dburklan at NMDP.ORG>

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Dan Burkland
Sent: Thursday, December 03, 2009 11:44 AM
To: CentOS mailing list
Subject: Re: [CentOS] Kerberos + NFSv4 difficulties

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Miguel Di Ciurcio Filho
Sent: Thursday, December 03, 2009 5:37 AM
To: CentOS mailing list
Subject: Re: [CentOS] Kerberos + NFSv4 difficulties

Dan Burkland wrote:
> 
> d.       SECURE_NFS = "yes"
> 

Uncomment these lines for much more verbose logging in 
/etc/sysconfig/nfs:

RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"

> 
> a.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: ERROR: GSS-API: error in 
> gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide 
> more information - No principal in keytab matches desired name
> 
> b.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: Unable to obtain 
> credentials for 'nfs'
> 
> c.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: unable to obtain root 
> (machine) credentials
> 
> d.       Dec  2 12:16:51 nfs rpc.svcgssd[6018]: do you have a keytab 
> entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
> 

Double check your /etc/krb5.keytab. On the server it must have the 
nfs/server.exemple.net key and on the client it must have 
nfs/client.exemple.net.


In idmapd.conf, leave it as the default:
[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch

Believe me, I've tried to understand[1] why Domain must be "localdomain" 
but I've not been lucky.

Regards,

Miguel

[1] http://linux-nfs.org/pipermail/nfsv4/2009-September/011369.html
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
_______________________________________________

I made the requested changes and when I start the nfs services (/etc/init.d/nfs start) I get the same error messages. I made sure that I have used kinit nfs/nfs.example.net -k -t /etc/krb5.keytab and verified that the principal was loaded by using klist. I have disabled SELINUX & iptables to make sure that neither is interfering with this. Thanks again for the help!

I finally figured out what the heck was causing the problem: it was the following line in my /etc/hosts file:
127.0.0.1	localhost localhost.localdomain nfs.example.net nfs

Once I removed the "nfs.example.net" & "nfs" entries the rpc.svcgssd service started fine. 

Regards,

Dan
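
The condition reported in the last message can be checked before starting rpc.svcgssd. The script below is an added example, not part of the original thread: it reports which address and canonical name a hosts file gives for the server's name, flags a loopback mapping, and checks plain `klist -k` output for the nfs/<host> principal. The function names, the 192.0.2.10 address and the "after" hosts file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# hosts file as posted in the thread (the failing state)
sample_hosts_before() {
    printf '127.0.0.1\tlocalhost localhost.localdomain nfs.example.net nfs\n'
}
# after the fix; the 192.0.2.10 line is an assumed address for illustration
sample_hosts_after() {
    printf '127.0.0.1\tlocalhost localhost.localdomain\n'
    printf '192.0.2.10\tnfs.example.net nfs\n'
}

# Print "ADDRESS CANONICAL" for the first hosts line listing NAME.
# Per hosts(5) the first name after the address is the canonical one.
hosts_lookup() {    # usage: hosts_lookup HOSTS_FILE|- NAME
    awk -v want="$2" '
        { sub(/#.*/, "") }              # strip comments
        NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(want)) { print $1, $2; exit } }
    ' "$1"
}

# Return 1 (and say why) if NAME resolves to a loopback address via the file.
name_off_loopback() {    # usage: name_off_loopback HOSTS_FILE|- NAME
    hit=$(hosts_lookup "$1" "$2")
    case "$hit" in
        127.*|::1\ *) echo "$2 -> $hit (loopback)"; return 1 ;;
    esac
    return 0
}

# Return 0 if plain `klist -k` output on stdin lists nfs/FQDN@<realm>.
keytab_has_nfs() {    # usage: klist -k /etc/krb5.keytab | keytab_has_nfs FQDN
    awk -v p="nfs/$1@" 'index($2, p) == 1 { found = 1 } END { exit !found }'
}

# Demo on the constructed samples.
for f in sample_hosts_before sample_hosts_after; do
    if "$f" | name_off_loopback - nfs.example.net; then echo "$f: ok"; fi
done
```

On a real server, run name_off_loopback /etc/hosts "$(hostname -f)" and pipe klist -k /etc/krb5.keytab into keytab_has_nfs with the same name.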