[CentOS] Mount/automount fails with krb5-enabled nfs4
Hans Persson
hans at ifm.liu.se
Fri Oct 22 08:45:25 UTC 2010
Thu 2010-10-21 at 10:34 -0700, James A. Peltier wrote:
> ----- Original Message -----
[...]
> Please post a copy of your /etc/* files listed above so that we might
> be able to look to make sure everything is correct. You may want to
> look at ensuring that
>
> SECURE_NFS="yes"
> RPCGSSDARGS="-vvv"
> RPCSVCGSSDARGS="-vvv"
>
> is uncommented in /etc/sysconfig/nfs
Only the first line was uncommented previously. With all three, I get
this in /var/log/messages:
> Oct 22 09:45:46 pc13287 kernel: FS-Cache: Loaded
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: handling krb5 upcall
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: Using keytab file
> '/etc/krb5.keytab'
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: INFO: Credentials in CC
> 'MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE' are good until 1287817962
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: using
> MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE as credentials cache for
> machine creds
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: using environment variable to
> select krb5 ccache MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: creating context using fsuid
> 0 (save_uid 0)
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: creating tcp client for
> server triangulum.ifm.liu.se
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: creating context with server
> nfs at triangulum.ifm.liu.se
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: rpcsec_gss:
> gss_init_sec_context: (major) Unspecified GSS failure. Minor
> code may provide more information - (minor) Unknown code krb5 60
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: WARNING: Failed to create
> krb5 context for user with uid 0 for server triangulum.ifm.liu.se
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: WARNING: Failed to create
> krb5 context for user with uid 0 with credentials cache
> MEMORY:/tmp/krb5cc_machine_IFM.LIU.SE for server
> triangulum.ifm.liu.se
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: WARNING: Failed to create
> krb5 context for user with uid 0 with any credentials cache for
> server triangulum.ifm.liu.se
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: doing error downcall
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: destroying client clnt1
> Oct 22 09:45:46 pc13287 rpc.gssd[2609]: destroying client clnt0
I started tail -f on the log and then ran ssh hans@pc13287 in another
window. All the above appeared immediately, before I had entered any
password (and nothing was logged after entering the password).
> There might be others missing but we would be able to help best if we
> know the contents of these files
# grep -v '^#' /etc/sysconfig/nfs
SECURE_NFS="yes"
RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"
# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
130.236.170.165 pc13287
130.236.160.4 loghost.ifm.liu.se loghost
# cat /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = ifm.liu.se
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch
# cat /etc/krb5.conf
[libdefaults]
default_realm = IFM.LIU.SE
default_tgs_enctypes = des-cbc-md5
default_tkt_enctypes = des-cbc-md5
# udp_preference_limit = 0
dns_lookup_realm = false
dns_lookup_kdc = false
allow_weak_crypto = true
[realms]
IFM.LIU.SE = {
kdc = as-slave-1.ifm.liu.se
kdc = as-slave-2.ifm.liu.se
kdc = as-master.ifm.liu.se
admin_server = as-master.ifm.liu.se
}
[... other realms deleted ...]
[domain_realm]
.edu.isy.liu.se = STUDENT.LIU.SE
.edu.ifm.liu.se = STUDENT.LIU.SE
.edu.mai.liu.se = STUDENT.LIU.SE
.ad.ifm.liu.se = AD.IFM.LIU.SE
ifm.liu.se = IFM.LIU.SE
.ifm.liu.se = IFM.LIU.SE
isy.liu.se = ISY.LIU.SE
.isy.liu.se = ISY.LIU.SE
lysator.liu.se = LYSATOR.LIU.SE
.lysator.liu.se = LYSATOR.LIU.SE
.liu.se = AD.LIU.SE
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
gkadmin = {
help_url =
http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}
# cat /etc/host.conf
order hosts,bind
# grep -v '^#' /etc/nsswitch.conf
passwd: files nis
shadow: files nis
group: files nis
hosts: files nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files nis
publickey: nisplus
automount: files nis
aliases: files nisplus
# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search ad.ifm.liu.se
nameserver 130.236.168.6
nameserver 130.236.168.7
nameserver 130.236.160.3
And while we're at it, this is how DNS looks:
# hostname
pc13287
# nslookup pc13287
Server: 130.236.168.6
Address: 130.236.168.6#53
Name: pc13287.ad.ifm.liu.se
Address: 130.236.170.165
# nslookup 130.236.170.165
Server: 130.236.168.6
Address: 130.236.168.6#53
165.170.236.130.in-addr.arpa name = pc13287.ad.ifm.liu.se.
Hans
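
As an added example (not part of the original post), this Python code groups verbose rpc.gssd records like the ones quoted above into one summary per failed krb5 upcall, so the target service, server and GSS minor status can be compared across clients. The embedded sample is constructed from the post's log excerpt with the wrapped lines rejoined, and `failed_upcalls` is a hypothetical helper name.

```python
import re

# Constructed sample: rpc.gssd lines from the post, unwrapped to one
# syslog record per line as they would appear in /var/log/messages.
SAMPLE_LOG = """\
Oct 22 09:45:46 pc13287 kernel: FS-Cache: Loaded
Oct 22 09:45:46 pc13287 rpc.gssd[2609]: handling krb5 upcall
Oct 22 09:45:46 pc13287 rpc.gssd[2609]: creating context using fsuid 0 (save_uid 0)
Oct 22 09:45:46 pc13287 rpc.gssd[2609]: creating context with server nfs@triangulum.ifm.liu.se
Oct 22 09:45:46 pc13287 rpc.gssd[2609]: rpcsec_gss: gss_init_sec_context: (major) Unspecified GSS failure. Minor code may provide more information - (minor) Unknown code krb5 60
Oct 22 09:45:46 pc13287 rpc.gssd[2609]: WARNING: Failed to create krb5 context for user with uid 0 for server triangulum.ifm.liu.se
Oct 22 09:45:46 pc13287 rpc.gssd[2609]: doing error downcall
"""

RECORD = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) rpc\.gssd\[(\d+)\]: (.*)$")
# The list archive renders "@" as " at "; accept both spellings.
TARGET = re.compile(r"creating context with server (\S+?)(?:@| at )(\S+)")
GSSERR = re.compile(r"gss_init_sec_context: \(major\) (.*?) - \(minor\) (.*)$")
FSUID = re.compile(r"creating context using fsuid (\d+)")


def failed_upcalls(log_text):
    """Return one dict per krb5 upcall that ended in an error downcall."""
    open_upcalls = {}   # rpc.gssd pid -> upcall currently being assembled
    failures = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue    # not an rpc.gssd record
        when, host, pid, msg = m.groups()
        if msg == "handling krb5 upcall":
            open_upcalls[pid] = {"time": when, "client": host, "uid": None,
                                 "service": None, "server": None,
                                 "major": None, "minor": None}
            continue
        cur = open_upcalls.get(pid)
        if cur is None:
            continue    # record outside any upcall whose start we saw
        if (m2 := FSUID.search(msg)):
            cur["uid"] = int(m2.group(1))
        elif (m2 := TARGET.search(msg)):
            cur["service"], cur["server"] = m2.groups()
        elif (m2 := GSSERR.search(msg)):
            cur["major"], cur["minor"] = (s.strip() for s in m2.groups())
        elif msg == "doing error downcall":
            failures.append(open_upcalls.pop(pid))
    return failures
```
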