Please provide your smb.conf and krb5.conf files as well.

BTW: the createupn is not required on Win2K8R2 as this credential is passed now (according to MS)

----- Original Message -----
| Hi,
|
| I'm trying to set up NFSv4 on two boxes (centos 5.5) and have it
| authenticate against our Windows 2008R2 AD server acting as the KDC.
| (samba/winbind is running ok with "idmap config MYCOMPANY: backend = rid"
| so we have identical ids across the servers.)
|
| I can mount my test directory fine via NFSv4 *without* the sec=krb5 option.
| However, once I put the sec=krb5 option in, then I get a mount error:
| "mount.nfs4: Permission denied" and rpc.gssd reports: "Failed to obtain
| machine credentials for connection to server"
|
| The computers have an AD computer account and for the service-principal, I
| created an AD user account "nfsHostname" and mapped the UPN e.g.
| NFS/hostname.mycompany.tv@MYCOMPANY.TV to it using ktpass.
|
| This is the closest post similar to my issue I could find:
| http://lists.centos.org/pipermail/centos/2010-July/096378.html
| However, I'm trying not to run the createupn command via smbutils.
|
| Side note:
| Eventually we will also be using a HDS nas which doesn't provide us with
| samba net utils (e.g. net ads join createupn) only their proprietary
| webadmin/cli. When that nas joined our AD domain, it created a computer
| account with SPNs of HOST/HOSTNAME, HOST/hostname.MYCOMPANY.TV and a UPN of
| HOST/hostname.mycompany.tv@MYCOMPANY.TV. And the HDS nas only wants
| encryption type: des-cbc-crc:normal. This is why on my test nfs server
| (nas002), I'm trying to use the same limited commands as I would if I were
| using the HDS nas.
|
| Any suggestions where to look next or get more verbose info from
| kerberos/KDC or the nfs server? (nothing shows up in either syslog --
| plus, I'm not all that familiar with kerberos.)
|
| thanks in advance!
| JA.
|
|
| info:
| 10.100.1.11 KDC server (Windows 2008 R2, AD)
| 10.100.1.35 bk001 (nfsv4 client, kernel 2.6.18-194.32.1.el5)
| 10.100.1.82 nas002 (nfsv4 server, kernel 2.6.18-194.32.1.el5)
| 10.100.1.99 monitoring server
|
| installed on both nfsv4 client and server:
| nfs-utils.x86_64 1.0.9-60.el5
| nfs-utils-lib.x86_64 1.0.8-7.9.el5
| nfs4-acl-tools.x86_64 0.3.3-3.el5
| krb5-workstation.x86_64 1.6.1-70.el5
| samba (nas002) 3.3.8-0.52.el5_5.2
| samba (bk001) 3.5.10-0.107.el5
|
|
| [root@bk001 ~]# net ads testjoin
| Join is OK
|
| [root@bk001 ~]# kinit administrator@MYCOMPANY.TV
| Password for administrator@MYCOMPANY.TV:
|
| [root@bk001 ~]# kinit nfs/nas002.mycompany.tv@MYCOMPANY.TV
| Password for nfs/nas002.mycompany.tv@MYCOMPANY.TV:
|
| [root@bk001 ~]# klist
| Ticket cache: FILE:/tmp/krb5cc_0
| Default principal: nfs/nas002.mycompany.tv@MYCOMPANY.TV
|
| Valid starting     Expires            Service principal
| 04/13/12 16:08:51  04/14/12 02:08:51  krbtgt/MYCOMPANY.TV@MYCOMPANY.TV
|         renew until 04/16/12 16:08:51
|
|
| Kerberos 4 ticket cache: /tmp/tkt0
| klist: You have no tickets cached
|
|
| [root@bk001 ~]# showmount -e nas002.mycompany.tv
| Export list for nas002.mycompany.tv:
| /array gss/krb5,*
|
|
| [root@bk001 ~]# mount -v -t nfs4 -o proto=tcp,sec=krb5 nas002.mycompany.tv:/ /mnt/nfs4test
| Warning: rpc.idmapd appears not to be running.
|          All uids will be mapped to the nobody uid.
| Warning: rpc.gssd appears not to be running.
| mount: pinging: prog 100003 vers 4 prot tcp port 2049
| mount.nfs4: Permission denied
|
| [root@bk001 ~]# ps -elf | egrep 'gss|idmap'
| 1 S root  2498  1  0  75  0 -  8016 -  Apr12 ?  00:00:00 rpc.gssd -rrrvvvv
| 1 S root  4575  1  0  76  0 - 14833 -  Apr12 ?  00:00:00 rpc.idmapd -vvv
|
|
| [root@bk001 ~]# tail /var/log/messages
| Apr 13 16:09:09 bk001 rpc.idmapd[4575]: New client: 16
| Apr 13 16:09:09 bk001 rpc.gssd[2498]: handling krb5 upcall
| Apr 13 16:09:09 bk001 rpc.idmapd[4575]: New client: 17
| Apr 13 16:09:09 bk001 rpc.idmapd[4575]: Opened /var/lib/nfs/rpc_pipefs/nfs/clnt16/idmap
| Apr 13 16:09:09 bk001 rpc.gssd[2498]: Using keytab file '/etc/krb5.keytab'
| Apr 13 16:09:09 bk001 rpc.gssd[2498]: WARNING: Failed to obtain machine credentials for connection to server nas002.mycompany.tv
| Apr 13 16:09:09 bk001 rpc.gssd[2498]: doing error downcall
| Apr 13 16:09:09 bk001 rpc.idmapd[4575]: Stale client: 16
| Apr 13 16:09:09 bk001 rpc.idmapd[4575]: -> closed /var/lib/nfs/rpc_pipefs/nfs/clnt16/idmap
| Apr 13 16:09:09 bk001 rpc.idmapd[4575]: Stale client: 17
| Apr 13 16:09:09 bk001 rpc.idmapd[4575]: -> closed /var/lib/nfs/rpc_pipefs/nfs/clnt17/idmap
| Apr 13 16:09:09 bk001 rpc.gssd[2498]: destroying client clnt17
| Apr 13 16:09:09 bk001 rpc.gssd[2498]: destroying client clnt16
|
|
|
| tshark capture of commands I performed (above):
| [root@bk001 ~]# cat /var/tmp/tshark_041312-1608.out
|  366  9.948504 10.100.1.35 -> 10.100.1.11 TCP 42564 > kerberos [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=86719599 TSER=0 WS=7
|  367  9.948813 10.100.1.11 -> 10.100.1.35 TCP kerberos > 42564 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 TSV=396813568 TSER=86719599
|  368  9.948824 10.100.1.35 -> 10.100.1.11 TCP 42564 > kerberos [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=86719599 TSER=396813568
|  369  9.948849 10.100.1.35 -> 10.100.1.11 KRB5 AS-REQ
|  370  9.949976 10.100.1.11 -> 10.100.1.35 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
|  371  9.949982 10.100.1.35 -> 10.100.1.11 TCP 42564 > kerberos [ACK] Seq=181 Ack=154 Win=6432 Len=0 TSV=86719600 TSER=396813568
|  372  9.950031 10.100.1.35 -> 10.100.1.11 TCP 42564 > kerberos [FIN, ACK] Seq=181 Ack=154 Win=6432 Len=0 TSV=86719600 TSER=396813568
|  373  9.950288 10.100.1.11 -> 10.100.1.35 TCP kerberos > 42564 [ACK] Seq=154 Ack=182 Win=65160 Len=0 TSV=396813568 TSER=86719600
|  374  9.950297 10.100.1.11 -> 10.100.1.35 TCP kerberos > 42564 [RST, ACK] Seq=154 Ack=182 Win=0 Len=0
|  444 11.840921 10.100.1.35 -> 10.100.1.11 TCP 42565 > kerberos [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=86721491 TSER=0 WS=7
|  446 11.841178 10.100.1.11 -> 10.100.1.35 TCP kerberos > 42565 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 TSV=396813757 TSER=86721491
|  447 11.841185 10.100.1.35 -> 10.100.1.11 TCP 42565 > kerberos [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=86721491 TSER=396813757
|  448 11.841206 10.100.1.35 -> 10.100.1.11 KRB5 AS-REQ
|  449 11.842812 10.100.1.11 -> 10.100.1.35 TCP [TCP segment of a reassembled PDU]
|  450 11.842817 10.100.1.35 -> 10.100.1.11 TCP 42565 > kerberos [ACK] Seq=259 Ack=1449 Win=8688 Len=0 TSV=86721493 TSER=396813757
|  451 11.842819 10.100.1.11 -> 10.100.1.35 KRB5 AS-REP
|  452 11.842822 10.100.1.35 -> 10.100.1.11 TCP 42565 > kerberos [ACK] Seq=259 Ack=1518 Win=8688 Len=0 TSV=86721493 TSER=396813757
|  453 11.842852 10.100.1.35 -> 10.100.1.11 TCP 42565 > kerberos [FIN, ACK] Seq=259 Ack=1518 Win=8688 Len=0 TSV=86721493 TSER=396813757
|  454 11.843043 10.100.1.11 -> 10.100.1.35 TCP kerberos > 42565 [ACK] Seq=1518 Ack=260 Win=65160 Len=0 TSV=396813758 TSER=86721493
|  455 11.843050 10.100.1.11 -> 10.100.1.35 TCP kerberos > 42565 [RST, ACK] Seq=1518 Ack=260 Win=0 Len=0
|  827 21.821693 10.100.1.35 -> 10.100.1.11 TCP 42566 > kerberos [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=86731472 TSER=0 WS=7
|  828 21.821920 10.100.1.11 -> 10.100.1.35 TCP kerberos > 42566 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 TSV=396814755 TSER=86731472
|  829 21.821930 10.100.1.35 -> 10.100.1.11 TCP 42566 > kerberos [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=86731472 TSER=396814755
|  830 21.821958 10.100.1.35 -> 10.100.1.11 KRB5 AS-REQ
|  831 21.822968 10.100.1.11 -> 10.100.1.35 KRB5 AS-REP
|  832 21.822974 10.100.1.35 -> 10.100.1.11 TCP 42566 > kerberos [ACK] Seq=191 Ack=618 Win=6787 Len=0 TSV=86731473 TSER=396814756
|  833 21.823003 10.100.1.35 -> 10.100.1.11 TCP 42566 > kerberos [FIN, ACK] Seq=191 Ack=618 Win=6787 Len=0 TSV=86731473 TSER=396814756
|  835 21.823278 10.100.1.11 -> 10.100.1.35 TCP kerberos > 42566 [ACK] Seq=618 Ack=192 Win=65160 Len=0 TSV=396814756 TSER=86731473
|  836 21.823287 10.100.1.11 -> 10.100.1.35 TCP kerberos > 42566 [RST, ACK] Seq=618 Ack=192 Win=0 Len=0
| 1472 39.980317 10.100.1.35 -> 10.100.1.82 TCP 40520 > nfs [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=86749629 TSER=0 WS=7
| 1473 39.980491 10.100.1.82 -> 10.100.1.35 TCP nfs > 40520 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=3789493491 TSER=86749629 WS=7
| 1474 39.980498 10.100.1.35 -> 10.100.1.82 TCP 40520 > nfs [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=86749631 TSER=3789493491
| 1475 39.980533 10.100.1.35 -> 10.100.1.82 NFS V4 NULL Call
| 1476 39.980701 10.100.1.82 -> 10.100.1.35 TCP nfs > 40520 [ACK] Seq=1 Ack=45 Win=5888 Len=0 TSV=3789493492 TSER=86749631
| 1477 39.980705 10.100.1.82 -> 10.100.1.35 NFS V4 NULL Reply (Call In 1475)
| 1478 39.980707 10.100.1.35 -> 10.100.1.82 TCP 40520 > nfs [ACK] Seq=45 Ack=29 Win=5888 Len=0 TSV=86749631 TSER=3789493492
| 1479 39.980733 10.100.1.35 -> 10.100.1.82 TCP 40520 > nfs [FIN, ACK] Seq=45 Ack=29 Win=5888 Len=0 TSV=86749631 TSER=3789493492
| 1480 39.980896 10.100.1.82 -> 10.100.1.35 TCP nfs > 40520 [FIN, ACK] Seq=29 Ack=46 Win=5888 Len=0 TSV=3789493492 TSER=86749631
| 1481 39.980901 10.100.1.35 -> 10.100.1.82 TCP 40520 > nfs [ACK] Seq=46 Ack=30 Win=5888 Len=0 TSV=86749631 TSER=3789493492
| 1482 40.001039 10.100.1.35 -> 10.100.1.82 TCP connendp > nfs [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=86749651 TSER=0 WS=7
| 1483 40.001210 10.100.1.82 -> 10.100.1.35 TCP nfs > connendp [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=3789493512 TSER=86749651 WS=7
| 1484 40.001221 10.100.1.35 -> 10.100.1.82 TCP connendp > nfs [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=86749651 TSER=3789493512
| 1485 40.001244 10.100.1.35 -> 10.100.1.82 NFS V4 NULL Call
| 1486 40.001409 10.100.1.82 -> 10.100.1.35 TCP nfs > connendp [ACK] Seq=1 Ack=45 Win=5888 Len=0 TSV=3789493512 TSER=86749651
| 1487 40.001414 10.100.1.82 -> 10.100.1.35 NFS V4 NULL Reply (Call In 1485)
| 1488 40.001418 10.100.1.35 -> 10.100.1.82 TCP connendp > nfs [ACK] Seq=45 Ack=29 Win=5888 Len=0 TSV=86749652 TSER=3789493512
| 1489 40.002363 10.100.1.35 -> 10.100.1.82 TCP connendp > nfs [FIN, ACK] Seq=45 Ack=29 Win=5888 Len=0 TSV=86749653 TSER=3789493512
| 1490 40.002526 10.100.1.82 -> 10.100.1.35 TCP nfs > connendp [FIN, ACK] Seq=29 Ack=46 Win=5888 Len=0 TSV=3789493513 TSER=86749653
| 1491 40.002532 10.100.1.35 -> 10.100.1.82 TCP connendp > nfs [ACK] Seq=46 Ack=30 Win=5888 Len=0 TSV=86749653 TSER=3789493513
| 1493 40.002880 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.WARNING: rpc.idmapd[4575]: New client: 16\n
| 1497 40.003611 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.ERR: rpc.gssd[2498]: handling krb5 upcall \n
| 1498 40.004069 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.WARNING: rpc.idmapd[4575]: New client: 17\n
| 1499 40.004489 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.WARNING: rpc.idmapd[4575]: Opened /var/lib/nfs/rpc_pipefs/nfs/clnt16/idmap\n
| 1500 40.004949 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.ERR: rpc.gssd[2498]: Using keytab file '/etc/krb5.keytab' \n
| 1501 40.005369 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.ERR: rpc.gssd[2498]: WARNING: Failed to obtain machine credentials for connection to server nas002.mycompany.tv \n
| 1502 40.005829 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.ERR: rpc.gssd[2498]: doing error downcall \n
| 1503 40.012862 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.WARNING: rpc.idmapd[4575]: Stale client: 16\n
| 1504 40.013326 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.WARNING: rpc.idmapd[4575]: \t-> closed /var/lib/nfs/rpc_pipefs/nfs/clnt16/idmap\n
| 1505 40.013740 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.WARNING: rpc.idmapd[4575]: Stale client: 17\n
| 1506 40.014157 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.WARNING: rpc.idmapd[4575]: \t-> closed /var/lib/nfs/rpc_pipefs/nfs/clnt17/idmap\n
| 1507 40.014621 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.ERR: rpc.gssd[2498]: destroying client clnt17 \n
| 1508 40.015082 10.100.1.35 -> 10.100.1.99 Syslog DAEMON.ERR: rpc.gssd[2498]: destroying client clnt16 \n
| [root@bk001 ~]#
| _______________________________________________
| CentOS mailing list
| CentOS at centos.org
| http://lists.centos.org/mailman/listinfo/centos
|

-- 
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpeltier at sfu.ca
Website : http://www.sfu.ca/itservices
          http://blogs.sfu.ca/people/jpeltier

Success is to be measured not so much by the position that one has reached in life but as by the obstacles they have overcome. - Booker T. Washington
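The "Failed to obtain machine credentials" line quoted above is rpc.gssd reporting that nothing in the client's /etc/krb5.keytab matched a principal it is willing to use for the machine (root) mount. The check a practitioner would run before touching the KDC or ktpass is to list the keytab with `klist -ket /etc/krb5.keytab` and compare it against the principals gssd actually searches for: service principals for the client's own canonical host name (root/, nfs/ and host/ in nfs-utils of this vintage; newer releases also accept the HOSTNAME$ machine account), matched exactly and case-sensitively, so the host/BK001 entry that an AD join leaves behind does not satisfy host/bk001.mycompany.tv. The script below is an added example written for this edit, not code from the thread or from nfs-utils; the `klist -ket` output it parses is constructed for a hypothetical client bk001.mycompany.tv, and the DES remark is an assumption about the krb5 version in use (1.6.x enables single-DES by default, 1.8 and later need `allow_weak_crypto = true` in krb5.conf [libdefaults]).

```python
"""Keytab pre-flight for rpc.gssd machine credentials (added example).

rpc.gssd looks in the keytab for <svc>/<client-fqdn>@REALM with svc taken,
in order, from root, nfs, host (nfs-utils 1.0.x/1.1.x search list; newer
releases also try the HOSTNAME$ account). The keytab listing below is
CONSTRUCTED for a hypothetical client bk001.mycompany.tv; replace it with
the real output of `klist -ket /etc/krb5.keytab`.
"""
import re
from typing import Dict, List, Optional, Tuple

GSSD_SERVICE_NAMES = ("root", "nfs", "host")

# Single-DES enctype names as klist prints them. MIT krb5 1.6.x (CentOS 5)
# still enables these by default; 1.8+ refuses them unless
# allow_weak_crypto = true is set under [libdefaults] in krb5.conf.
WEAK_ENCTYPES = frozenset({"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5"})

# One `klist -ket` entry: "   3 04/13/12 15:55:01 principal@REALM (enctype name)"
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")

# Constructed sample: what a `net ads join` plus a ktpass-generated entry for
# the *server's* principal might leave on the client. Only one line is usable
# by gssd for a mount from bk001; the nfs/nas002 entry belongs on nas002.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/13/12 15:55:01 host/BK001@MYCOMPANY.TV (ArcFour with HMAC/md5)
   3 04/13/12 15:55:01 host/bk001.mycompany.tv@MYCOMPANY.TV (DES cbc mode with CRC-32)
   3 04/13/12 15:55:01 BK001$@MYCOMPANY.TV (ArcFour with HMAC/md5)
   1 04/13/12 16:02:44 nfs/nas002.mycompany.tv@MYCOMPANY.TV (DES cbc mode with CRC-32)
"""


def parse_klist(output: str) -> List[Tuple[int, str, str]]:
    """Return (kvno, principal, enctype) for every entry line of `klist -ket`;
    the header, the dashes line and blank lines are skipped by the regex."""
    entries = []
    for line in output.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def candidate_principals(fqdn: str, realm: str) -> List[str]:
    """Principals gssd tries, in its search order. Kerberos principal names
    are case-sensitive, so host/BK001@R never matches host/bk001.example@R."""
    return [f"{svc}/{fqdn}@{realm}" for svc in GSSD_SERVICE_NAMES]


def check_machine_creds(output: str, fqdn: str, realm: str
                        ) -> Tuple[Dict[str, List[str]], Optional[str], List[str]]:
    """Map each candidate principal to the enctypes present for it, report the
    first candidate gssd would pick (None means the keytab cannot supply
    machine credentials at all), and list candidates that carry only
    single-DES keys, which need allow_weak_crypto on krb5 >= 1.8."""
    entries = parse_klist(output)
    candidates = candidate_principals(fqdn, realm)
    enctypes = {
        cand: [etype for _, princ, etype in entries if princ == cand]
        for cand in candidates
    }
    first = next((c for c in candidates if enctypes[c]), None)
    des_only = [c for c, ets in enctypes.items() if ets and set(ets) <= WEAK_ENCTYPES]
    return enctypes, first, des_only


if __name__ == "__main__":
    found, first, des_only = check_machine_creds(
        SAMPLE_KLIST, "bk001.mycompany.tv", "MYCOMPANY.TV")
    for princ, ets in found.items():
        print(f"{princ}: {', '.join(ets) if ets else 'MISSING'}")
    print("gssd would use:", first or "nothing (Failed to obtain machine credentials)")
    if des_only:
        print("single-DES keys only (allow_weak_crypto needed on krb5 >= 1.8):", des_only)
```

Run it against the real listing by replacing SAMPLE_KLIST with the output of `klist -ket /etc/krb5.keytab` and the FQDN with what `hostname -f` returns on the client; if every candidate comes back MISSING the fix is on the keytab side (an entry for the client's own host or nfs principal), not on the server or the user's kinit ticket, which gssd does not use for the root mount.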