2014/1/6 Darod Zyree <darodzyree at gmail.com> > Greetings, > > Not sure if this is the correct mail list. > > I have the following test environment set up: > - 1x ipa master = ipa1.example.com > - 1x nfs server = nfs1.example.com > - 1x nfs client = nfsclient1.example.com > > NFS version 4 is used and the appropriate Kerberos principal has been > created in IPA: > > [root at nfs1 ~]# ipa service-show nfs/nfs1.example.com at EXAMPLE.COM > > Principal: nfs/nfs1.example.com at EXAMPLE.COM > Keytab: True > Managed by: nfs1.example.com > > > Mounting using krb5p works: > > [root at nfsclient1 ~]# mount -v -t nfs -o sec=krb5p > nfs1.example.com:/exports/homes/ /mnt > > mount.nfs: timeout set for Mon Jan 6 21:25:56 2014 > mount.nfs: trying text-based options > 'sec=krb5p,vers=4,addr=192.168.12.172,clientaddr=192.168.12.173' > nfs1.example.com:/exports/homes/ on /mnt type nfs (rw,sec=krb5p) > > rpcgssd created the Kerberos cache file as indicated > in /var/log/messages: > rpc.gssd[2473]: INFO: Credentials in CC > 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1389125973 > > > So far so good, but then: > > 1) I unmount everything from nfs1, remove the nfs1.example.host, its DNS > record(s) and service principcals. > 2) I redeploy the nfs1.example.com and re-create the > nfs/nfs1.example.com at EXAMPLE.COM principal > > 3) I try to mount the same NFS share from nfs1 on nfsclient1 I get an > error: > mount.nfs: trying text-based options > 'sec=krb5p,vers=4,addr=192.168.12.172,clientaddr=192.168.12.173' > mount.nfs: mount(2): Operation not permitted > > Now I'm not an IPA or Kerberos expert but I am guessing that this > happens because the nfsclient1 still has, and uses, > the /tmp/krb5cc_machine_EXAMPLE.COM cache file? > This file would have the “old” Kerberos credentials?... > > On the NFS server in /var/log/messages this error message is displayed: > "rpc.svcgssd[5983]: ERROR: GSS-API: error in handle_nullreq: > gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor > code may provide more information) - Wrong principal in request" > > On the NFS client in /var/log/messages these messages are displayed: > "creating context with server nfs at nfs1.example.com" > > "WARNING: Failed to create machine krb5 context with credentials cache > FILE:/tmp/krb5cc_machine_EXAMPLE.COM for server nfs1.example.com" > > "WARNING: Machine cache is prematurely expired or corrupted trying to > recreate cache for server nfs1.example.com" > > Restarting the rpcgssd daemon works, this action removes > the /tmp/krb5cc_machine_EXAMPLE.COM file and upon a mount command it is > recreated. > However restarting the rpcgssd daemon on all NFS clients every time an > NFS server is redeployed doesn't feel right. > > Anyone perhaps have an idea on what I might be doing wrong? > Or is this by design? > > > After dicussing this with Red Hat support the best way to go about this issue is to just restart the rpcgssd deamon on any nfs client that recently had a mount to the re-deployed nfs server. Restarting rpcgssd removes the /tmp/krb5cc_machine_EXAMPLE.COM file so a new one can be created. One other method would be to save various files (things like keytabs) and re-use these after deployment but that turned out to be too much effort to automate.