[CentOS] [resolved] nfs client kerberos cache

Mon Jan 13 11:27:28 UTC 2014
Darod Zyree <darodzyree at gmail.com>

2014/1/6 Darod Zyree <darodzyree at gmail.com>

> Greetings,
>
> Not sure if this is the correct mail list.
>
> I have the following test environment set up:
> - 1x ipa master = ipa1.example.com
> - 1x nfs server = nfs1.example.com
> - 1x nfs client = nfsclient1.example.com
>
> NFS version 4 is used and the appropriate Kerberos principal has been
> created in IPA:
>
> [root at nfs1 ~]# ipa service-show nfs/nfs1.example.com at EXAMPLE.COM
>
> Principal: nfs/nfs1.example.com at EXAMPLE.COM
> Keytab: True
> Managed by: nfs1.example.com
>
>
> Mounting using krb5p works:
>
> [root at nfsclient1 ~]# mount -v -t nfs -o sec=krb5p
> nfs1.example.com:/exports/homes/ /mnt
>
> mount.nfs: timeout set for Mon Jan  6 21:25:56 2014
> mount.nfs: trying text-based options
> 'sec=krb5p,vers=4,addr=192.168.12.172,clientaddr=192.168.12.173'
> nfs1.example.com:/exports/homes/ on /mnt type nfs (rw,sec=krb5p)
>
> rpcgssd created the Kerberos cache file as indicated
> in /var/log/messages:
> rpc.gssd[2473]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1389125973
>
>
> So far so good, but then:
>
> 1) I unmount everything from nfs1, remove the nfs1.example.host, its DNS
> record(s) and service principals.
> 2) I redeploy the nfs1.example.com and re-create the
> nfs/nfs1.example.com at EXAMPLE.COM principal
>
> 3) When I try to mount the same NFS share from nfs1 on nfsclient1 I get an
> error:
> mount.nfs: trying text-based options
> 'sec=krb5p,vers=4,addr=192.168.12.172,clientaddr=192.168.12.173'
> mount.nfs: mount(2): Operation not permitted
>
> Now I'm not an IPA or Kerberos expert but I am guessing that this
> happens because the nfsclient1 still has, and uses,
> the /tmp/krb5cc_machine_EXAMPLE.COM cache file?
> This file would have the “old” Kerberos credentials?...
>
> On the NFS server in /var/log/messages this error message is displayed:
> "rpc.svcgssd[5983]: ERROR: GSS-API: error in handle_nullreq:
> gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor
> code may provide more information) - Wrong principal in request"
>
> On the NFS client in /var/log/messages these messages are displayed:
> "creating context with server nfs at nfs1.example.com"
>
> "WARNING: Failed to create machine krb5 context with credentials cache
> FILE:/tmp/krb5cc_machine_EXAMPLE.COM for server nfs1.example.com"
>
> "WARNING: Machine cache is prematurely expired or corrupted trying to
> recreate cache for server nfs1.example.com"
>
> Restarting the rpcgssd daemon works, this action removes
> the /tmp/krb5cc_machine_EXAMPLE.COM file and upon a mount command it is
> recreated.
> However restarting the rpcgssd daemon on all NFS clients every time an
> NFS server is redeployed doesn't feel right.
>
> Anyone perhaps have an idea on what I might be doing wrong?
> Or is this by design?
>
>
>
After discussing this with Red Hat support the best way to go about this
issue is to just restart the rpcgssd daemon on any nfs client that recently
had a mount to the re-deployed nfs server.

Restarting rpcgssd removes the /tmp/krb5cc_machine_EXAMPLE.COM file so a
new one can be created.

One other method would be to save various files (things like keytabs) and
re-use these after deployment but that turned out to be too much effort to
automate.
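A small detection helper, as an added example that is not part of the original thread: it scans syslog-style lines for the rpc.gssd warning quoted above and names each NFS server whose machine credential cache is stale, so an operator knows on which clients rpcgssd needs the restart described. The sample log lines are constructed from the messages in the post; the `service rpcgssd restart` command in the report is the CentOS 6 init script name and is illustrative.

```shell
#!/bin/sh
# Added example, not code from the original thread. Scans syslog-style lines for
# the rpc.gssd warning quoted in the post and names each NFS server whose machine
# credential cache is stale. Sample lines are constructed from the thread; the
# restart command is the CentOS 6 init script name and is illustrative only.

# Constructed sample of /var/log/messages on the client after the server redeploy.
sample_log() {
cat <<'EOF'
Jan 13 11:20:01 nfsclient1 rpc.gssd[2473]: creating context with server nfs@nfs1.example.com
Jan 13 11:20:01 nfsclient1 rpc.gssd[2473]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_EXAMPLE.COM for server nfs1.example.com
Jan 13 11:20:01 nfsclient1 rpc.gssd[2473]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs1.example.com
Jan 13 11:21:30 nfsclient1 rpc.gssd[2473]: creating context with server nfs@nfs2.example.com
Jan 13 11:21:30 nfsclient1 rpc.gssd[2473]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1389125973
EOF
}

# Read syslog lines on stdin; print each server named in a "Machine cache is
# prematurely expired or corrupted" warning, once.
stale_gss_servers() {
    sed -n 's/.*rpc\.gssd\[[0-9]*]: WARNING: Machine cache is prematurely expired or corrupted.* for server \([^ ]*\).*/\1/p' | sort -u
}

# Exit 0 if the warning was logged for the given server, 1 otherwise.
needs_gssd_restart() {
    stale_gss_servers | grep -qx "$1"
}

# Operator report: one line per stale server with the remediation from the thread.
report_stale() {
    stale_gss_servers | while read -r srv; do
        echo "stale machine cache for $srv: restart rpc.gssd (service rpcgssd restart) so /tmp/krb5cc_machine_EXAMPLE.COM is recreated"
    done
}

# Usage: ./gssd-stale.sh /var/log/messages   (defaults to the constructed sample)
if [ "${1:-}" ]; then report_stale < "$1"; else sample_log | report_stale; fi
```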