Hi all, I have a setup with two servers running CentOS 7.6 which I updated recently to ipa-server-4.6.4-10.el7.centos.6.x86_64. The update apparently completed successfully and after that I went through the update of several clients (ipa-client-4.6.4-10.el7.centos.6.x86_64) some of which export kerberized nfs shares. However, after the upgrade, the nfs shares are not accessible by other clients or by servers. I don't know if it's a coincidence, but I can access only shares exported by a non-upgraded client. When trying to mount by hand from server (:fidias) with admin credentials I receive:

[root@fidias]# mount -t nfs4 -o sec=krb5 medusa:/export/teras /teras
mount.nfs4: access denied by server while mounting medusa:/export/teras

[root@fidias]# ipa-getkeytab -r -s fidias.geo.auth.gr -p nfs/medusa.geo.auth.gr -k medusa-nfs.keytab
Failed to parse result: Insufficient access rights
Failed to get keytab

[root@fidias]# KRB5_TRACE=/dev/stderr kinit -k -t /etc/krb5.keytab nfs/medusa.geo.auth.gr
[26055] 1567693076.930983: Resolving unique ccache of type KEYRING
[26055] 1567693076.930984: Getting initial credentials for nfs/medusa.geo.auth.gr@GEO.SS.LAN
[26055] 1567693076.930985: Looked up etypes in keytab: (empty)
[26055] 1567693076.930986: Getting initial credentials for nfs/medusa.geo.auth.gr@GEO.SS.LAN
[26055] 1567693076.930987: Looked up etypes in keytab: (empty)
kinit: Keytab contains no suitable keys for nfs/medusa.geo.auth.gr@GEO.SS.LAN while getting initial credentials

How can this be fixed?

Thanks in advance,
Petros
Petros Triantafyllidis via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:

> Hi all, I have a setup with two servers running CentOS 7.6 which I updated recently to ipa-server-4.6.4-10.el7.centos.6.x86_64. The update apparently completed successfully and after that I went through the update of several clients (ipa-client-4.6.4-10.el7.centos.6.x86_64) some of which export kerberized nfs shares. However, after the upgrade, the nfs shares are not accessible by other clients or by servers. I don't know if it's a coincidence, but I can access only shares exported by a non-upgraded client. When trying to mount by hand from server (:fidias) with admin credentials I receive:
>
> [root@fidias]# mount -t nfs4 -o sec=krb5 medusa:/export/teras /teras
> mount.nfs4: access denied by server while mounting medusa:/export/teras
>
> [root@fidias]# ipa-getkeytab -r -s fidias.geo.auth.gr -p nfs/medusa.geo.auth.gr -k medusa-nfs.keytab
> Failed to parse result: Insufficient access rights
> Failed to get keytab
>
> [root@fidias]# KRB5_TRACE=/dev/stderr kinit -k -t /etc/krb5.keytab nfs/medusa.geo.auth.gr
> [26055] 1567693076.930983: Resolving unique ccache of type KEYRING
> [26055] 1567693076.930984: Getting initial credentials for nfs/medusa.geo.auth.gr@GEO.SS.LAN
> [26055] 1567693076.930985: Looked up etypes in keytab: (empty)
> [26055] 1567693076.930986: Getting initial credentials for nfs/medusa.geo.auth.gr@GEO.SS.LAN
> [26055] 1567693076.930987: Looked up etypes in keytab: (empty)
> kinit: Keytab contains no suitable keys for nfs/medusa.geo.auth.gr@GEO.SS.LAN while getting initial credentials

What's the kvno and enctypes for the keytab? Do they match that of the service?

klist -ekt /path/to/keytab, kvno nfs/medusa.geo.auth.gr

Thanks,
--Robbie
On 9/6/19 9:20 PM, Robbie Harwood via FreeIPA-users wrote:

> Petros Triantafyllidis via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
>
>> Hi all, I have a setup with two servers running CentOS 7.6 which I updated recently to ipa-server-4.6.4-10.el7.centos.6.x86_64. The update apparently completed successfully and after that I went through the update of several clients (ipa-client-4.6.4-10.el7.centos.6.x86_64) some of which export kerberized nfs shares. However, after the upgrade, the nfs shares are not accessible by other clients or by servers. I don't know if it's a coincidence, but I can access only shares exported by a non-upgraded client. When trying to mount by hand from server (:fidias) with admin credentials I receive:
>>
>> [root@fidias]# mount -t nfs4 -o sec=krb5 medusa:/export/teras /teras
>> mount.nfs4: access denied by server while mounting medusa:/export/teras
>>
>> [root@fidias]# ipa-getkeytab -r -s fidias.geo.auth.gr -p nfs/medusa.geo.auth.gr -k medusa-nfs.keytab
>> Failed to parse result: Insufficient access rights
>> Failed to get keytab
>>
>> [root@fidias]# KRB5_TRACE=/dev/stderr kinit -k -t /etc/krb5.keytab nfs/medusa.geo.auth.gr
>> [26055] 1567693076.930983: Resolving unique ccache of type KEYRING
>> [26055] 1567693076.930984: Getting initial credentials for nfs/medusa.geo.auth.gr@GEO.SS.LAN
>> [26055] 1567693076.930985: Looked up etypes in keytab: (empty)
>> [26055] 1567693076.930986: Getting initial credentials for nfs/medusa.geo.auth.gr@GEO.SS.LAN
>> [26055] 1567693076.930987: Looked up etypes in keytab: (empty)
>> kinit: Keytab contains no suitable keys for nfs/medusa.geo.auth.gr@GEO.SS.LAN while getting initial credentials
>
> What's the kvno and enctypes for the keytab? Do they match that of the service?
>
> klist -ekt /path/to/keytab, kvno nfs/medusa.geo.auth.gr
>
> Thanks,
> --Robbie
Thanks for responding Robbie, keytab is the default one and the kvno differs:

[root@medusa]# klist -ekt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/15/2017 09:16:12 host/medusa.geo.auth.gr@GEO.SS.LAN (aes256-cts-hmac-sha1-96)
   1 07/15/2017 09:16:12 host/medusa.geo.auth.gr@GEO.SS.LAN (aes128-cts-hmac-sha1-96)
   1 07/15/2017 09:29:44 nfs/medusa.geo.auth.gr@GEO.SS.LAN (aes256-cts-hmac-sha1-96)
   1 07/15/2017 09:29:44 nfs/medusa.geo.auth.gr@GEO.SS.LAN (aes128-cts-hmac-sha1-96)

[root@medusa]# kvno nfs/medusa.geo.auth.gr
nfs/medusa.geo.auth.gr@GEO.SS.LAN: kvno = 3

On my attempts to fix the problem, I followed the steps below but I am not sure if I did everything as I should. However, the nfs worked after that:

[root@medusa]# kinit admin
[root@medusa]# mv /etc/krb5.keytab /etc/krb5.keytab.orig
[root@medusa]# ipa-getkeytab -p host/medusa.geo.auth.gr -s fidias.geo.auth.gr -k /etc/krb5.keytab
[root@medusa]# ipa-getkeytab -p nfs/medusa.geo.auth.gr -s fidias.geo.auth.gr -k /etc/krb5.keytab
[root@medusa]# systemctl restart sssd

Thanks again,
Petros
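The check Robbie suggests (compare `klist -ekt` against `kvno`) as a small shell helper. This is an added example, not code from the thread or from FreeIPA: it parses the two command outputs, reports the enctypes held for a principal, and flags a keytab whose key version lags the KDC, which is exactly Petros's case (keytab KVNO 1, service KVNO 3). The sample outputs embedded below are constructed from the listing Petros posted; the function names are mine, and the parsing assumes MIT krb5's `klist -ekt` and `kvno` output layout.

```shell
#!/bin/sh
# keytab_kvno_check: compare the key version number (KVNO) and enctypes a keytab
# holds for a principal against the KVNO the KDC currently reports for it.
# Added illustration; function names and sample data are constructed, not from FreeIPA.

# Print "KVNO ENCTYPE" pairs for one principal from `klist -ekt` output.
# $1 = klist -ekt output text, $2 = principal (realm optional).
keytab_keys() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ {
            s = $4; sub(/@.*/, "", s)          # principal without realm
            if (s == p || $4 == p) {
                e = $NF; gsub(/[()]/, "", e)   # enctype is the parenthesised last field
                print $1, e
            }
        }'
}

# Highest KVNO present in the keytab for the principal (empty if no key at all).
keytab_kvno() {
    keytab_keys "$1" "$2" | awk '{ if (m == "" || $1+0 > m+0) m = $1+0 } END { if (m != "") print m }'
}

# KVNO the KDC reports, parsed from `kvno <principal>` output
# ("nfs/medusa.geo.auth.gr@GEO.SS.LAN: kvno = 3").
kdc_kvno() {
    printf '%s\n' "$1" | awk -F'kvno = ' '/kvno = /{ print $2+0 }'
}

# check_kvno KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL
# Returns 0 when the versions match, 1 when the keytab is stale,
# 2 when the keytab has no key for the principal, 3 when the KDC kvno is unknown.
check_kvno() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2")
    if [ -z "$kt" ]; then
        echo "MISSING: no key for $3 in keytab"; return 2
    fi
    if [ -z "$kdc" ]; then
        echo "UNKNOWN: could not read KDC kvno for $3 (no ticket?)"; return 3
    fi
    if [ "$kt" -eq "$kdc" ]; then
        echo "OK: keytab kvno $kt matches KDC (enctypes: $(keytab_keys "$1" "$3" | awk '{print $2}' | tr '\n' ' '))"
        return 0
    fi
    echo "STALE: keytab kvno $kt, KDC kvno $kdc; the keytab must be re-fetched"; return 1
}

# Constructed sample input, copied from the listing in the thread above.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/15/2017 09:16:12 host/medusa.geo.auth.gr@GEO.SS.LAN (aes256-cts-hmac-sha1-96)
   1 07/15/2017 09:16:12 host/medusa.geo.auth.gr@GEO.SS.LAN (aes128-cts-hmac-sha1-96)
   1 07/15/2017 09:29:44 nfs/medusa.geo.auth.gr@GEO.SS.LAN (aes256-cts-hmac-sha1-96)
   1 07/15/2017 09:29:44 nfs/medusa.geo.auth.gr@GEO.SS.LAN (aes128-cts-hmac-sha1-96)'
KVNO_SAMPLE='nfs/medusa.geo.auth.gr@GEO.SS.LAN: kvno = 3'

# Stand-alone demonstration on the sample data (reports STALE, exit status 1).
check_kvno "$KLIST_SAMPLE" "$KVNO_SAMPLE" nfs/medusa.geo.auth.gr

# Live use on a host (needs a ticket for kvno and read access to the keytab):
#   check_kvno "$(klist -ekt /etc/krb5.keytab)" "$(kvno nfs/medusa.geo.auth.gr 2>&1)" nfs/medusa.geo.auth.gr
```

Running the live form on each NFS server after a client or server upgrade gives a quick inventory of which hosts still present stale keys; a STALE result matches the `Looked up etypes in keytab: (empty)` symptom in the kinit trace, because the KDC will not accept keys from an older version.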