I've recently switched from using k5start to gssproxy to allow my users to access NFSv4 mounts with sec=krb5, using keytabs I manage for them. I have just one service configured in gssproxy:
  [service/nfs-client]
    mechs = krb5
    cred_store = keytab:/etc/krb5.keytab
    cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
    cred_store = client_keytab:/var/local/keytabs/%u.keytab
    cred_usage = initiate
    allow_any_uid = yes
    trusted = yes
    euid = 0
I thought everything was working great, but now I find that I can't mount remote filesystems when gssproxy is running. If I stop gssproxy, mount works. If I change sec=krb5 to sec=sys, mount works. It seems clear that gssproxy is preventing mount from working. When I run mount -a, I get errors like this:
mount.nfs: access denied by server while mounting [...]
When I add -vvv to rpc.gssd, this is what I see in syslog (anonymized):
  rpc.gssd[6512]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server nfs.example.com
  rpc.gssd[6512]: Full hostname for 'nfs.example.com' is 'nfs.example.com'
  rpc.gssd[6512]: Full hostname for 'client.zz.example.com' is 'client.zz.example.com'
  rpc.gssd[6512]: No key table entry found for client$@AD.EXAMPLE.COM while getting keytab entry for 'client$@AD.EXAMPLE.COM'
  rpc.gssd[6512]: Success getting keytab entry for 'CLIENT$@AD.EXAMPLE.COM'
  rpc.gssd[6512]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_AD.EXAMPLE.COM' are good until 1624541464
  rpc.gssd[6512]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_AD.EXAMPLE.COM' are good until 1624541464
  rpc.gssd[6512]: creating tcp client for server nfs.example.com
  rpc.gssd[6512]: DEBUG: port already set to 2049
  rpc.gssd[6512]: creating context with server nfs@nfs.example.com
  rpc.gssd[6512]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs.example.com
  rpc.gssd[6512]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_AD.EXAMPLE.COM for server nfs.example.com
  rpc.gssd[6512]: ERROR: Failed to create machine krb5 context with any credentials cache for server nfs.example.com
  rpc.gssd[6512]: doing error downcall
I'm running version 0.8.0, as distributed with Debian Buster (I worked around the systemd ordering cycle bug in that version by using the upstream unit file). The fileserver is run by a different group and Kerberos is AD.
Googling for answers, I found others describe similar problems, but no solutions that make sense to me. Help!
John
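Added example, not part of John's post and not code from gssproxy or nfs-utils: a small Python parser for rpc.gssd -vvv output that turns a trace like the one above into a structured summary (keytab lookups that missed and hit, which credential caches were consulted and until when, which server's machine context failed outright, and whether an error downcall was issued). The regular expressions assume the record shape visible in the post (`rpc.gssd[PID]: [LEVEL: ]message`, with an optional syslog prefix in front); the sample input is the post's own anonymized lines, embedded as a constructed string so the script runs offline.

```python
"""Summarize an rpc.gssd -vvv trace: what was looked up, what was found, what failed."""
import re

# Constructed sample input: the anonymized rpc.gssd -vvv records quoted in the
# post, one record per line (any syslog timestamp/host prefix already stripped).
SAMPLE_LOG = """\
rpc.gssd[6512]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server nfs.example.com
rpc.gssd[6512]: Full hostname for 'nfs.example.com' is 'nfs.example.com'
rpc.gssd[6512]: Full hostname for 'client.zz.example.com' is 'client.zz.example.com'
rpc.gssd[6512]: No key table entry found for client$@AD.EXAMPLE.COM while getting keytab entry for 'client$@AD.EXAMPLE.COM'
rpc.gssd[6512]: Success getting keytab entry for 'CLIENT$@AD.EXAMPLE.COM'
rpc.gssd[6512]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_AD.EXAMPLE.COM' are good until 1624541464
rpc.gssd[6512]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_AD.EXAMPLE.COM' are good until 1624541464
rpc.gssd[6512]: creating tcp client for server nfs.example.com
rpc.gssd[6512]: DEBUG: port already set to 2049
rpc.gssd[6512]: creating context with server nfs@nfs.example.com
rpc.gssd[6512]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs.example.com
rpc.gssd[6512]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_AD.EXAMPLE.COM for server nfs.example.com
rpc.gssd[6512]: ERROR: Failed to create machine krb5 context with any credentials cache for server nfs.example.com
rpc.gssd[6512]: doing error downcall
"""

# Assumed record shape (taken from the post): program[pid]: optional "LEVEL: " then
# the message. search() rather than match() so a syslog prefix in front is tolerated.
RECORD_RE = re.compile(
    r"(?P<prog>rpc\.gssd)\[(?P<pid>\d+)\]: "
    r"(?:(?P<level>WARNING|ERROR|INFO|DEBUG): )?(?P<msg>.*)$"
)


def parse_gssd_log(text):
    """Return one dict per rpc.gssd record: pid, level ('NOTICE' if none) and message."""
    events = []
    for raw in text.splitlines():
        m = RECORD_RE.search(raw)
        if m is None:
            continue  # not an rpc.gssd record; ignore
        events.append({"pid": int(m["pid"]), "level": m["level"] or "NOTICE", "msg": m["msg"]})
    return events


def diagnose(events):
    """Pull the facts a debugger wants out of a failed-context trace."""
    report = {
        "keytab_misses": [],    # principals rpc.gssd looked up and did not find
        "keytab_hits": [],      # principals it did find
        "ccaches": {},          # credential cache -> expiry (epoch seconds)
        "failed_servers": [],   # servers for which every ccache was rejected
        "error_downcall": False,
    }
    for ev in events:
        msg = ev["msg"]
        if m := re.match(r"No key table entry found for (\S+) while", msg):
            report["keytab_misses"].append(m[1])
        elif m := re.match(r"Success getting keytab entry for '([^']+)'", msg):
            report["keytab_hits"].append(m[1])
        elif m := re.match(r"Credentials in CC '([^']+)' are good until (\d+)", msg):
            report["ccaches"][m[1]] = int(m[2])
        elif m := re.match(
            r"Failed to create machine krb5 context with any credentials cache for server (\S+)", msg
        ):
            report["failed_servers"].append(m[1])
        elif msg == "doing error downcall":
            report["error_downcall"] = True
    # A miss that equals a hit except for letter case means rpc.gssd only found the
    # principal after retrying a different spelling. Kerberos principal names are
    # case-sensitive, so surface the pair instead of hiding it in the noise.
    hits_folded = {p.lower(): p for p in report["keytab_hits"]}
    report["case_only_matches"] = [
        (miss, hits_folded[miss.lower()])
        for miss in report["keytab_misses"]
        if miss.lower() in hits_folded and miss not in report["keytab_hits"]
    ]
    return report


def context_failed_for(text):
    """Convenience: servers whose machine context could not be created at all."""
    return diagnose(parse_gssd_log(text))["failed_servers"]


if __name__ == "__main__":
    for key, value in diagnose(parse_gssd_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a real trace with `journalctl -u rpc-gssd | python3 gssd_summary.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the summary makes it obvious at a glance which credential cache rpc.gssd actually tried (here `/tmp/krb5ccmachine_AD.EXAMPLE.COM`, not a gssproxy-managed one) and for which server the context failed.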