Hi,
I am really struggling with a "permission denied" error while mounting an NFS share with
sec=krb5.
Both machines (Ubuntu 14.04), the NFS client and the server, are configured with SSSD, and
authentication seems to work (only one test user is configured with POSIX ids ;)
'getent passwd longina' returns correct values on both.
I joined both machines to AD with 'realmd', and additionally created the SPN
principal nfs/jota.nat.c.example.com(a)NAT.C.EXAMPLE.COM with setspn.exe on AD
and added its keys to /etc/krb5.keytab.
I expect to be able to mount the NFS share with sec=krb5 as root on the client using the machine
credentials.
Here is some debugging output.
Output on the client (jedi) from 'rpc.gssd' while mounting the NFS share:
-----------------
doing error downcall
handling gssd upcall (/run/rpc_pipefs/nfs/clnt9)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/run/rpc_pipefs/nfs/clnt9)
process_krb5_upcall: service is '<null>'
Full hostname for 'jota.nat.c.sdu.dk' is 'jota.nat.c.sdu.dk'
Full hostname for 'jedi.nat.c.sdu.dk' is 'jedi.nat.c.sdu.dk'
Success getting keytab entry for 'JEDI$(a)NAT.C.SDU.DK'
INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK' are good until
1407542806
INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK' are good until
1407542806
using FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK
creating context using fsuid 0 (save_uid 0)
creating tcp client for server jota.nat.c.sdu.dk
DEBUG: port already set to 2049
creating context with server nfs(a)jota.nat.c.sdu.dk
WARNING: Failed to create krb5 context for user with uid 0 for server jota.nat.c.sdu.dk
WARNING: Failed to create machine krb5 context with credentials cache
FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK for server jota.n\
at.c.sdu.dk
WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for
server jota.nat.c.sdu.dk
Full hostname for 'jota.nat.c.sdu.dk' is 'jota.nat.c.sdu.dk'
Full hostname for 'jedi.nat.c.sdu.dk' is 'jedi.nat.c.sdu.dk'
Success getting keytab entry for 'JEDI$(a)NAT.C.SDU.DK'
INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK' are good until
1407542806
INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK' are good until
1407542806
using FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK
creating context using fsuid 0 (save_uid 0)
creating tcp client for server jota.nat.c.sdu.dk
DEBUG: port already set to 2049
creating context with server nfs(a)jota.nat.c.example.com
WARNING: Failed to create krb5 context for user with uid 0 for server
jota.nat.c.example.com
WARNING: Failed to create machine krb5 context with credentials cache
FILE:/tmp/krb5ccmachine_NAT.C.EXAMPLE.COM for server jota.n\
at.c.example.com
WARNING: Failed to create machine krb5 context with any credentials cache for server
jota.nat.c.example.com
doing error downcall
destroying client /run/rpc_pipefs/nfs/clnta
destroying client /run/rpc_pipefs/nfs/clnt9
-----------
client(jedi):
hostname:
jedi
----------
root@jedi:/var/lib/sss/db# klist -c
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@jedi:/var/lib/sss/db# klist -c /tmp/krb5ccmachine_NAT.C.EXAMPLE.COM
Ticket cache:
FILE:/tmp/krb5ccmachine_NAT.C.EXAMPLE.COM
Default principal: JEDI$(a)NAT.C.EXAMPLE.COM
Valid starting Expires Service principal
08/08/2014 16:06:46 08/09/2014 02:06:46 krbtgt/NAT.C.EXAMPLE.COM(a)NAT.C.EXAMPLE.COM
renew until 08/09/2014 16:06:46
08/08/2014 16:06:46 08/09/2014 02:06:46 nfs/jota.nat.c.example.com(a)NAT.C.EXAMPLE.COM
renew until 08/09/2014 16:06:46
root@jedi:/var/lib/sss/db# klist -ce /tmp/krb5ccmachine_NAT.C.EXAMPLE.COM
Ticket cache:
FILE:/tmp/krb5ccmachine_NAT.C.EXAMPLE.COM
Default principal: JEDI$(a)NAT.C.EXAMPLE.COM
Valid starting Expires Service principal
08/08/2014 16:06:46 08/09/2014 02:06:46 krbtgt/NAT.C.EXAMPLE.COM(a)NAT.C.EXAMPLE.COM
renew until 08/09/2014 16:06:46, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
08/08/2014 16:06:46 08/09/2014 02:06:46 nfs/jota.nat.c.example.com(a)NAT.C.EXAMPLE.COM
renew until 08/09/2014 16:06:46, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
------------
root@jedi:/etc# klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 host/jedi.nat.c.example.com(a)NAT.C.EXAMPLE.COM (des-cbc-crc)
6 host/jedi.nat.c.example.com(a)NAT.C.EXAMPLE.COM (des-cbc-md5)
6 host/jedi.nat.c.example.com(a)NAT.C.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
6 host/jedi.nat.c.example.com(a)NAT.C.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
6 host/jedi.nat.c.example.com(a)NAT.C.EXAMPLE.COM (arcfour-hmac)
6 host/JEDI(a)NAT.C.EXAMPLE.COM (des-cbc-crc)
6 host/JEDI(a)NAT.C.EXAMPLE.COM (des-cbc-md5)
6 host/JEDI(a)NAT.C.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
6 host/JEDI(a)NAT.C.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
6 host/JEDI(a)NAT.C.EXAMPLE.COM (arcfour-hmac)
6 JEDI$(a)NAT.C.EXAMPLE.COM (des-cbc-crc)
6 JEDI$(a)NAT.C.EXAMPLE.COM (des-cbc-md5)
6 JEDI$(a)NAT.C.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
6 JEDI$(a)NAT.C.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
6 JEDI$(a)NAT.C.EXAMPLE.COM (arcfour-hmac)
-------------------------
Server (jota):
---------------------
hostname:
jota.nat.c.example.com
-------
root@jota:/home/alongina# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 nfs/jota.nat.c.sdu.dk(a)NAT.C.SDU.DK (des-cbc-crc)
4 nfs/jota.nat.c.sdu.dk(a)NAT.C.SDU.DK (des-cbc-md5)
4 nfs/jota.nat.c.sdu.dk(a)NAT.C.SDU.DK (arcfour-hmac)
4 nfs/jota.nat.c.sdu.dk(a)NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
4 nfs/jota.nat.c.sdu.dk(a)NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
4 host/jota.nat.c.sdu.dk(a)NAT.C.SDU.DK (des-cbc-crc)
4 host/jota.nat.c.sdu.dk(a)NAT.C.SDU.DK (des-cbc-md5)
4 host/jota.nat.c.sdu.dk(a)NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
4 host/jota.nat.c.sdu.dk(a)NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
4 host/jota.nat.c.sdu.dk(a)NAT.C.SDU.DK (arcfour-hmac)
4 host/JOTA(a)NAT.C.SDU.DK (des-cbc-crc)
4 host/JOTA(a)NAT.C.SDU.DK (des-cbc-md5)
4 host/JOTA(a)NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
4 host/JOTA(a)NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
4 host/JOTA(a)NAT.C.SDU.DK (arcfour-hmac)
4 JOTA$(a)NAT.C.SDU.DK (des-cbc-crc)
4 JOTA$(a)NAT.C.SDU.DK (des-cbc-md5)
4 JOTA$(a)NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
4 JOTA$(a)NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
4 JOTA$(a)NAT.C.SDU.DK (arcfour-hmac)
root@jota:/# ps ax | grep rpc
512 ? Ss 0:00 rpcbind
625 ? Ss 0:00 rpc.statd -L
670 ? S< 0:00 [rpciod]
769 ? Ss 0:00 rpc.idmapd
850 ? Ss 0:00 rpc.gssd
2348 ? Ss 0:00 /usr/sbin/rpc.svcgssd -vvvvvvvvvv
2350 ? Ss 0:00 /usr/sbin/rpc.mountd --manage-gids
root@jota:/home/alongina# klist -c
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
--------------
root@jota:/home/alongina# cat /etc/exports
#
/nfs *(rw,crossmnt,no_subtree_check,sec=krb5:krb5p:krb5i)
----------------
root@jota:/home/alongina# kinit -k JOTA\$(a)NAT.C.EXAMPLE.COM
---------------
root@jota:/home/alongina# klist -c
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: JOTA$(a)NAT.C.EXAMPLE.COM
Valid starting Expires Service principal
08/08/14 16:36:44 09/08/14 02:36:44 krbtgt/NAT.C.EXAMPLE.COM(a)NAT.C.EXAMPLE.COM
renew until 09/08/14 16:36:44
/var/log/syslog (rpc.svcgssd)
Aug 8 16:34:56 jota rpc.svcgssd[2348]: finished handling null request
Aug 8 16:34:56 jota rpc.svcgssd[2348]: entering poll
Aug 8 16:34:56 jota rpc.svcgssd[2348]: leaving poll
Aug 8 16:34:56 jota rpc.svcgssd[2348]: handling null request
Aug 8 16:34:56 jota rpc.svcgssd[2348]: svcgssd_limit_krb5_enctypes: Calling
gss_set_allowable_enctypes with 7 enctypes from the kernel
Aug 8 16:34:56 jota rpc.svcgssd[2348]: WARNING: gss_accept_sec_context failed
Aug 8 16:34:56 jota rpc.svcgssd[2348]: ERROR: GSS-API: error in handle_nullreq:
gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide
more information) - Wrong principal in request
Aug 8 16:34:56 jota rpc.svcgssd[2348]: sending null reply
Mange hilsner
Longina