[39246] in Kerberos


Re: cannot mount nfs share -o sec=krb5p

daemon@ATHENA.MIT.EDU (Chris Gorman)
Thu May 25 13:40:20 2023

MIME-Version: 1.0
In-Reply-To: <CAHVeOW8yGAhXaw2+uc+Rw-K4-GDRze-eHoP-eOrM2GJpNnv_0Q@mail.gmail.com>
From: Chris Gorman <chrisjohgorman@gmail.com>
Date: Thu, 25 May 2023 13:35:12 -0400
Message-ID: <CAHVeOW9v_T=1zSb5iPxD8=CraKJZhrYToX_Wrxw4EMZH6MWbNQ@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hello Again,

Please disregard this request for help as being persistent has allowed
me to fix my problem.  I needed to rebuild the following packages to
get nfs mounting working.

nfs-utils
krb5
gssproxy
cyrus-sasl

Once these were built to recognise each other, my problem disappeared.

Thanks for your time.

Chris

On Tue, May 23, 2023 at 8:30 PM Chris Gorman <chrisjohgorman@gmail.com> wrote:
>
> Hello list,
>
> I am trying to build a linux from scratch system with nfs4 and
> kerberos.  Somewhere along the line I have deviated from what distros
> like arch linux have done as I can't mount an nfs share with anything
> but -o sec=sys.  I have tried to follow arch's build scripts for
> nfs-utils-2.6.3 and gssproxy-0.9.1.  Both are installed and working as
> far as I can tell.  I may yet need to rebuild a package due to
> circular dependencies.  I don't know if this is my problem, or if it
> lies elsewhere.
>
> I have successfully set up a krb5 server on one of my arch systems,
> but want to have the service running on LFS.
>
> So I have two machines at the moment, server and client at domain
> example.com with realm EXAMPLE.COM.  The client is an arch linux
> system and was the previous server.  I could get nfs shares mounted
> when I had the arch system as the server.  I can no longer mount
> shares when using the LFS machine as the server.
>
> I have tried turning on nfs debugging with rpcdebug and the attached
> files are the relevant output from journalctl. The client's log is
> attached as client.log and the server's log is server.log.  The logs
> are logs of a mount call from the client to the server.
>
> sudo mount -vvv -t nfs4 -o sec=krb5p server.example.com:/home /home/nfs
>
> This call produces the following output.
>
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting server.example.com:/home
> mount.nfs4: timeout set for Tue May 23 19:03:05 2023
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4.2,addr=192.168.0.1,clientaddr=192.168.0.2'
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4,minorversion=1,addr=192.168.0.1,clientaddr=192.168.0.2'
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4,addr=192.168.0.1,clientaddr=192.168.0.2'
>
> My kerberos information follows
>
> Client's krb5.conf
> -----------------------
> [libdefaults]
>         default_realm = EXAMPLE.COM
>         encrypt = true
>
> [realms]
>         EXAMPLE.COM = {
>                 admin_server = server.example.com
>                 kdc = server.example.com
>
>                 pkinit_anchors = FILE:/etc/krb5/cacert.pem
>                 pkinit_identity =
> FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
>         }
>
> [domain_realm]
>         example.com = EXAMPLE.COM
>         .example.com = EXAMPLE.COM
>
> [logging]
>         kdc = SYSLOG:NOTICE
>         admin_server = SYSLOG:NOTICE
>         default = SYSLOG:NOTICE
>
> Server's krb5.conf
> ------------------------
> [libdefaults]
>             default_realm = EXAMPLE.COM
>             encrypt = true
>
> [realms]
>         EXAMPLE.COM = {
>                 admin_server = server.example.com
>                 kdc = server.example.com
>
>                 kdc_tcp_ports   = 88
>                 allow_pkinit    = yes
>                 pkinit_identity =
> FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
>                 pkinit_anchors  = FILE:/var/lib/krb5kdc/cacert.pem
>         }
>
> [domain_realm]
>         example.com = EXAMPLE.COM
>         .example.com = EXAMPLE.COM
>
> [logging]
>         kdc = SYSLOG:NOTICE
>         admin_server = SYSLOG:NOTICE
>         default = SYSLOG:NOTICE
>
> Server's kdc.conf
> -----------------------
> [kdcdefaults]
>         kdc_listen = 88
>         kdc_tcp_listen = 88
>         spake_preauth_kdc_challenge = edwards25519
>
> [realms]
>         EXAMPLE.COM = {
>                 database_name = /var/lib/krb5kdc/principal
>                 acl_file = /var/lib/krb5kdc/kadm5.acl
>                 key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
>                 kdc_listen = 88
>                 kdc_tcp_listen = 88
>                 max_life = 10h 0m 0s
>                 max_renewable_life = 7d 0h 0m 0s
>         }
>
> Client's keytab
> -------------------
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/server.example.com@EXAMPLE.COM
>    3 host/server.example.com@EXAMPLE.COM
>    3 nfs/server.example.com@EXAMPLE.COM
>    3 nfs/server.example.com@EXAMPLE.COM
>    3 nfs/client.example.com@EXAMPLE.COM
>    3 nfs/client.example.com@EXAMPLE.COM
>
> /etc/resolv.conf
> --------------
> domain example.com
> nameserver 192.168.0.1
> nameserver 8.8.8.8
>
> /etc/hosts
> -------------
> 127.0.0.1 localhost.localdomain localhost
> ::1       localhost ip6-localhost ip6-loopback
> ff02::1   ip6-allnodes
> ff02::2   ip6-allrouters
>
> If someone has a moment, could you look at the logs and tell me if
> anything jumps out at you as my problem?
>
> Thanks in advance,
>
> Chris

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
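An added check, not part of the thread above, for the keytab half of a sec=krb5p mount. The client keytab posted in the question is interesting from a security standpoint: alongside nfs/client.example.com it still carries host/ and nfs/ keys for server.example.com, left over from when that box was the server. Keys for another host's NFS service do not belong in a client keytab (whoever reads the file can impersonate the server), and rpc.gssd(8) will, as I read the man page, fall back to any nfs/ or host/ principal it finds in the keytab, so stale entries can also mask a missing one. The script below parses `klist -k` output (the sample is constructed to match the listing in the post) and reports whether a usable machine credential for this host exists, which service keys belong to other hosts, and whether any principal appears with more than one KVNO. The hostnames, the realm and the treatment of nfs/, root/ and host/ as acceptable machine principals are assumptions for the example.

```python
"""Audit a client keytab listing for NFSv4 sec=krb5/krb5i/krb5p mounts.

Added example, not code from the mailing-list post. It parses the text
that `klist -k` prints and checks:
  * an nfs/<fqdn>, root/<fqdn> or host/<fqdn> key for THIS host and realm
    exists (assumed to be what rpc.gssd uses as machine credentials),
  * which service keys belong to OTHER hosts (should be removed),
  * whether any principal is present under more than one KVNO.
Duplicate lines with the same KVNO are normal: one per encryption type.
"""
import re
from collections import defaultdict

# Constructed sample in the format `klist -k` prints; it mirrors the
# client keytab shown in the post (client.example.com, realm EXAMPLE.COM).
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM
"""

# Service names assumed acceptable as machine credentials for rpc.gssd.
MACHINE_SERVICES = ("nfs", "root", "host")

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -k` output, skipping headers."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def audit_keytab(entries, fqdn, realm):
    """Classify keytab entries for a client whose host name is fqdn in realm.

    Returns a dict:
      ok            - True if a machine credential for this host/realm exists
      this_host     - usable machine principals for this host (sorted)
      foreign_hosts - nfs/root/host principals for other hosts or realms (sorted)
      kvno_mismatch - principals stored under more than one KVNO (sorted)
    """
    kvnos = defaultdict(set)
    for kvno, princ in entries:
        kvnos[princ].add(kvno)

    this_host, foreign = [], []
    for princ in kvnos:
        name, _, princ_realm = princ.partition("@")
        service, _, host = name.partition("/")
        if service not in MACHINE_SERVICES:
            continue  # user principals etc. are not machine credentials
        if host == fqdn and princ_realm == realm:
            this_host.append(princ)
        else:
            foreign.append(princ)

    return {
        "ok": bool(this_host),
        "this_host": sorted(this_host),
        "foreign_hosts": sorted(foreign),
        "kvno_mismatch": sorted(p for p, v in kvnos.items() if len(v) > 1),
    }


if __name__ == "__main__":
    report = audit_keytab(parse_klist(SAMPLE_KLIST),
                          "client.example.com", "EXAMPLE.COM")
    print("machine credential present:", report["ok"])
    for p in report["foreign_hosts"]:
        print("remove foreign service key:", p)
    for p in report["kvno_mismatch"]:
        print("KVNO mismatch (stale key?):", p)
```

Run it against real output with `klist -k /etc/krb5.keytab | python3 audit.py` after replacing SAMPLE_KLIST with sys.stdin.read(); on the posted listing it reports a valid nfs/client.example.com credential and flags the two server.example.com principals for removal with `ktutil` (read, delent, write). A KVNO mismatch is the other thing worth catching: a keytab exported before a principal's key was changed at the KDC yields exactly the "access denied by server" seen in the post, and comparing `kvno nfs/<fqdn>` against the keytab entry settles it.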

