[29683] in Kerberos


Re: NFS IO on kerberized export failing with permission denied error

daemon@ATHENA.MIT.EDU (parinay)
Tue Apr 15 09:49:37 2008

Message-ID: <ea2ed4af0804150415u1175d256ya5cd723738259325@mail.gmail.com>
Date: Tue, 15 Apr 2008 16:45:34 +0530
From: parinay <parinay@gmail.com>
To: kerberos@mit.edu
In-Reply-To: <ea2ed4af0804140326j7f235c78qbcf3ce1048f33119@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi,

Can anybody help with this, please?

- All machines in question are in time sync
- All machines are reachable by their FQDN
- kinit/kadmin -p to the KDC server is working fine. So I guess there is no problem between these two, i.e. the KDC client and the KDC server, though I could be wrong here
- I am not able to understand what the problem is here, as the principal/keytab for the filer is in place.

Apr 15 06:09:15 kc4b1-e0 rpc.gssd[373]: ERROR: can't open clnt54: No such file or directory
Apr 15 06:09:15 kc4b1-e0 rpc.gssd[373]: WARNING: Failed to obtain machine credentials for connection to server rtpqa-fas6080-7-e0b.nas.ssqa.rtp.netapp.com

Thanks & regards

 Parinay





Logs to better explain my problem

*Linux Client*

[root@kc4b1-e0 ~]# uname -a
Linux kc4b1-e0 2.6.18-8.1.3.el5 #1 SMP Mon Apr 16 15:54:14 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
[root@kc4b1-e0 ~]#

*CLIENT KEYTAB*

[root@kc4b1-e0 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 root/kc4b1-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
   3 nfs/kc4b1-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM

[root@kc4b1-e0 ~]# kinit
Password for root/admin@NAS.SSQA.RTP.NETAPP.COM:
[root@kc4b1-e0 ~]#

[root@kc4b1-e0 ~]# mount -o sec=krb5 rtpqa-fas6080-7-e0b.nas.ssqa.rtp.netapp.com:/vol/vol1/ /mnt/
[root@kc4b1-e0 ~]# cd /mnt/
-bash: cd: /mnt/: Permission denied

[root@kc4b1-e0 ~]# tail /var/log/messages
Apr 15 06:09:15 kc4b1-e0 rpc.gssd[373]: ERROR: can't open clnt54: No such file or directory
Apr 15 06:09:15 kc4b1-e0 rpc.gssd[373]: WARNING: Failed to obtain machine credentials for connection to server rtpqa-fas6080-7-e0b.nas.ssqa.rtp.netapp.com
[root@kc4b1-e0 ~]#


*NETAPP Filer keytab*

[root@kc1b8-e0 ~]# klist -k /tmp/6080.keytab
Keytab name: FILE:/tmp/6080.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/rtpqa-fas6080-7.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
   3 nfs/rtpqa-fas6080-7-e0b.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
[root@kc1b8-e0 ~]#

*NETAPP Filer kerb options*

options nfs.kerb
nfs.kerberos.enable          on
nfs.kerberos.file_keytab.enable off

options kerb
kerberos.file_keytab.enable  off
kerberos.file_keytab.principal rtpqa-fas6080-7-e0b.nas.ssqa.rtp.netapp.com
kerberos.file_keytab.realm   NAS.SSQA.RTP.NETAPP.COM
kerberos.replay_cache.enable off

*NFS SERVER Exports*

 /vol/vol1       -sec=krb5,rw,anon=0

*KDC*

[root@kc1b8-e0 ~]# uname -a
Linux kc1b8-e0 2.6.18-8.1.3.el5 #1 SMP Mon Apr 16 15:54:14 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
[root@kc1b8-e0 ~]#




On Mon, Apr 14, 2008 at 3:56 PM, parinay <parinay@gmail.com> wrote:

> Hi,
>
> I am failing to do NFS io on a volume with sec=krb5. The logs are below,
> to give you an exact idea.
>
> -All clients and KDC are in time sync
>
> -Every machine is reachable with hostname.
>
> -kinit/kadmin works from client
>
> -mount works but cd/ls fails on mounted path
>
> -KDC -2.6.18-8.1.3.el5
>
> -client-SunOS kc1b6 5.10 Generic_118855-33 i86pc i386 i86pc
>
> -NFS exports from - Netapp filer
>
>
> exportfs
> /vol/vol1       -sec=krb5,rw,anon=0
>
> options nfs.kerb
> nfs.kerberos.enable          on
> nfs.kerberos.file_keytab.enable on
> nfs.kerberos.principal       rtpqa-fas6080-7.rtp.netapp.com
> nfs.kerberos.realm           NAS.SSQA.RTP.NETAPP.COM
> options kerb
> kerberos.file_keytab.enable  on
> kerberos.file_keytab.principal rtpqa-fas6080-7.rtp.netapp.com
> kerberos.file_keytab.realm   NAS.SSQA.RTP.NETAPP.COM
> kerberos.replay_cache.enable off
>
> kadmin.local
> Authenticating as principal root/admin@NAS.SSQA.RTP.NETAPP.COM with
> password.
> kadmin.local:  listprincs
> K/M@NAS.SSQA.RTP.NETAPP.COM
> changepw/kc1b8-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> kadmin/admin@NAS.SSQA.RTP.NETAPP.COM
> kadmin/changepw@NAS.SSQA.RTP.NETAPP.COM
> kadmin/history@NAS.SSQA.RTP.NETAPP.COM
> kadmin/kc1b8-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> kiprop/kc1b8-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> krbtgt/NAS.SSQA.RTP.NETAPP.COM@NAS.SSQA.RTP.NETAPP.COM
> nfs/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> nfs/rtpqa-fas3170-9-vif1.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> nfs/rtpqa-fas6080-7.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> parinay/admin@NAS.SSQA.RTP.NETAPP.COM
> parinay/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> root/admin@NAS.SSQA.RTP.NETAPP.COM
> root/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> kadmin.local:
>
> klist -k /tmp/6080.keytab
> Keytab name: FILE:/tmp/6080.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 nfs/rtpqa-fas6080-7.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> # klist -k /tmp/kc1b6.keytab
> Keytab name: FILE:/tmp/kc1b6.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 root/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
>    3 parinay/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
>    3 nfs/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
>
> bash-3.00# cd /mnt/krb
> bash: cd: /mnt/krb: Permission denied
> bash-3.00#mount
>
> /mnt/krb on rtpqa-fas6080-7:/vol/vol1 remote/read/write/setuid/devices/vers=3/sec=krb5/xattr/dev=4700013 on Mon Apr 14 05:34:27 2008
>
>
> --
> easy is right
> begin right and you're easy
> continue easy and you're right
> the right way to go easy is to forget the right way
> and forget that the going is easy....
>



-- 
easy is right
begin right and you're easy
continue easy and you're right
the right way to go easy is to forget the right way
and forget that the going is easy....
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

