Linux client kerberos problem with attempted nfsv4 connection... - Kerberos


  1. Linux client kerberos problem with attempted nfsv4 connection...


    I'm trying to create a krb5 authenticated nfsv4 connection from a Linux
    Fedora Core 3 client to a NetApp filer server.

    The trick is, the NetApp is running Kerberos connected to a Windows AD
    KDC...

    I've created a keytab for the client with a principal of:

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       4 nfs/client.bu.edu@AD.BU.EDU


    On the client a mount attempt gives

    client:~# mount -tnfs4 -o sec=krb5 server.bu.edu:/vol/unix_share /mnt/unix_share
    mount: block device server.bu.edu:/vol/unix_share is write-protected, mounting read-only
    mount: cannot mount block device server.bu.edu:/vol/unix_share read-only

    Mounting without the -o sec=krb5 works fine.

    Here's where I need help... I get the following suspicious messages in
    /var/log/messages:

    May 20 11:04:43 client rpc.gssd[6442]: WARNING: Cannot find KDC for
    requested realm while getting initial ticket for principal
    'nfs/client.bu.edu@AD.BU.EDU' from keytab 'FILE:/etc/krb5.keytab'

    and

    May 20 11:04:43 client rpc.gssd[6442]: WARNING: Failed to obtain
    machine credentials for connection to server server.bu.edu

    The first one is weird as I have krb5.conf set up, have joined the domain
    with samba, and can kinit an AD account just fine.

    I've googled these errors with no luck. I'm also working with nfsv4 and
    netapp people on it, but I thought I would give this list a try as well.

    Anyone have any ideas?

    Thanks!

    -Jeff


    -----------------------------------------------------------
    Jeffrey Albro | Systems Administrator | Boston University
    - Department of Electrical and Computer Engineering -
    jalbro@bu.edu | Photonics, Room 305 | 617-358-2785
    -----------------------------------------------------------


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Linux client kerberos problem with attempted nfsv4 connection...

    Hi,

    > May 20 11:04:43 client rpc.gssd[6442]: WARNING: Cannot find KDC for
    > requested realm while getting initial ticket for principal
    > 'nfs/client.bu.edu@AD.BU.EDU' from keytab 'FILE:/etc/krb5.keytab'


    The above error could be a key to the problem. Can you please post the
    krb5.conf? Also verify that the KDC is being resolved correctly to its
    fully qualified domain name.

    = Ram Marti




  3. Re: Linux client kerberos problem with attempted nfsv4 connection...



    Here is the krb5.conf file:

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        ticket_lifetime = 36000
        default_realm = AD.BU.EDU
        dns_lookup_realm = false
        dns_lookup_kdc = false

    [realms]
        AD.BU.EDU = {
            kdc = adc1.bu.edu
            admin_server = ad.bu.edu
        }

        BU.EDU = {
            kdc = kerberos1.bu.edu:750
            kdc = kerberos2.bu.edu:750
            kdc = kerberos3.bu.edu:750
            admin_server = kerberos1.bu.edu
            default_domain = bu.edu
        }

        bu.edu = {
            kdc = kerberos1.bu.edu
            kdc = kerberos2.bu.edu
            kdc = kerberos3.bu.edu
            admin_server = kerberos1.bu.edu
        }

    [domain_realm]
        .bu.edu = bu.edu
        bu.edu = bu.edu
        server.bu.edu = AD.BU.EDU

    [kdc]
        profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
            ignore_afs = true
            minimum_uid = 3000
        }

    ###############################

    When I comment out these lines:

    #dns_lookup_realm = false
    #dns_lookup_kdc = false

    the messages change to:

    May 23 16:21:58 client rpc.gssd[6442]: Using keytab file
    '/etc/krb5.keytab'
    May 23 16:21:58 client rpc.gssd[6442]: WARNING: Client not found in
    Kerberos database while getting initial ticket for principal
    'nfs/client.bu.edu@AD.BU.EDU' from keytab 'FILE:/etc/krb5.keytab'
    May 23 16:21:58 client rpc.gssd[6442]: ERROR: No usable machine
    credentials obtained
    May 23 16:21:58 client rpc.gssd[6442]: WARNING: Failed to obtain machine
    credentials for connection to server server.bu.edu

    Sooo.... It seems I have something screwed up with the keytab and realm.

    -Jeff


    On Fri, 20 May 2005, Lord of the Union wrote:

    > Hi,
    >
    > > May 20 11:04:43 client rpc.gssd[6442]: WARNING: Cannot find KDC for
    > > requested realm while getting initial ticket for principal
    > > 'nfs/client.bu.edu@AD.BU.EDU' from keytab 'FILE:/etc/krb5.keytab'

    >
    > The above error could be a key to the problem. Can you please post the
    > krb5.conf? Also verify that the KDC is being resolved correctly to its
    > fully qualified domain name.
    >
    > = Ram Marti
    >

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
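
An added example, not part of the thread: a small Python check of what the posted krb5.conf tells the Kerberos library about the realm in the keytab principal and about the client and server host names. The parser and the function names are written for this illustration; the [domain_realm] lookup order (exact host name, then each parent domain) is assumed to match MIT krb5's.

```python
# Added example. KRB5_CONF is a trimmed copy of the file posted in the thread.
KRB5_CONF = """
[realms]
AD.BU.EDU = {
 kdc = adc1.bu.edu
}
bu.edu = {
 kdc = kerberos1.bu.edu
}
[domain_realm]
.bu.edu = bu.edu
bu.edu = bu.edu
server.bu.edu = AD.BU.EDU
"""

def parse(text):
    """Return ({realm: [kdc, ...]}, {host_or_domain: realm})."""
    realms, domain_realm, section, realm = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section, realm = line.strip("[]"), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
            elif section == "domain_realm":
                domain_realm[key.lower()] = value
    return realms, domain_realm

def host_realm(host, domain_realm):
    """Try the exact host name, then each parent domain (".bu.edu", "bu.edu", ...)."""
    name = host.lower()
    while name:
        if name in domain_realm:
            return domain_realm[name]
        name = name[1:] if name[0] == "." else name[name.find("."):] if "." in name else ""
    return None

def check(principal, server, text=KRB5_CONF):
    service_host, princ_realm = principal.rsplit("@", 1)
    realms, domain_realm = parse(text)
    return {"kdcs_for_principal_realm": realms.get(princ_realm, []),
            "client_host_realm": host_realm(service_host.split("/", 1)[1], domain_realm),
            "server_host_realm": host_realm(server, domain_realm)}
if __name__ == "__main__": print(check("nfs/client.bu.edu@AD.BU.EDU", "server.bu.edu"))
```

Realm names are case-sensitive, so the `bu.edu` realm that `client.bu.edu` maps to is a different realm from `AD.BU.EDU` in the keytab principal. With `dns_lookup_kdc = false`, the only KDC the library can use for `AD.BU.EDU` is the one listed under `[realms]`.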

