George Mamalakis
2010-03-01 15:58:51 UTC
Hi everybody,
I am running arch-linux and I am trying to mount an nfs4 exported
filesystem (from an opensolaris box) using sec=krb5. nfs-utils and
nfsidmap are installed in my clients as well as rpcbind. I subscribed to
arch-linux forums and asked this question, but it's been five days since
then, and nobody has answered/asked anything by now; so I figured out
that it might be wise to ask this list too. Here is how it goes:

# uname -a
Linux linuxclient.example.com 2.6.30-ARCH #1 SMP PREEMPT Fri Jul 31
18:10:38 UTC 2009 i686 Intel(R) Xeon(R) CPU E5310 @ 1.60GHz GenuineIntel
GNU/Linux

I followed the article of nfs4 arch-wiki to prepare my clients, but
whenever I try to mount the exported filesystem I get the following error:

# mount -tnfs4 -orw,sec=krb5 solaris.example.com:/export/homes /mnt
mount.nfs4: Broken pipe

and rpc.gssd dies.

In /var/log/deamon.log I got:
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: New client: 12
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt12)
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: handle_gssd_upcall:
'mech=krb5 uid=0 '
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: handling krb5 upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt12)
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: process_krb5_upcall: service
is '<null>'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Full hostname for
'solaris.example.com' is 'solaris.example.com'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Full hostname for
'linuxclient.example.com' is 'linuxclient.example.com'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Failed to find
root/linuxclient.example.com at EXAMPLE.COM in keytab FILE:/etc/krb5.keytab
(null) while getting keytab entry for
'root/linuxclient.example.com at EXAMPLE.COM'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Success getting keytab entry
for 'nfs/linuxclient.example.com at EXAMPLE.COM'
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: New client: 13
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: Opened
/var/lib/nfs/rpc_pipefs/nfs/clnt12/idmap
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Successfully obtained
machine credentials for principal
'nfs/linuxclient.example.com at EXAMPLE.COM' stored in ccache
'FILE:/tmp/krb5cc_machine_EXAMPLE.COM'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1267241606
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: using
FILE:/tmp/krb5cc_machine_EXAMPLE.COM as credentials cache for machine creds
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: using gss_krb5_ccache_name
to select krb5 ccache FILE:/tmp/krb5cc_machine_EXAMPLE.COM
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: creating context using fsuid
0 (save_uid 0)
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: creating tcp client for
server solaris.example.com
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: DEBUG: port already set to 2049
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: creating context with server
nfs at solaris.example.com
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: Stale client: 13
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: -> closed
/var/lib/nfs/rpc_pipefs/nfs/clnt13/idmap
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: Stale client: 12
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: -> closed
/var/lib/nfs/rpc_pipefs/nfs/clnt12/idmap

In order to restart nfs-common I had to pkill rpc.idmapd first, and then
execute /etc/rc.d/nfs-common start, otherwise it refused to start/restart.

More info about my configuration:

- On my linux box:
# ktutil list
FILE:/etc/krb5.keytab:
Vno Type Principal Aliases
1 des-cbc-md5 nfs/linuxclient.example.com at EXAMPLE.COM
1 des-cbc-md4 nfs/linuxclient.example.com at EXAMPLE.COM
1 des-cbc-crc nfs/linuxclient.example.com at EXAMPLE.COM
1 aes256-cts-hmac-sha1-96 nfs/linuxclient.example.com at EXAMPLE.COM
1 des3-cbc-sha1 nfs/linuxclient.example.com at EXAMPLE.COM
1 arcfour-hmac-md5 nfs/linuxclient.example.com at EXAMPLE.COM
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: mamalos at EXAMPLE.COM
Issued Expires Principal
Feb 26 19:19:00 Feb 27 05:19:00 krbtgt/EXAMPLE.COM at EXAMPLE.COM
# cat /etc/idmapd.conf:
[General]
Verbosity = 3
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch

- On my opensolaris box:
# share -F nfs /export/homes -osec=krb5
# cat /etc/dfs/sharetab
/export/homes - nfs sec=krb5,rw
# share -F nfs /export/homes -osec=krb5
# cat /etc/dfs/sharetab
/export/homes - nfs sec=krb5,rw
# ktutil
ktutil: rkt /etc/krb5/krb5.keytab
ktutil: l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
1 1 nfs/solaris.example.com at EXAMPLE.COM
2 1 nfs/solaris.example.com at EXAMPLE.COM
3 1 nfs/solaris.example.com at EXAMPLE.COM
4 1 nfs/solaris.example.com at EXAMPLE.COM
5 1 nfs/solaris.example.com at EXAMPLE.COM
6 1 nfs/solaris.example.com at EXAMPLE.COM

Does anybody know what I should do in order to mount this filesystem
using the aforementioned options?

Thank you all in advance.

--
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
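
An added example, not part of the original post: a small Python triage script for rpc.gssd syslog output like the excerpt above. It joins the mail-wrapped continuation lines, then reports which keytab lookups failed or succeeded and the last step rpc.gssd logged before it went quiet. The sample lines are constructed in the shape of the posted log; the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the daemon.log excerpt in the post,
# including the wrapped continuation lines.
SAMPLE = """\
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt12)
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Failed to find
root/linuxclient.example.com at EXAMPLE.COM in keytab FILE:/etc/krb5.keytab
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Success getting keytab entry
for 'nfs/linuxclient.example.com at EXAMPLE.COM'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: creating context with server
nfs at solaris.example.com
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: Stale client: 12
"""

# "Mon DD HH:MM:SS host daemon[pid]: message" marks the start of a record.
HEAD = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")


def parse(text):
    """Join wrapped continuation lines; return (daemon, pid, message) tuples."""
    records = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            records.append([m.group(3), int(m.group(4)), m.group(5).strip()])
        elif records and line.strip():
            # No syslog header: this line continues the previous record.
            records[-1][2] += " " + line.strip()
    return [tuple(r) for r in records]


def gssd_summary(text):
    """Summarise keytab lookups and the last step rpc.gssd logged."""
    msgs = [msg for daemon, _, msg in parse(text) if daemon == "rpc.gssd"]
    return {
        "failed": [m for m in msgs if m.startswith("Failed to find")],
        "keytab_ok": [m for m in msgs if m.startswith("Success getting keytab entry")],
        "last_step": msgs[-1] if msgs else None,
    }


if __name__ == "__main__":
    for key, value in gssd_summary(SAMPLE).items():
        print(key, "->", value)
```

On the sample, the last rpc.gssd step is the GSS context creation with the server, which comes after the keytab lookup for the nfs/ principal succeeded.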