From: Julius <commercials@gmx.net>
To: Kevin Coffman <kwc@citi.umich.edu>
Cc: NFS list <linux-nfs@vger.kernel.org>
Subject: Re: nfs4 with sec=krb5, mount times out
Date: Mon, 26 Jan 2009 20:22:02 +0100
Message-ID: <1232997722.3694.2.camel@wf>
In-Reply-To: <4d569c330901261059x70913131j4dc1dec4809bc1f4-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

On Mon, 2009-01-26 at 13:59 -0500, Kevin Coffman wrote:
> On Mon, Jan 26, 2009 at 1:24 PM, Julius <commercials@gmx.net> wrote:
> > Hi,
> >
> >
> > I can mount my NFSv4 share without Kerberos security without
> > problems... /etc/fstab:
> >
> > night_crawler.localdomain.de:/music /home/metalfan/nfs4-mount   nfs4    user    0       0
> >
> >
> > but adding "sec=krb5" to the options list results in:
> >
> >
> > mount -v nfs4-mount/
> > mount.nfs4: timeout set for Mon Jan 26 15:44:05 2009
> > mount.nfs4: text-based options:
> > 'sec=krb5,clientaddr=141.x.x.x,addr=141.x.x.x
> > mount.nfs4: mount(2): Connection timed out
> >
> >
> > I read somewhere on the mailing list that only des-cbc-crc is supported
> > for nfs4; it's the only key type for my user metalfan.
> > "kinit metalfan" was run before attempting to mount.
> > I can use GSSAPI to connect to night_crawler's sshd with my local user,
> > which also does the nfs4 mount.
> >
> > krb5-kdc.log and krb5-default.log do not show any connections.
> > Where do you start troubleshooting?
> 
> First step would be to verify that rpc.gssd is running on your client
> machine, and rpc.svcgssd is running on your server machine.
> You need to generate a keytab for your server (with only a des-cbc-crc
> key).  (nfs/<f.q.h.n>@<REALM>)
> You likely need to generate a keytab for your client as well.
> 
> If all those are done, send output of rpc.gssd and rpc.svcgssd
> (running with option -vvv).
> 
> I would point you at our FAQ page, but the web server is sadly still
> down at the moment.
> 
> K.C.

The nfs/... entry was missing, so I added:
nfs/night_crawler.localdomain.de-jgXV7fHVA4Rbjp6DLoyPiQ@public.gmane.org
with des-cbc-crc as the only enc type.

But rpc.svcgssd still fails with:
ERROR: GSS-API: error in gss_acquire_cred():  No credentials were
supplied, or the credentials were unavailable or inaccessible. - unknown
mech-code 0 for mech unknown
Unable to obtain credentials for 'nfs'
unable to obtain root (machine) credentials
do you have a keytab entry for nfs/<your.host>@<YOUR.REALM>
in /etc/krb5.keytab?


Julius
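
The keytab check that the rpc.svcgssd error points to can be scripted; the following is an added example, not part of the original message or of nfs-utils. It reads a `klist -ke` listing and reports whether an nfs/<f.q.h.n>@<REALM> entry exists with des-cbc-crc as its only key, as the thread requires. The function names, the realm EXAMPLE.REALM and the sample listing are constructed, and the listing layout is assumed to be that of MIT Kerberos `klist -ke`.

```shell
#!/bin/sh
# Added example: check a `klist -ke` listing for the server keytab entry the
# thread asks for: nfs/<f.q.h.n>@<REALM> with des-cbc-crc as its only key.
# Function names, realm and sample listing are constructed for illustration.

# check_nfs_keytab FQDN   (reads the `klist -ke` listing on stdin)
# prints one of: ok | missing | no-des-cbc-crc | extra-enctypes
check_nfs_keytab() {
    awk -v want="nfs/$1@" '
        # entry lines look like: "   3 nfs/host@REALM (des-cbc-crc)"
        $1 ~ /^[0-9]+$/ && index($2, want) == 1 {
            found = 1
            enc = tolower($0)
            sub(/^[^(]*/, "", enc)      # keep only the "(enctype)" part
            # accept "des-cbc-crc" and the older "DES cbc mode with CRC-32"
            if (enc ~ /des[- ]cbc.*crc/) des = 1
            else other = 1
        }
        END {
            if (!found)     print "missing"
            else if (!des)  print "no-des-cbc-crc"
            else if (other) print "extra-enctypes"
            else            print "ok"
        }'
}

# Constructed sample listing (the realm is a placeholder, not from the thread).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/night_crawler.localdomain.de@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   3 nfs/night_crawler.localdomain.de@EXAMPLE.REALM (des-cbc-crc)
EOF
}

# Demonstration on the constructed sample. On a real server, run as root:
#   klist -ke /etc/krb5.keytab | check_nfs_keytab "$(hostname -f)"
echo "sample keytab: $(sample_listing | check_nfs_keytab night_crawler.localdomain.de)"
```

A result of `missing` corresponds to the situation the rpc.svcgssd error describes; `extra-enctypes` means the nfs principal also carries keys other than des-cbc-crc.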

