From: "Jason D. McCormick" <jason@devrandom.org>
To: nfs@lists.sourceforge.net
Subject: Linux NFSv4 Server and Client using Windows 2K3 AD/KDC
Date: Wed, 31 Oct 2007 22:26:00 -0400
Message-ID: <47293938.4010407@devrandom.org>

Hello All,

  I'm trying to set up a Linux NFSv4 server and client using Windows 2K3
AD as the KDC (Domain/Realm is AD.EXAMPLE.ORG).  I've successfully set
this up using MIT Kerberos before so the problems appear to be with the
Windows KDC portion of the setup.  I'm not sure this is supported with
Linux clients and servers -- most of the reading I see using Windows
KDCs is using NetApp filers.

  When attempting to mount the NFS export with '-o sec=krb5', I get a
timeout and an eventual failure to mount.  Running the client's rpc.gssd
in the foreground with verbose logging yields:

WARNING: Failed to create krb5 context for user with uid 0 for server
nfs-server.example.com
WARNING: Failed to create krb5 context for user with uid 0 with
credentials cache FILE:/tmp/krb5cc_machine_AD.EXAMPLE.COM for server
nfs-server.example.com
WARNING: Failed to create krb5 context for user with uid 0 with any
credentials cache for server nfs-server.example.com

Running the server's rpc.svcgssd in the foreground with verbose logging
yields:

handling null request
WARNING: gss_accept_sec_context failed
ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context():
Miscellaneous failure - Key table entry not found
WARNING: failed to write message

I see it claims there's no key table entry found, but from looking at
the message output in '-vvvv' it appears to be asking for
nfs/nfs-server.example.com@AD.EXAMPLE.COM like I would expect.  I have
the domain_realm mappings configured correctly ({,.}example.com =
AD.EXAMPLE.COM), the nfs/host principals stashed correctly in
/etc/krb5.keytab, they are using des-cbc-crc and I can use them
perfectly with a 'kinit -k nfs/host@REALM' command.  On the server, for
example:

# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------------------------------
   3 host/nfs-server.example.com@AD.EXAMPLE.COM (DES cbc mode with
     CRC-32)
   3 nfs/nfs-server.example.com@AD.EXAMPLE.COM (DES cbc mode with
     CRC-32)

I've read a lot of the usual places like Mike Eisler's blog and mailing
list and I've not found anything like what I'm experiencing (or else I'm
not searching on the right terms).

Anyone able to help?  I've tried a couple of different versions of
nfs-utils to see if there's an incompatibility and I've run into the
same problem with all of them.

Thanks.

-- Jason
