Is it possible that Samba4 includes a large PAC on the kerberos credential and
you're going over the limit in kernel? Against AD you have to disable this
PAC inclusion via the userAccountControl attribute to make kerberised NFSv4 work
correctly. You /sometimes/ find that testing with a user who is a member of as
close to no groups as possible works in this case, but users in many groups
fail.
I'm not convinced your comment about having to run svcgssd on clients is
enforced due to CentOS init scripts, but it shouldn't cause any bother as
you say. I can't check right now.
Jh
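As an added illustration of the PAC remedy mentioned above (this is not code from the thread or from Samba): the script decodes an AD/Samba4 userAccountControl value and emits the LDIF that sets the NO_AUTH_DATA_REQUIRED bit, which tells the KDC to issue that account's tickets without a PAC. Flag values are the published userAccountControl bit definitions; the DN and the sample value 66048 are constructed placeholders.

```python
# Added example (not from the thread): decode an AD/Samba4 userAccountControl
# value and produce the LDIF that sets UF_NO_AUTH_DATA_REQUIRED, the bit that
# stops the KDC from including a PAC in the user's Kerberos tickets. Without
# the PAC the NFS server resolves group membership via nsswitch instead.
# Flag names/values follow the published userAccountControl definition.

UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x02000000: "NO_AUTH_DATA_REQUIRED",
}
UF_NO_AUTH_DATA_REQUIRED = 0x02000000


def decode_uac(value: int) -> list:
    """Return the names of the set flags, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def pac_suppressed(value: int) -> bool:
    """True if the account's tickets will be issued without a PAC."""
    return bool(value & UF_NO_AUTH_DATA_REQUIRED)


def with_pac_suppressed(value: int) -> int:
    """Set only the NO_AUTH_DATA_REQUIRED bit; every other flag is preserved."""
    return value | UF_NO_AUTH_DATA_REQUIRED


def ldif_for(dn: str, current: int) -> str:
    """LDIF 'modify' that sets the flag; empty string if it is already set,
    so applying the output twice changes nothing."""
    if pac_suppressed(current):
        return ""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: userAccountControl\n"
            f"userAccountControl: {with_pac_suppressed(current)}\n")


if __name__ == "__main__":
    # Constructed sample: an ordinary enabled user, NORMAL_ACCOUNT |
    # DONT_EXPIRE_PASSWORD = 66048. The DN is a placeholder.
    dn = "CN=nfsuser,CN=Users,DC=example,DC=test"
    print(decode_uac(66048))
    print(ldif_for(dn, 66048), end="")
```

Feed the printed LDIF to your directory's modify tool after checking the decoded flags match what you expect for that account.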
Steve Thompson <smt at vgersoft.com> wrote:
On Thu, 20 Jun 2013, steve wrote:
Thanks for your reply! I am really pulling my hair out over this one, and
I don't have that much left :(
> What do you have in /etc/idmapd.conf
The content of this file is correct as far as I understand it, as it works
with NFSv3 and NFSv4 with sec=sys:
[General]
Verbosity = 0
Domain = icse.cornell.edu
Local-Realms = TITAN.TEST.CORNELL.EDU
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch
(and I have nsswitch.conf correctly configured).
Note: in my case, the value of Domain in idmapd.conf is NOT the same as
the DNS domain name. But as I understand it, as long as it is the same on
all servers and clients, this should not matter, as it is just a label. I
tried setting it to the DNS domain name, but it didn't make any
difference. And changing it on just the server and not the clients leaves
all ownerships as being nobody:nobody instead of the proper ownerships,
which is (a) expected, and (b) leads me to believe that rpc.idmapd is
working as it should. Starting rpc.idmapd with -vvv dumps the mappings to
/var/log/messages, and they are correct. In any case, clients don't all
have the same DNS domain name.
> What does ps aux | grep rpc give?
rpc 1616 0.0 0.0 18972 992 ? Ss Jun18 0:00 rpcbind
rpcuser 1649 0.0 0.0 25420 1380 ? Ss Jun18 0:00 rpc.statd
root 1678 0.0 0.0 0 0 ? S Jun18 0:00 [rpciod/0]
root 1679 0.0 0.0 0 0 ? S Jun18 0:01 [rpciod/1]
root 5789 0.0 0.0 50112 2072 ? Ss 12:06 0:00 rpc.svcgssd -vvv
root 5795 0.0 0.0 107304 276 ? Ss 12:06 0:00 rpc.rquotad
root 5799 0.0 0.0 22832 2560 ? Ss 12:06 0:00 rpc.mountd --no-nfs-version 2
root 5850 0.0 0.0 36900 1048 ? Ss 12:06 0:00 rpc.idmapd -vvv
root 8807 0.0 0.0 37340 2556 ? Ss 16:37 0:00 rpc.gssd -vvv
All the expected daemons are present, including rpc.gssd and rpc.svcgssd.
I have rpc.svcgssd running on the clients too, although it should not be
necessary there (but the CentOS init scripts don't give the option to not
start it).
> Can the user browse using nfs3?
> mount -t nfs3 -o sec=krb5 <server_fqdn>:/data /mnt
No; exactly the same result as NFSv4. But yes with sec=sys.
> Have a look at the gotchas. There's loadsa wrong info about kerberos and
> nfs4: http://linux-nfs.org/wiki/index.php/Nfsv4_configuration
That's one of the many articles that I've read (several times). I don't
see anything wrong in what I have done (btw, I don't agree that the fsid=0
export should be mode 1777, and I don't agree that your first exports
example is the proper way to do it. But in any event I have tried those
too, to no effect).
Steve
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos