Marco Gaiarin
2018-Oct-23 16:57 UTC
[Samba] Again NFSv4 and Kerberos at the 'samba way'...
Sorry, I come back to this topic in a different thread, because I'm still totally puzzled with the previous one. Louis, sorry. ;(

I've tried to start with this, that seems very simple:

https://wiki.debian.org/NFS/Kerberos

And so I've done:

a) installed 'nfs-kernel-server' on server, 'nfs-common' on client. Ok, this is easy.

b) AFAI've understood I need to create a 'principal', type 'NFS', for server and client, and store the key in the ''local keytab''. The Debian wiki suggests:

addprinc -randkey NFS/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT
ktadd NFS/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT

but in 'samba' lingo the same operation can be obtained with (run on the client and server, with appropriate data):

net -U gaio ads keytab add NFS/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT -k

Done that, effectively the file /etc/krb5.keytab on server and client got created, with something that seems a 'key'.

c) I've enabled, as stated by the wiki and you, Louis, the IDMAP and GSSD/svcgssd on client and server as requested.

OK, good start. But doing that I got:

root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /home
mount.nfs4: an incorrect mount option was specified

After restarting the client, now I get:

root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /home
mount.nfs4: access denied by server while mounting vdmpp1:/home

and in the log:

Oct 23 18:50:47 vdmpp2 kernel: [ 49.414391] FS-Cache: Loaded
Oct 23 18:50:47 vdmpp2 kernel: [ 49.453067] FS-Cache: Netfs 'nfs' registered for caching
Oct 23 18:50:47 vdmpp2 kernel: [ 49.457587] Key type dns_resolver registered
Oct 23 18:50:47 vdmpp2 kernel: [ 49.472990] NFS: Registering the id_resolver key type
Oct 23 18:50:47 vdmpp2 kernel: [ 49.472994] Key type id_resolver registered
Oct 23 18:50:47 vdmpp2 kernel: [ 49.472995] Key type id_legacy registered
Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it

Seems I have to fix my reverse resolving a bit, so I've put an entry in /etc/hosts, to test, and:

Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it

Why?!

Thanks.

-- 
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''   http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Marco Gaiarin
2018-Oct-24 09:50 UTC
[Samba] Again NFSv4 and Kerberos at the 'samba way'...
> I've tried to start with this, that seems very simple:
> https://wiki.debian.org/NFS/Kerberos

This is totally OT, but... I'm not able to restart nfs-common, because:

root@vdmpp2:~# systemctl status nfs-common
● nfs-common.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

but:

root@vdmpp2:~# systemctl unmask nfs-common
root@vdmpp2:~# systemctl enable nfs-common
Synchronizing state of nfs-common.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable nfs-common
Failed to enable unit: Unit file /lib/systemd/system/nfs-common.service is masked.

Why?!

> but in 'samba' lingo the same operation can be obtained with (run on
> the client and server, with appropriate data):
> net -U gaio ads keytab add NFS/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT -k
> Done that, effectively the file /etc/krb5.keytab on server and client
> got created, with something that seems a 'key'.

Seems that lowercase applies, eg:

net -U gaio ads keytab add nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT -k

> c) I've enabled, as stated by the wiki and you, Louis, the IDMAP and GSSD/svcgssd
> on client and server as requested.

At least server side, the reverse-resolving troubles can be solved by specifying the principal explicitly. Eg, doing that the server does not start, with error:

Oct 23 18:46:36 vdmpp1 rpc.svcgssd[4118]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No key table entry found matching nfs/@
Oct 23 18:46:36 vdmpp1 rpc.svcgssd[4118]: unable to obtain root (machine) credentials
Oct 23 18:46:36 vdmpp1 systemd[1]: rpc-svcgssd.service: Control process exited, code=exited status=1
Oct 23 18:46:36 vdmpp1 rpc.svcgssd[4118]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
Oct 23 18:46:36 vdmpp1 systemd[1]: rpc-svcgssd.service: Unit entered failed state.
Oct 23 18:46:36 vdmpp1 systemd[1]: rpc-svcgssd.service: Failed with result 'exit-code'.

but if I add to /etc/default/nfs-kernel-server:

RPCSVCGSSDOPTS="-vvv -p nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT"

now the server starts. Still the client does not connect, not even the server itself, eg, doing both:

root@vdmpp1:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /mnt

or

root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /home

leads to:

mount.nfs4: access denied by server while mounting vdmpp1.ad.fvg.lnf.it:/home

and in the log:

Oct 24 11:47:14 vdmpp1 rpc.gssd[4117]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
Oct 24 11:47:23 vdmpp2 rpc.gssd[684]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it

Still searching for a clue...

-- 
dott. Marco Gaiarin
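A small keytab check that the two posts above motivate (the gssd "no usable keytab entry" errors, and the observation that the lowercase nfs/ principal is what applies): it parses `klist -k` output and distinguishes an exact nfs/<fqdn>@<REALM> entry from a case-mismatched NFS/ entry or no entry at all. This is an added example, not code from the thread; it assumes the MIT Kerberos `klist -k` line format, and the sample keytab listing is constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread): look in a keytab listing for the
# principal rpc.gssd / rpc.svcgssd actually search for, nfs/<fqdn>@<REALM>,
# and tell an upper-case NFS/ entry (as created in the first post) apart
# from a missing one. Assumes MIT `klist -k` output: a header, then
# "KVNO principal" lines.

# Constructed sample of `klist -k /etc/krb5.keytab` on the NFS server after
# `net ads keytab add NFS/...`: the only nfs entry has the wrong case.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT
   2 NFS/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT'

# check_nfs_principal KLIST_OUTPUT FQDN REALM
# Exit status: 0 = exact nfs/FQDN@REALM present, 1 = only a case-mismatched
# entry present, 2 = no nfs entry for that host at all.
check_nfs_principal() {
    want="nfs/$2@$3"
    # Principals sit in column 2 of the data lines; header lines carry no '@'.
    principals=$(printf '%s\n' "$1" | awk '$2 ~ /@/ { print $2 }')
    if printf '%s\n' "$principals" | grep -qxF -- "$want"; then
        echo "OK: $want is in the keytab"
        return 0
    fi
    found=$(printf '%s\n' "$principals" | grep -ixF -- "$want" | head -n 1)
    if [ -n "$found" ]; then
        echo "CASE MISMATCH: keytab has $found, gssd looks up $want"
        return 1
    fi
    echo "MISSING: no nfs/ entry for $2 in the keytab"
    return 2
}

# Real use would be:
#   check_nfs_principal "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" AD.FVG.LNF.IT
# Here the constructed sample is checked instead.
check_nfs_principal "$SAMPLE_KLIST" vdmpp1.ad.fvg.lnf.it AD.FVG.LNF.IT || echo "exit status $?"
```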