Displaying 20 results from an estimated 59 matches for "gssd".
2014 Sep 23
2
NFS4 with samba4 AD for authentication
...t expertise. I'm trying to
setup a file server (nfs4 at ad.domain) and mount from a client
(hunin at ad.domain) using the user database and especially Kerberos
provided by my AD (samba at ad.domain).
It already works nicely, if I forget about krb5, i.e. idmapd is working
straight.
Running gssd -vvv yields the following messages in /var/log/syslog:
Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
0xbfad367c data 0xbfad36fc
Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
0xbfad367c data 0xbfad36fc
Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify...
2016 Mar 31
5
NFSv4 / Krb / wildcard in keytab
...mp/wildcardnfs.keytab:
Vno Type Principal Aliases
1 des-cbc-crc host/*@IF.UJF-GRENOBLE.FR
1 des-cbc-md5 host/*@IF.UJF-GRENOBLE.FR
1 arcfour-hmac-md5 host/*@IF.UJF-GRENOBLE.FR
I put this keytab on my client (name is bataille) and restart rpc.gssd -vvvv
I try to mount NFS and in my client log, I have :
Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for
root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab
entry for 'root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille...
2016 Mar 31
0
NFSv4 / Krb / wildcard in keytab
...no Type Principal Aliases
> 1 des-cbc-crc host/*@IF.UJF-GRENOBLE.FR
> 1 des-cbc-md5 host/*@IF.UJF-GRENOBLE.FR
> 1 arcfour-hmac-md5 host/*@IF.UJF-GRENOBLE.FR
>
>
> I put this keytab on my client (name is bataille) and restart rpc.gssd
> -vvvv
>
> I try to mount NFS and in my client log, I have :
> Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for
> root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab
> entry for 'root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR...
2016 Mar 31
0
NFSv4 / Krb / wildcard in keytab
...ype Principal Aliases
> 1 des-cbc-crc host/*@IF.UJF-GRENOBLE.FR
> 1 des-cbc-md5 host/*@IF.UJF-GRENOBLE.FR
> 1 arcfour-hmac-md5 host/*@IF.UJF-GRENOBLE.FR
>
>
> I put this keytab on my client (name is bataille) and restart rpc.gssd -
> vvvv
>
> I try to mount NFS and in my client log, I have :
> Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for
> root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab
> entry for 'root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR...
2016 Dec 02
4
Samba and kerberized NFSv4
...shedName: CN=client02,CN=Computers,DC=dom,DC=lab
### mount command on client02.domain.tld:
# mount -t nfs4 -o sec=krb5 server01.domain.tld:/export/home /mnt
mount.nfs4: access denied by server while mounting server01.domain.tld:/export/home
### syslog on the client:
Dec 2 08:01:48 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec 2 08:01:48 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Dec 2 08:01:48 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec 2 08:01:48 cli...
2016 Mar 31
3
NFSv4 / Krb / wildcard in keytab
...Aliases
>> 1 des-cbc-crc host/*@IF.UJF-GRENOBLE.FR
>> 1 des-cbc-md5 host/*@IF.UJF-GRENOBLE.FR
>> 1 arcfour-hmac-md5 host/*@IF.UJF-GRENOBLE.FR
>>
>>
>> I put this keytab on my client (name is bataille) and restart
>> rpc.gssd -vvvv
>>
>> I try to mount NFS and in my client log, I have :
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for
>> root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab
>> entry for 'root/bataille.ujf-grenoble.fr at IF.UJ...
2016 Dec 02
0
Samba and kerberized NFSv4
...C=dom,DC=lab
>
> ### mount command on client02.domain.tld:
> # mount -t nfs4 -o sec=krb5 server01.domain.tld:/export/home /mnt
> mount.nfs4: access denied by server while mounting server01.domain.tld:/export/home
>
>
> ### syslog on the client:
> Dec 2 08:01:48 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
> Dec 2 08:01:48 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
> Dec 2 08:01:48 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
> Dec...
2016 Nov 28
2
Samba and kerberized NFSv4
Hi Folks
I'm trying to share user home directories hosted on a Samba-4 member
server via NFSv4. Everything's working well with the Windows shares but
when it comes to kerberized NFSv4 it fails. I can't even mount the home
root directory via nfs on the server itself ("mount.nfsv4: access denied
by server while mounting ...").
As far as I have tracked it down, it appears to
2018 Oct 23
2
Again NFSv4 and Kerberos at the 'samba way'...
...ver, with appropriate data):
net -U gaio ads keytab add NFS/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT -k
done that, effectively the file /etc/krb5.keytab on server and client
got created, with something that seems a 'key'.
c) I've enabled, as stated by wiki and you, Louis, the IDMAP and GSSD/svcgssd
on client and server as requested.
OK, good start. But doing that I got:
root at vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /home
mount.nfs4: an incorrect mount option was specified
After restarting the client, now I got:
root at vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/h...
2018 Oct 24
5
Again NFSv4 and Kerberos at the 'samba way'...
...: klist
That should show :
Default principal: nfs/hostname.internal.domain.tld at REALM.TLD
kdestroy
( getting close to the point of your problem, Marco .. )
And this is still mostly the NFS server part.
>
>
> c) I've enabled, as stated by wiki and you, Louis, the IDMAP
> and GSSD/svcgssd
> on client and server as requested.
>
Good, that's needed also. No comments here.
So far all good.
>
> OK, good start. But doing that I got:
>
> root at vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /home
> mount.nfs4: an incorrect mount option was specified
Ah...
2018 Oct 25
0
Again NFSv4 and Kerberos at the 'samba way'...
...configuration on /etc/default/nfs-common and /etc/idmapd.conf, but:
>
> root at vdmpp2:~# systemctl unmask nfs-common
> root at vdmpp2:~# systemctl start nfs-common
> Failed to start nfs-common.service: Unit
> nfs-common.service is masked.
>
> there's no /usr/sbin/rpc.gssd run, only idmap. Mount fail:
>
> root at vdmpp2:~# mount -t nfs4 -o sec=krb5
> vdmpp1.ad.fvg.lnf.it:/home /home
> mount.nfs4: an incorrect mount option was specified
And if you test with
mount -t nfs4 -o sec=sys vdmpp1.ad.fvg.lnf.it:/home /home
Or
mount -t nfs4 -o sec=krb5,vers=4...
2012 Aug 22
0
Winbind/AD/NFSv4: can't `ls/cd` private directory?
...3 nfs/NFSSERVER at AD.EXAMPLE.COM (des-cbc-crc)
3 nfs/NFSSERVER at AD.EXAMPLE.COM (des-cbc-md5)
3 nfs/NFSSERVER at AD.EXAMPLE.COM (arcfour-hmac)
(same `klist -ke` output on the client, too)
[2] The syslog output from the same problem, but when mounted -o sec=krb5/i/p:
nfsclient rpc.gssd[10256]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1b)
nfsclient rpc.gssd[10256]: handle_gssd_upcall: 'mech=krb5 uid=56055 enctypes=18,17,16,23,3,1,2 '
nfsclient rpc.gssd[10256]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1b)
nfsclient rpc.gssd[10256]: process_krb5_upc...
2018 May 17
0
C 7, selinux, and rpc.gssd
Folks,
As systems are upgraded, we're getting a ton of complaints
(fortunately, we're in permissive mode) that would break everything.
All of them involve rpc.gssd, and I see a number of bugs listed when I
search.
Note that I first saw this on a RHEL system, but now I'm seeing it on
CentOS 7. I'm bringing it up here, because, given that there are
multiple reported, that there's some bigger picture involving policy
and rpc.gssd.
I'll...
2012 Apr 23
2
Windows 2008R2 AD, kerberos, NFSv4
...with "idmap config MYCOMPANY: backend = rid"
so we have identical ids across the servers.)
I can mount my test directory fine via NFSv4 *without* the sec=krb5 option.
However, once I put the sec=krb5 option in, then I get a mount error:
"mount.nfs4: Permission denied" and rpc.gssd reports: "Failed to obtain
machine credentials for connection to server"
The computers have an AD computer account and for the service-principal, I
created an AD user account "nfsHostname" and mapped the UPN e.g. NFS/
hostname.mycompany.tv at MYCOMPANY.TV to it using ktpass.
T...
2018 Nov 06
0
Again NFSv4 and Kerberos at the 'samba way'...
...ipt executes.
nfs_config=/etc/sysconfig/nfs << does not exist.
mkdir -p /run/sysconfig
{
echo PIPEFS_MOUNTPOINT=/run/rpc_pipefs
echo RPCNFSDARGS=\"$RPCNFSDOPTS ${RPCNFSDCOUNT:-8}\"
echo RPCMOUNTDARGS=\"$RPCMOUNTDOPTS\"
echo STATDARGS=\"$STATDOPTS\"
echo RPCSVCGSSDARGS=\"$RPCSVCGSSDOPTS\"
} > /run/sysconfig/nfs-utils
I'm thinking..
Should nfs_config= not be /run/sysconfig/nfs-utils ?
I'm not really sure here.
What you can try/do also
systemctl edit --full rpc-gssd.service
A copy is made of rpc-gssd.service and placed in /etc/systemd
And...
2018 Oct 31
12
Again NFSv4 and Kerberos at the 'samba way'...
...-config
contains : ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh
And the nfs-utils_env.sh contains :
[ -r /etc/default/nfs-common ] && . /etc/default/nfs-common
[ -r /etc/default/nfs-kernel-server ] && . /etc/default/nfs-kernel-server
;-)
And
/lib/systemd/system/rpc-svcgssd.service
Contains: ConditionPathExists=/etc/krb5.keytab
That's all OK.
All I did for the server was systemctl enable nfs-server
And for the client systemctl enable nfs-client
After the setup, all other servers start if needed based on the settings in
/etc/default/nfs-common and/or /etc/default/n...
2013 Jun 05
3
Samba4 and NVSv4
...T.CORNELL.EDU (des-cbc-md5)
2 nfs/abbott at TITAN.TEST.CORNELL.EDU (arcfour-hmac)
2 nfs/abbott at TITAN.TEST.CORNELL.EDU (aes128-cts-hmac-sha1-96)
2 nfs/abbott at TITAN.TEST.CORNELL.EDU (aes256-cts-hmac-sha1-96)
In /etc/sysconfig/nfs, SECURE_NFS=yes on all clients and servers, and
rpc.gssd and rpc.svcgssd are running (although no need for the latter on
the clients). The NFSv4 server exports with sec=sys:krb5 (and as I said,
NFSv4 works fine without krb5, so I believe the exports file to be
correct).
But when I try to mount, I get the catch-all error:
# mount -t nfs4 -o sec=kr...
2013 Jun 05
3
Samba4 and NVSv4
...T.CORNELL.EDU (des-cbc-md5)
2 nfs/abbott at TITAN.TEST.CORNELL.EDU (arcfour-hmac)
2 nfs/abbott at TITAN.TEST.CORNELL.EDU (aes128-cts-hmac-sha1-96)
2 nfs/abbott at TITAN.TEST.CORNELL.EDU (aes256-cts-hmac-sha1-96)
In /etc/sysconfig/nfs, SECURE_NFS=yes on all clients and servers, and
rpc.gssd and rpc.svcgssd are running (although no need for the latter on
the clients). The NFSv4 server exports with sec=sys:krb5 (and as I said,
NFSv4 works fine without krb5, so I believe the exports file to be
correct).
But when I try to mount, I get the catch-all error:
# mount -t nfs4 -o sec=kr...
2010 Oct 21
2
Mount/automount fails with krb5-enabled nfs4
...try to mount a directory manually I get this:
# mount -vvvv -t nfs4 -o sec=krb5 \
triangulum.ifm.liu.se:/export/users/hans /mnt
mount: pinging: prog 100003 vers 4 prot tcp port 2049
mount.nfs4: Permission denied
I get this in /var/log/messages:
Oct 15 15:15:12 pc13287 rpc.gssd[2780]: rpcsec_gss:
gss_init_sec_context: (major) Unspecified GSS failure.
Minor code may provide more information - (minor) Unknown
code krb5 60
Oct 15 15:15:12 pc13287 rpc.gssd[2780]: WARNING: Failed to create
krb5 context for user with uid 0 with any creden...
2018 Nov 06
3
Again NFSv4 and Kerberos at the 'samba way'...
Hai Rowland,
Yes, that's correct.
If you use this in override.conf then it's. ( so not a copy of the service file to /etc/systemd )
systemctl edit rpc-gssd.service
[Service]
ExecStart=
ExecStart=/Your/Own/Script/script.sh
Note the empty line, without that one the override is NOT working.
Greetz,
Louis
> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Tuesday 6 November 2018 16:32
> A...