search for: svcgssd

...ot;no" c. RPCNFSDARGS="-N 2 -N 3 -U" d. SECURE_NFS = "yes" 10) /etc/init.d/portmap start; /etc/init.d/rpcidmapd start; /etc/init.d/nfs start - (Performed on NFS server) 11) And I receive the following output when the nfs service starts: a. Starting RPC svcgssd: FAILED b. Starting NFS Services: OK c. Starting NFS quotas: OK d. Starting NFS daemon: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory e. NFSD: starting 90-second grace period f. Starting NFS mountd: OK 12) I then checked /var/log/message...

...PAC inclusion via the userAccountControl attribute to make kerberised NFSv4 work correctly. You /sometimes/ find that testing with a user who is a member of as close to no groups as possible works in this case, but users in many groups fail. I'm not convinced your comment about having to run svcgssd on clients is enforced due to CentOS in it scripts, but it shouldn't cause any bother as you say. I can't check right now. Jh Steve Thompson <smt at vgersoft.com> wrote: On Thu, 20 Jun 2013, steve wrote: Thanks for your reply! I am really pulling my hair out over this one, and I...

...PAC inclusion via the userAccountControl attribute to make kerberised NFSv4 work correctly. You /sometimes/ find that testing with a user who is a member of as close to no groups as possible works in this case, but users in many groups fail. I'm not convinced your comment about having to run svcgssd on clients is enforced due to CentOS in it scripts, but it shouldn't cause any bother as you say. I can't check right now. Jh Steve Thompson <smt at vgersoft.com> wrote: On Thu, 20 Jun 2013, steve wrote: Thanks for your reply! I am really pulling my hair out over this one, and I...

...with appropiate data): net -U gaio ads keytab add NFS/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT -k done that, effectively the file /etc/krb5.keytab on server and client got created, with something that seems a 'key'. c) i've enabled, as stated by wiki and you, Louis, the IDMAP and GSSD/svcgssd on cliend and server as requested. OK, good start. But doing that i got: root at vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /home mount.nfs4: an incorrect mount option was specified After restarting the client, now i got: root at vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /hom...

I ran yum update on a CentOS 6.0 machine against the CR repository and noticed that the nfs-utils-lib update broke my rcp.idmap settings: rpc.idmapd: libnfsidmap: processing 'Method' list rpc.idmapd: libnfsidmap: Unable to get init function: /usr/lib64/libnfsidmap/umich_ldap.so: undefined symbol: libnfsidmap_plugin_init rpc.idmapd: libnfsidmap: requested translation method,

...sr/local/bin/foo" # # # Optional arguments passed to rpc.idmapd. See rpc.idmapd(8) #RPCIDMAPDARGS="" # # Set to turn on Secure NFS mounts. #SECURE_NFS="yes" # Optional arguments passed to rpc.gssd. See rpc.gssd(8) #RPCGSSDARGS="" # Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8) #RPCSVCGSSDARGS="" # # To enable RDMA support on the server by setting this to # the port the server should listen on #RDMA_PORT=20049 And rpcinfo -p: program vers proto port service 100000 4 tcp 111 portmapper 100000 3 tcp 111 portmap...

...script executes. nfs_config=/etc/sysconfig/nfs << does not exist. mkdir -p /run/sysconfig { echo PIPEFS_MOUNTPOINT=/run/rpc_pipefs echo RPCNFSDARGS=\"$RPCNFSDOPTS ${RPCNFSDCOUNT:-8}\" echo RPCMOUNTDARGS=\"$RPCMOUNTDOPTS\" echo STATDARGS=\"$STATDOPTS\" echo RPCSVCGSSDARGS=\"$RPCSVCGSSDOPTS\" } > /run/sysconfig/nfs-utils Im thinking.. Should nfs_config= not be /run/sysconfig/nfs-utils ? Im not really sure here. What you can try/do also systemctl edit --full rpc-gssd.service A copy is made of rpc-gssd.service and placed in /etc/systemd And...

...nfs-config contains : ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh And the nfs-utils_env.sh contains : [ -r /etc/default/nfs-common ] && . /etc/default/nfs-common [ -r /etc/default/nfs-kernel-server ] && . /etc/default/nfs-kernel-server ;-) And /lib/systemd/system/rpc-svcgssd.service Contains: ConditionPathExists=/etc/krb5.keytab Thats all ok. All i did for the server was systemctl enable nfs-server And for the client systemctl enable nfs-client After the setup, all other servers start if needed based on the settings in /etc/default/nfs-common and/or /etc/default/n...

...to_local) rule for the principal names to local user names. All is quite simple, if you know the fact. Only with that you get kerberized services running. On Debian 9 file server (member server of the domain) I was not able to get NFS4 with Kerberos working until I changed from the default rpc.svcgssd to gssproxy for the NFS service. The first was working for subdomain user, but in case of parent domain user the rpc.svcgssd process got to 100% CPU load and a soft lockup of the kernel. With gsproxy and no other changes all is fine. These few things took me a lot of time. Andreas Am 19.01.2...

...lv.conf: Invalid argument Feb 5 08:41:48 pi4b avahi-daemon[340]: socket() failed: Address family not supported by protocol Need something, i dont know but reduce the resolv.conf to search some.dom.tld nameserver ip_ad_dc1 nameserver ip_ad_dc2 nameserver ip_internet_DNS Feb 5 08:41:48 pi4b rpc.svcgssd[320]: unable to obtain root (machine) credentials Feb 5 08:41:48 pi4b rpc.svcgssd[320]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab? Your missing the nfs SPNs in the keytab file but, i dont know if you use it. So above point are or might not probl...

...the members? > > > > What is the output of : > > dig -x $(hostname -i) > > Still i'm using the old domain DNS for (back)resolving, so reverse > point to old address (vdmpp2.pp.lnf.it). > Clearly, i've addedd in /etc/hosts relevant record, and added to > svcgssd the option '-p nfs/vdmpp1.ad.fvg.lnf.it' thatm, AFAI've > understood, fix that. Fixed? Yes and no, this is (still) one of you problems. All servers, in this case the DCs and vdmpp1 vdmpp2 need to know the correct hostnames and ip. And the members must have the resolving correctly...

...alling and reinstalling all the stuff? I'll think a bit about this for you so you can fix it without removeing it all. I'll re-read the thread again tomorrow and let you know. > > > I've stopped and run by hand /usr/sbin/rpc.gssd with '-vvv' > and /usr/sbin/rpc.svcgssd > with '-vvv -p nfs/vdmpp1.ad.fvg.lnf.it' (/etc/default/nfs-* parameters > variables seems are ignored) and still /usr/sbin/rpc.svcgssd write no > log, and thsi seeems strage o me... Wel, the sys option is not kerberize so seems logical to me you dont see thing in the log now....

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi All, I've got a problem with kerberoized NFS server , i can't start rpc.svcgssd daemon on my server. shaver ~ # rpc.svcgssd -fvvv ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No principal in keytab matches desired name Unable to obtain credentials for 'nfs' unable to obtain root (machine) credentials...

...(des-cbc-md5) 2 nfs/abbott at TITAN.TEST.CORNELL.EDU (arcfour-hmac) 2 nfs/abbott at TITAN.TEST.CORNELL.EDU (aes128-cts-hmac-sha1-96) 2 nfs/abbott at TITAN.TEST.CORNELL.EDU (aes256-cts-hmac-sha1-96) In /etc/sysconfig/nfs, SECURE_NFS=yes on all clients and servers, and rpc.gssd and rpc.svcgssd are running (although no need for the latter on the clients). The NFSv4 server exports with sec=sys:krb5 (and as I said, NFSv4 works fine without krb5, so I believe the exports file to be correct). But when I try to mount, I get the catch-all error: # mount -t nfs4 -o sec=krb5 costello.test...

...(des-cbc-md5) 2 nfs/abbott at TITAN.TEST.CORNELL.EDU (arcfour-hmac) 2 nfs/abbott at TITAN.TEST.CORNELL.EDU (aes128-cts-hmac-sha1-96) 2 nfs/abbott at TITAN.TEST.CORNELL.EDU (aes256-cts-hmac-sha1-96) In /etc/sysconfig/nfs, SECURE_NFS=yes on all clients and servers, and rpc.gssd and rpc.svcgssd are running (although no need for the latter on the clients). The NFSv4 server exports with sec=sys:krb5 (and as I said, NFSv4 works fine without krb5, so I believe the exports file to be correct). But when I try to mount, I get the catch-all error: # mount -t nfs4 -o sec=krb5 costello.test...

...s restart Shutting down NFS mountd: [ OK ] Shutting down NFS daemon: [ OK ] Shutting down NFS quotas: [ OK ] Shutting down NFS services: [ OK ] Shutting down RPC svcgssd: [ OK ] Starting RPC svcgssd: [ OK ] Starting NFS services: [ OK ] Starting NFS quotas: [ OK ] Starting NFS daemon:...

...pc.idmapd][checksum][c2e1487fa3a2b3c6920113794aa736cda1afbc23][f64318ecfebef5d775817c31f7125cd24e6c18fe] [206][server][cmp][/usr/sbin/rpc.idmapd][inode][26225][21340] [213][server][cmp][/usr/sbin/rpc.idmapd][ctime][Thu Jun 29 21:43:56 2006][Sat Aug 12 04:02:23 2006] [204][server][cmp][/usr/sbin/rpc.svcgssd][checksum][057aba4745e26e079cdcf3e25ff758a8fe8b99ac][6b5dbe025fee9c33e36143d7b77cd53a60395028] [206][server][cmp][/usr/sbin/rpc.svcgssd][inode][26814][25042] [213][server][cmp][/usr/sbin/rpc.svcgssd][ctime][Thu Jun 29 21:43:50 2006][Sat Aug 12 04:02:21 2006] [204][server][cmp][/usr/sbin/saslauthd][...

...[mailto:samba-bounces at lists.samba.org] Namens > Andreas Hauffe via samba > Verzonden: woensdag 10 oktober 2018 12:43 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] NFSv4, homes, Kerberos... > > Hi, > > just a hint. In our case it was impossible to use the rpc.svcgssd > service for kerberized nfs4, due to a bug (our server OS: > Debian 9). We > got some kind of kernel panic on the server, when a client mounted an > kerberized nfs4 export. So we are using the "gssproxy" > package right now. > > see https://bugs.launchpad.net/u...

...ocal/bin/foo" # # # Optional arguments passed to rpc.idmapd. See rpc.idmapd(8) #RPCIDMAPDARGS="" # # Set to turn on Secure NFS mounts. #SECURE_NFS="yes" # Optional arguments passed to rpc.gssd. See rpc.gssd(8) #RPCGSSDARGS="-vvv" # Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8) #RPCSVCGSSDARGS="-vvv" # Don't load security modules in to the kernel #SECURE_NFS_MODS="noload" # # Don't load sunrpc module. #RPCMTAB="noload" # [root at inf1 /]# cat /etc/idmapd.conf [General] Verbosity = 9 Pipefs-Directory = /var/lib/n...

...er the server is getting a TGT nor the > client a TGS ... > > Am I doing anything wrong? Is that beahaviour intentional? Getting NFSv4 + Kerberos to work with an $"Active Directory" KDC can be quite tricky. To track down the problem, you should run rpc.gssd (on client) and rpc.svcgssd (on server) with "-v -v -v". This might give you some more hints where to look. You can read about the servicePrincipalNames your NFS client uses in the man page of rpc.gssd: <HOSTNAME>$@<REALM> root/<hostname>@<REALM> nfs/<hos...