On Fri, 9 Jan 2015 17:01:24 +0000 "Cicone, Anthony" anthony_cicone@troweprice.com wrote:
Hello List,
I've been working on setting up a RHEL 7.1 NFS Server to share out Kerberos mounts, using gssproxy. I have a RHEL 6.4 client that I'm trying to mount the Kerberos share on.
Here is the gssproxy.conf config on the NFS server:
(rhel7nfsclient)# more /etc/gssproxy/gssproxy.conf
[gssproxy]

[service/nfs-server]
  mechs = krb5
  socket = /run/gssproxy.sock
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/tmp/krb5cc_%U
  trusted = yes
  kernel_nfsd = yes
  euid = 0
  debug = true
I'm able to mount the share as the root user fine.
(labisilon1)# id
uid=0(root) gid=0(root) groups=0(root)
(labisilon1)# mount -o sec=krb5,vers=3 rhel7nfsclient:/nfsv3kb5 /rhel7nfsclient -vvv
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: no type was given - I'll assume nfs because of the colon
mount: spec: "rhel7nfsclient:/nfsv3kb5"
mount: node: "/rhel7nfsclient"
mount: types: "nfs"
mount: opts: "sec=krb5,vers=3"
final mount options: 'sec=krb5,vers=3'
mount: external mount: argv[0] = "/sbin/mount.nfs"
mount: external mount: argv[1] = "rhel7nfsclient:/nfsv3kb5"
mount: external mount: argv[2] = "/rhel7nfsclient"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5,vers=3"
mount.nfs: timeout set for Fri Jan  9 11:55:13 2015
mount.nfs: trying text-based options 'sec=krb5,vers=3,addr=10.68.36.149'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.68.36.149 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.68.36.149 prog 100005 vers 3 prot UDP port 20048
rhel7nfsclient:/nfsv3kb5 on /rhel7nfsclient type nfs (rw,sec=krb5,vers=3)

(labisilon1)# mount|grep nfs
rhel7nfsclient:/nfsv3kb5 on /rhel7nfsclient type nfs (rw,sec=krb5,vers=3,addr=10.68.36.149)

(labisilon1)# cd /rhel7nfsclient
(labisilon1)# touch testfile
(labisilon1)# ls
Testfile
But, when I try to access the share as a non-root user, I get the "Permission denied" error.

$ whoami
svc9u998
$ mount|grep rhel7
rhel7nfsclient:/nfsv3kb5 on /rhel7nfsclient type nfs (rw,sec=krb5,vers=3,addr=10.68.36.149)
$ cd /rhel7nfsclient
-ksh: cd: /rhel7nfsclient: [Permission denied]
Here's the error from the client gssd.

0770: 1491 335a e0fa 38e0 7d70 a7f4 f986 e173  ..3Z..8.}p.....s
0780: 23f4 5f68 af28 81d6 7494 88cb 6ae6       #._h.(..t...j.
rpcsec_gss: in authgss_marshal()
rpcsec_gss: xdr_rpc_gss_buf: encode success ((nil):0)
rpcsec_gss: xdr_rpc_gss_cred: encode success (v 1, proc 1, seq 0, svc 1, ctx (nil):0)
rpcsec_gss: in authgss_wrap()
rpcsec_gss: xdr_rpc_gss_buf: encode success (0x7fdd087945a0:1934)
rpcsec_gss: xdr_rpc_gss_init_args: encode success (token 0x7fdd087945a0:1934)
authgss_create_default: freeing name 0x7fdd08791290
WARNING: Failed to create krb5 context for user with uid 55555555 for server rhel7nfsclient.troweprice.com
WARNING: Failed to create krb5 context for user with uid 55555555 for server rhel7nfsclient.troweprice.com
doing error downcall

Seems like a client issue?
I have debugging turned on for gssproxy, but it doesn't give me much?
Jan  9 11:56:19 rhel7nfsclient rpc.gssd[3150]: Closing 'gssd' pipe for /var/lib/nfs/rpc_pipefs/nfs/clnt1ff
Jan  9 11:56:19 rhel7nfsclient rpc.gssd[3150]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1ff
Jan  9 11:56:19 rhel7nfsclient gssproxy: gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock
Just in case, what does 'getent passwd 55555555' give you on the server?
What are the permissions on the directory you try to access ?
Simo.
We're also using a product called Centrify for our Kerberos authentication.

# adinfo -C
Computer Account Diagnostics
  Joined as: labisilon1
  Trusted for Delegation: false
  Use DES Key Only: false
  Key Version: 2
  Service Principal Names: nfs/labisilon1.our.domain
                           nfs/labisilon1
                           http/labisilon1.our.domain
                           http/labisilon1
                           host/labisilon1.our.domain
                           host/labisilon1
                           ftp/labisilon1.our.domain
                           ftp/labisilon1
                           cifs/labisilon1.our.domain
                           cifs/labisilon1
  Supported Encryption Type(s): N/A
  Operating System Version: 6.4 (Santiago)
I have current Kerberos tickets.
$ /usr/share/centrifydc/kerberos/bin/klist -e
Ticket cache: FILE:/tmp/krb5cc_55555555
Default principal: svc9u998@CORP.OURDOMAIN.NET

Valid starting     Expires            Service principal
01/09/15 09:09:02  01/09/15 19:09:09  krbtgt/CORP.OURDOMAIN.NET@CORP.OURDOMAIN.NET
        renew until 01/10/15 09:09:02, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/09/15 09:09:17  01/09/15 19:09:09  nfs/rhel7nfsclient.our.domain.com@CORP.OURDOMAIN.NET
        renew until 01/10/15 09:09:02, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
Thanks for your help.
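Editor's note, added to the thread and not written by either participant: Simo's two questions (does uid 55555555 resolve on the server, and what are the directory permissions) and the "Failed to create krb5 context for user with uid ..." warnings from rpc.gssd are the three things worth checking mechanically when a Kerberos NFS mount works for root but not for a user. The script below is an added example, not gssproxy, nfs-utils or Centrify code. It assumes the client's credential cache follows the FILE:/tmp/krb5cc_<uid> layout seen in the klist output above (the same shape as the cred_store template in the gssproxy.conf), that the uid and directory being checked exist on the host it runs on (run the uid and directory checks on the NFS server, the log scan on the client), and GNU coreutils for stat/id. The host name nfs.example.test in the usage note is made up.

```sh
#!/bin/sh
# Added diagnostic helper for the thread above (not the project's own code).
# Assumptions: FILE:/tmp/krb5cc_<uid> ccache layout, GNU stat/id/getent.

# Resolve a numeric uid through NSS. rpc.gssd, gssproxy and idmapd all go
# through the same lookup, so an empty answer means this host (and whatever
# feeds its NSS, e.g. Centrify/sssd) does not know the uid at all.
resolve_uid() {
    getent passwd "$1" | cut -d: -f1
}

# Credential cache that the gssproxy template "ccache:FILE:/tmp/krb5cc_%U"
# expands to for a uid (assumed layout, matches the klist output above).
ccache_path_for_uid() {
    printf '/tmp/krb5cc_%s\n' "$1"
}

# Client side: does that ccache exist and is it owned by the uid in question?
check_ccache() {
    cc=$(ccache_path_for_uid "$1")
    [ -f "$cc" ] && [ "$(stat -c %u "$cc")" -eq "$1" ]
}

# Can uid $4 (its primary and supplementary gids in $5, space separated)
# traverse a directory with octal mode $1 owned by uid $2 / gid $3?
# This models local DAC only: uid 0 always succeeds here, whereas over NFS
# root is normally mapped to the anonymous uid by the export's root_squash.
dir_enterable() {
    mode=${1#0} owner=$2 group=$3 uid=$4 gids=$5
    [ "$uid" -eq 0 ] && return 0
    if [ "$uid" -eq "$owner" ]; then
        digit=$(( (mode / 100) % 10 ))          # owner triplet
    else
        digit=$(( mode % 10 ))                  # "other" triplet by default
        for g in $gids; do
            [ "$g" -eq "$group" ] && digit=$(( (mode / 10) % 10 )) && break
        done
    fi
    [ $(( digit & 1 )) -eq 1 ]                  # x bit is what "cd" needs
}

# Server side: resolve the uid, then evaluate the export directory's mode
# bits against that uid and its groups. Exit status 0 means both passed.
check_user_access() {
    uid=$1 dir=$2
    name=$(resolve_uid "$uid")
    if [ -z "$name" ]; then
        echo "uid $uid: not resolvable via NSS on this host"
        return 1
    fi
    set -- $(stat -c '%a %u %g' "$dir")
    if dir_enterable "$1" "$2" "$3" "$uid" "$(id -G "$uid")"; then
        echo "uid $uid ($name): can enter $dir (mode $1, owner $2:$3)"
    else
        echo "uid $uid ($name): cannot enter $dir (mode $1, owner $2:$3)"
        return 1
    fi
}

# Pull unique "uid server" pairs out of rpc.gssd debug output read on stdin,
# i.e. the "Failed to create krb5 context ..." warnings shown in the thread.
failed_contexts() {
    sed -n 's/.*Failed to create krb5 context for user with uid \([0-9][0-9]*\) for server \([^ ]*\).*/\1 \2/p' | sort -u
}

# Usage:  sh nfs_krb_check.sh <uid> <export-dir>     (on the NFS server)
#         <rpc.gssd debug output> | sh nfs_krb_check.sh -   (on the client)
if [ "$1" = "-" ]; then
    failed_contexts
elif [ $# -ge 2 ]; then
    check_user_access "$1" "$2"
fi
```

On the server, `sh nfs_krb_check.sh 55555555 /nfsv3kb5` answers both of Simo's questions in one go; a "not resolvable" result points at the server's NSS/Centrify configuration rather than at Kerberos, while a "cannot enter" result with a resolvable uid is a plain mode-bits problem that root only sidesteps because of DAC override (or a no_root_squash export). On the client, piping the rpc.gssd debug text through `nfs_krb_check.sh -` lists which uids gssd could not build a context for, and `check_ccache <uid>` then tells you whether the ccache gssd would look for is actually there and owned by that uid.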
gss-proxy mailing list gss-proxy@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/gss-proxy