NFS IO on kerberized export failing with permission denied error
parinay
parinay at gmail.com
Tue Apr 15 07:15:34 EDT 2008
Hi,
Can anybody help in this please?
- All machines in talk are in time sync
- All machines are reachable with their FQDN
- Kinit/kadmin -p to KDC server is working fine. So I guess there
is no problem in these two, i.e. KDC client and KDC server, though I could be
wrong here
- I am not able to understand what's the problem here, as the
principal/keytab for filer is in place.
*Apr 15 06:09:15 kc4b1-e0 rpc.gssd[373]: ERROR: can't open clnt54: No such file or directory*
*Apr 15 06:09:15 kc4b1-e0 rpc.gssd[373]: WARNING: Failed to obtain machine credentials for connection to server rtpqa-fas6080-7-e0b.nas.ssqa.rtp.netapp.com*
Thanks & regards
Parinay
Logs to better explain my problem
*Linux Client*
[root@kc4b1-e0 ~]# uname -a
Linux kc4b1-e0 2.6.18-8.1.3.el5 #1 SMP Mon Apr 16 15:54:14 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
[root@kc4b1-e0 ~]#
*CLIENT KEYTAB*
[root@kc4b1-e0 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 root/kc4b1-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
3 nfs/kc4b1-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
[root@kc4b1-e0 ~]# kinit
Password for root/admin@NAS.SSQA.RTP.NETAPP.COM:
[root@kc4b1-e0 ~]#
[root@kc4b1-e0 ~]# mount -o sec=krb5 rtpqa-fas6080-7-e0b.nas.ssqa.rtp.netapp.com:/vol/vol1/ /mnt/
[root@kc4b1-e0 ~]# cd /mnt/
-bash: cd: /mnt/: Permission denied
[root@kc4b1-e0 ~]# tail /var/log/messages
Apr 15 06:09:15 kc4b1-e0 rpc.gssd[373]: ERROR: can't open clnt54: No such file or directory
*Apr 15 06:09:15 kc4b1-e0 rpc.gssd[373]: WARNING: Failed to obtain machine credentials for connection to server rtpqa-fas6080-7-e0b.nas.ssqa.rtp.netapp.com*
[root@kc4b1-e0 ~]#
*NETAPP Filer keytab*
[root@kc1b8-e0 ~]# klist -k /tmp/6080.keytab
Keytab name: FILE:/tmp/6080.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/rtpqa-fas6080-7.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
3 nfs/rtpqa-fas6080-7-e0b.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
[root@kc1b8-e0 ~]#
*NETAPP Filer kerb options*
options nfs.kerb
nfs.kerberos.enable on
nfs.kerberos.file_keytab.enable off
options kerb
kerberos.file_keytab.enable off
kerberos.file_keytab.principal rtpqa-fas6080-7-e0b.nas.ssqa.rtp.netapp.com
kerberos.file_keytab.realm NAS.SSQA.RTP.NETAPP.COM
kerberos.replay_cache.enable off
*NFS SERVER Exports*
/vol/vol1 -sec=krb5,rw,anon=0
*KDC*
[root@kc1b8-e0 ~]# uname -a
Linux kc1b8-e0 2.6.18-8.1.3.el5 #1 SMP Mon Apr 16 15:54:14 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
[root@kc1b8-e0 ~]#
On Mon, Apr 14, 2008 at 3:56 PM, parinay <parinay at gmail.com> wrote:
> Hi,
>
> I am failing to do NFS io on a volume with sec=krb5. The logs are below,
> to give you an exact idea.
>
> -All clients and KDC are in time sync
>
> -Every machine is reachable with hostname.
>
> -kinit/kadmin works from client
>
> -mount works but cd/ls fails on mounted path
>
> -KDC -2.6.18-8.1.3.el5
>
> -client-SunOS kc1b6 5.10 Generic_118855-33 i86pc i386 i86pc
>
> -NFS exports from - Netapp filer
>
>
> exportfs
> /vol/vol1 -sec=krb5,rw,anon=0
>
> options nfs.kerb
> nfs.kerberos.enable on
> nfs.kerberos.file_keytab.enable on
> nfs.kerberos.principal rtpqa-fas6080-7.rtp.netapp.com
> nfs.kerberos.realm NAS.SSQA.RTP.NETAPP.COM
> options kerb
> kerberos.file_keytab.enable on
> kerberos.file_keytab.principal rtpqa-fas6080-7.rtp.netapp.com
> kerberos.file_keytab.realm NAS.SSQA.RTP.NETAPP.COM
> kerberos.replay_cache.enable off
>
> kadmin.local
> Authenticating as principal root/admin@NAS.SSQA.RTP.NETAPP.COM with password.
> kadmin.local: listprincs
> K/M@NAS.SSQA.RTP.NETAPP.COM
> changepw/kc1b8-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> kadmin/admin@NAS.SSQA.RTP.NETAPP.COM
> kadmin/changepw@NAS.SSQA.RTP.NETAPP.COM
> kadmin/history@NAS.SSQA.RTP.NETAPP.COM
> kadmin/kc1b8-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> kiprop/kc1b8-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> krbtgt/NAS.SSQA.RTP.NETAPP.COM@NAS.SSQA.RTP.NETAPP.COM
> nfs/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> nfs/rtpqa-fas3170-9-vif1.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> nfs/rtpqa-fas6080-7.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> parinay/admin@NAS.SSQA.RTP.NETAPP.COM
> parinay/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> root/admin@NAS.SSQA.RTP.NETAPP.COM
> root/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> kadmin.local:
>
> klist -k /tmp/6080.keytab
> Keytab name: FILE:/tmp/6080.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 3 nfs/rtpqa-fas6080-7.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> # klist -k /tmp/kc1b6.keytab
> Keytab name: FILE:/tmp/kc1b6.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 3 root/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> 3 parinay/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
> 3 nfs/kc1b6-e0.nas.ssqa.rtp.netapp.com@NAS.SSQA.RTP.NETAPP.COM
>
> bash-3.00# cd /mnt/krb
> bash: cd: /mnt/krb: Permission denied
> bash-3.00#mount
>
> /mnt/krb on rtpqa-fas6080-7:/vol/vol1 remote/read/write/setuid/devices/vers=3/sec=krb5/xattr/dev=4700013 on Mon Apr 14 05:34:27 2008
>
>
> --
> easy is right
> begin right and you're easy
> continue easy and you're right
> the right way to go easy is to forget the right way
> and forget that the going is easy....
>
--
easy is right
begin right and you're easy
continue easy and you're right
the right way to go easy is to forget the right way
and forget that the going is easy....