cannot mount nfs share -o sec=krb5p
Chris Gorman
chrisjohgorman at gmail.com
Thu May 25 13:35:12 EDT 2023
Hello Again,
Please disregard this request for help as being persistent has allowed
me to fix my problem. I needed to rebuild the following packages to
get nfs mounting working.
nfs-utils
krb5
gssproxy
cyrus-sasl
Once these were built to recognise each other, my problem disappeared.
Thanks for your time.
Chris
On Tue, May 23, 2023 at 8:30 PM Chris Gorman <chrisjohgorman at gmail.com> wrote:
>
> Hello list,
>
> I am trying to build a linux from scratch system with nfs4 and
> kerberos. Somewhere along the line I have deviated from what distros
> like arch linux have done as I can't mount an nfs share with anything
> but -o sec=sys. I have tried to follow arch's build scripts for
> nfs-utils-2.6.3 and gssproxy-0.9.1. Both are installed and working as
> far as I can tell. I may yet need to rebuild a package due to
> circular dependencies. I don't know if this is my problem, or if it
> lies elsewhere.
>
> I have successfully set up a krb5 server on one of my arch systems,
> but want to have the service running on LFS.
>
> So I have two machines at the moment, server and client at domain
> example.com with realm EXAMPLE.COM. The client is an arch linux
> system and was the previous server. I could get nfs shares mounted
> when I had the arch system as the server. I can no longer mount
> shares when using the LFS machine as the server.
>
> I have tried turning on nfs debugging with rpcdebug and the attached
> files are the relevant output from journalctl. The client's log is
> attached as client.log and the server's log is server.log. The logs
> are logs of a mount call from the client to the server.
>
> sudo mount -vvv -t nfs4 -o sec=krb5p server.example.com:/home /home/nfs
>
> This call produces the following output.
>
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting server.example.com:/home
> mount.nfs4: timeout set for Tue May 23 19:03:05 2023
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4.2,addr=192.168.0.1,clientaddr=192.168.0.2'
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4,minorversion=1,addr=192.168.0.1,clientaddr=192.168.0.2'
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4,addr=192.168.0.1,clientaddr=192.168.0.2'
>
> My kerberos information follows
>
> Client's krb5.conf
> -----------------------
> [libdefaults]
> default_realm = EXAMPLE.COM
> encrypt = true
>
> [realms]
> EXAMPLE.COM = {
> admin_server = server.example.com
> kdc = server.example.com
>
> pkinit_anchors = FILE:/etc/krb5/cacert.pem
> pkinit_identity = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
> [logging]
> kdc = SYSLOG:NOTICE
> admin_server = SYSLOG:NOTICE
> default = SYSLOG:NOTICE
>
> Server's krb5.conf
> ------------------------
> [libdefaults]
> default_realm = EXAMPLE.COM
> encrypt = true
>
> [realms]
> EXAMPLE.COM = {
> admin_server = server.example.com
> kdc = server.example.com
>
> kdc_tcp_ports = 88
> allow_pkinit = yes
> pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
> pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
> [logging]
> kdc = SYSLOG:NOTICE
> admin_server = SYSLOG:NOTICE
> default = SYSLOG:NOTICE
>
> Server's kdc.conf
> -----------------------
> [kdcdefaults]
> kdc_listen = 88
> kdc_tcp_listen = 88
> spake_preauth_kdc_challenge = edwards25519
>
> [realms]
> EXAMPLE.COM = {
> database_name = /var/lib/krb5kdc/principal
> acl_file = /var/lib/krb5kdc/kadm5.acl
> key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
> kdc_listen = 88
> kdc_tcp_listen = 88
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> }
>
> Client's keytab
> -------------------
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 3 host/server.example.com at EXAMPLE.COM
> 3 host/server.example.com at EXAMPLE.COM
> 3 nfs/server.example.com at EXAMPLE.COM
> 3 nfs/server.example.com at EXAMPLE.COM
> 3 nfs/client.example.com at EXAMPLE.COM
> 3 nfs/client.example.com at EXAMPLE.COM
>
> /etc/resolv.conf
> --------------
> domain example.com
> nameserver 192.168.0.1
> nameserver 8.8.8.8
>
> /etc/hosts
> -------------
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> If someone has a moment, could you look at the logs and tell me if
> anything jumps out at you as my problem?
>
> Thanks in advance,
>
> Chris
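As an added check that is not part of the original thread: a small Python script that parses a `klist -k` listing shaped like the client keytab quoted above (the archive renders `@` as ` at `) and reports the two things a reviewer would look for before blaming the GSS stack, namely whether the `nfs/<client fqdn>` principal that rpc.gssd needs for any `sec=krb5*` mount is present, and whether the keytab also carries service keys for other hosts (the posted client keytab lists `host/` and `nfs/` keys for server.example.com, which belong on the server only). Hostnames and realm are those of the post; the listing itself is constructed.

```python
import re
from typing import List, NamedTuple, Tuple


class KeytabEntry(NamedTuple):
    kvno: int
    principal: str


# Constructed sample in the shape of the client's keytab from the post.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text: str) -> List[KeytabEntry]:
    """Extract (kvno, principal) pairs; header and separator lines do not match."""
    return [KeytabEntry(int(m.group(1)), m.group(2))
            for m in (ENTRY_RE.match(ln) for ln in text.splitlines()) if m]


def check_keytab(text: str, local_fqdn: str, realm: str) -> Tuple[bool, List[str]]:
    """Return (ok, findings) for a keytab that should serve one NFS client/server."""
    principals = {e.principal for e in parse_klist(text)}
    findings = []
    wanted = f"nfs/{local_fqdn}@{realm}"
    if wanted not in principals:
        findings.append(f"missing {wanted}: rpc.gssd has no machine credential for sec=krb5*")
    for p in sorted(principals):
        svc, _, rest = p.partition("/")
        host, _, prealm = rest.partition("@")
        if prealm != realm:
            findings.append(f"unexpected realm in {p}")
        # host/ and nfs/ keys identify a specific machine; a key for another
        # host on this keytab is a scoping error worth removing.
        if svc in ("host", "nfs") and host != local_fqdn:
            findings.append(f"service key for another host present: {p}")
    return (not findings, findings)


if __name__ == "__main__":
    ok, notes = check_keytab(SAMPLE_KLIST, "client.example.com", "EXAMPLE.COM")
    print("ok" if ok else "\n".join(notes))
```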