On Friday, November 6, 2015 3:24 AM, Alexander Bokovoy <[email protected]> wrote: > On Thu, 05 Nov 2015, [email protected] wrote: >>On Thursday, November 5, 2015 1:54 PM, Rob Crittenden >> <[email protected]> wrote: >>> [email protected] wrote: >>>> Hello everyone, [...] > > Your workflow should be something like this (using IPA CLI as an example > here): > 1. Create a service with 'ipa service-add' > 2. Associate a key with a service with 'ipa-getkeytab' and store it in a > keytab -- either directly on the server where service is running or on > any other IPA client. > 3. Deliver the keytab from step (2) to a server where it should be if > needed. In case of clustered configuration deliver the keytab to all > cluster nodes which will be operating as the service. > > Do not run 'ipa-getkeytab' multiple times as each run invalidates > previously obtained keytab. > > 4. Use the keytab to kinit and obtain initial ticket granting ticket > (TGT) for the service principal periodically. This either has to be > supported by an application itself or run with a wrapper that kinits > periodically. On RHEL 7, CentOS 7, and Fedora use GSS-PROXY to > perform automatic renewal, this is much cleaner way of doing it. > > If your NAS appliance has issues like below it only says that NFS server > side did not accept your configuration. Thus, you need to look into the > NAS appliance logs to say what is wrong there.
To eliminate NAS appliance I am following section 16.3.1 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/kerb-nfs.html#krb-nfs-server literally on a fresh CentOS 7 lab network consisting of one IPA server, one IPA client and a stand alone NFS server. For IPA server I created nfs service using ipa service-add nfs/fds.example.org followed by ipa-getkeytab -s fds.example.org -p nfs/fds.example.org -k /tmp/nfsserverfds.keytab then used ktutil to merge into host keytab. klist -k confirms that host and nfs principals are present. created /etc/exports like /home *(rw,insecure,sec=krb5) and enabled nfs-server service (I also disabled NFSv3) krb5 mount between IPA client and IPA server works without any problems. # mount -vvv -o sec=krb5 fds:/home /mnt mount.nfs: timeout set for Sun Nov 8 10:59:53 2015 mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=192.168.1.3,clientaddr=192.168.1.131' However, when I repeat exactly the same service-add and getkeytab steps for a stand alone NFS server, mount is denied. kinit -k nfs/nfsserver.example.org works (I added default realm in /etc/krb5.conf) Starting gssproxy in debug mode like /usr/sbin/gssproxy -di shows following during mount attempt: Debug Enabled Client connected (fd = 11) (pid = 2157) (uid = 0) (gid = 0) (context = system_u:system_r:kernel_t:s0) gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock /usr/sbin/rpc.gssd -vvv -f shows only beginning poll Does anyone know how to enable more verbosity from NFS components to find out what is missing in stand alone server configuration? Regards, Josh. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
