[Samba] Samba4 PDC keytab creation for NFSv4 not working

Henrik Dige Semark hds at semark.dk
Wed Nov 5 09:13:31 MST 2014


Kind Regards / Best Regards
Henrik Dige Semark
Mobil: +45 26331701

On 2014-11-04 22:33, steve wrote:
> On 04/11/14 15:21, Rowland Penny wrote:
>> On 04/11/14 13:49, Henrik Dige Semark wrote:
>>>>
>>> Hey,
>>> Sorry I missed that in the blog.
>>> I read through it, and thought my setup, and what I had done/tried
>>> before, was more or less the same - but I missed that he created a
>>> nfs-user and added the keytab on the user instead.
>>>
>>> It's true, I can now add the NFS principal to the keytab but my
>>> clients still can't connect.
>>> I have also double and triple checked that I do the same on the
>>> clients as he describes in the blog post.
>>>
>>>
>>> My client (hymer$) is part of the domain - I can SSH without password
>>> to jotunheim, I have DNS and reverse DNS for the machine, and both
>>> jotunheim and hymer can ping each other.
>
> So it's your nfs4 exports then. Remember that butter is bad for you 
> again this year and so you must not export nfs4 mounts from a bind 
> mounted fsid=0 pseudo-root. No sir. This year, we're exporting them as 
> margarine, just like in the good old nfs3 days. If you're not sure 
> what brand of margarine you should be using, post your /etc/exports 
> and idmapd configs at both ends and we'll advise and rpc.idmapd -fvvv 
> at both ends should help us nail it.
> José
>
Hey,

Okay, so jotunheim is:

# cat /etc/exports
#/export        gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
#/export/home   gss/krb5(rw,sync,no_subtree_check)
/home           gss/krb5(rw,sync,no_subtree_checl)

# cat /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
Domain = YGGDRASIL.BITTOO.NET

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

# rpc.gssd -fvvv
beginning poll

# rpc.idmapd -fvvv
rpc.idmapd: libnfsidmap: using domain: YGGDRASIL.BITTOO.NET
rpc.idmapd: libnfsidmap: Realms list: 'YGGDRASIL.BITTOO.NET'
rpc.idmapd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch

rpc.idmapd: Expiration time is 600 seconds.
rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
rpc.idmapd: New client: 0
rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt0/idmap
rpc.idmapd: New client: 1
rpc.idmapd: Stale client: 0
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt0/idmap
[warn] event_del: event has no event_base set.
rpc.idmapd: Stale client: 1
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt1/idmap
rpc.idmapd: New client: 2
rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt2/idmap
rpc.idmapd: New client: 3
rpc.idmapd: Stale client: 2
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt2/idmap
[warn] event_del: event has no event_base set.
rpc.idmapd: Stale client: 3
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt3/idmap
rpc.idmapd: New client: 4
rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt4/idmap
rpc.idmapd: New client: 5
rpc.idmapd: Stale client: 4
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt4/idmap
[warn] event_del: event has no event_base set.
rpc.idmapd: Stale client: 5
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt5/idmap
rpc.idmapd: New client: 6
rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt6/idmap
rpc.idmapd: New client: 7
rpc.idmapd: Stale client: 6
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt6/idmap
[warn] event_del: event has no event_base set.
rpc.idmapd: Stale client: 7
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt7/idmap
rpc.idmapd: New client: 8
rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt8/idmap
rpc.idmapd: New client: 9
rpc.idmapd: Stale client: 8
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt8/idmap
[warn] event_del: event has no event_base set.
rpc.idmapd: Stale client: 9
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt9/idmap
rpc.idmapd: New client: a
rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnta/idmap
rpc.idmapd: New client: b
rpc.idmapd: Stale client: a
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnta/idmap
[warn] event_del: event has no event_base set.
rpc.idmapd: Stale client: b
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clntb/idmap
rpc.idmapd: New client: c
rpc.idmapd: Opened /run/rpc_pipefs/nfs/clntc/idmap
rpc.idmapd: New client: d
rpc.idmapd: Stale client: c
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clntc/idmap
[warn] event_del: event has no event_base set.
rpc.idmapd: Stale client: d
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clntd/idmap

And the client (hymer):
On the client, AutoFS mounts the nfs4 share, but I have tried doing it
manually instead.

# mount -vvvv -t nfs4 -o sec=krb5 jotunheim.static.yggdrasil.bittoo.net:/home /home
mount.nfs4: timeout set for Wed Nov  5 17:10:12 2014
mount.nfs4: trying text-based options 'sec=krb5,addr=2001:470:dd5b:74::1,clientaddr=2001:470:dd5b:74:1::d2'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.116.1,clientaddr=192.168.117.106'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting jotunheim.static.yggdrasil.bittoo.net:/home

# cat /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = YGGDRASIL.BITTOO.NET
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

# rpc.gssd -fvvvv
beginning poll
destroying client /run/rpc_pipefs/nfs/clnt2e
destroying client /run/rpc_pipefs/nfs/clnt35

# rpc.idmapd -fvvvvv
rpc.idmapd: libnfsidmap: using domain: YGGDRASIL.BITTOO.NET
rpc.idmapd: libnfsidmap: Realms list: 'YGGDRASIL.BITTOO.NET'
rpc.idmapd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch

rpc.idmapd: Expiration time is 600 seconds.
rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
rpc.idmapd: New client: 30
rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt30/idmap
rpc.idmapd: New client: 31
rpc.idmapd: New client: 32
rpc.idmapd: New client: 37
rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt37/idmap
rpc.idmapd: New client: 38
rpc.idmapd: Stale client: 37
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt37/idmap
[warn] event_del: event has no event_base set.
rpc.idmapd: Stale client: 38
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt38/idmap
rpc.idmapd: New client: 39
rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt39/idmap
rpc.idmapd: New client: 3a
rpc.idmapd: Stale client: 39
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt39/idmap
[warn] event_del: event has no event_base set.
rpc.idmapd: Stale client: 3a
rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt3a/idmap
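
As an added example (not from the thread or from nfs-utils), a small Python checker for the server's /etc/exports: it flags options that exportfs(8) would reject as unknown keywords, such as the 'no_subtree_checl' spelling on the /home line above, exports that still rely on an fsid=0 pseudo-root, and client specs that do not require a krb5 flavour. KNOWN_OPTIONS is an assumed, non-exhaustive subset of the exports(5) options, and the sample file is constructed.

```python
import re
import sys

# Export options exportfs(8) accepts (assumption: a common subset, not exhaustive).
KNOWN_OPTIONS = {
    "rw", "ro", "sync", "async", "secure", "insecure", "wdelay", "no_wdelay",
    "hide", "nohide", "crossmnt", "subtree_check", "no_subtree_check",
    "root_squash", "no_root_squash", "all_squash", "no_all_squash",
    "fsid", "sec", "anonuid", "anongid", "mountpoint", "mp", "refer", "replicas",
    "secure_locks", "insecure_locks", "auth_nlm", "no_auth_nlm",
}
# One client spec: host (or legacy gss/krb5 pseudo-host) with optional (opts).
CLIENT_SPEC = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")

# Constructed sample modelled on the exports file in the thread; the misspelled
# option on the /home line is kept on purpose because it is what the check catches.
SAMPLE_EXPORTS = """\
#/export        gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export         gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
/home           gss/krb5(rw,sync,no_subtree_checl)
/srv/pub        192.168.116.0/24(ro,sync,no_subtree_check)
"""


def check_exports(text):
    """Return a list of (path, host, finding) tuples for one /etc/exports body."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:                         # a path with no client spec exports nothing useful
            findings.append((parts[0], "", "no client specification"))
            continue
        path, clients = parts
        for m in CLIENT_SPEC.finditer(clients):
            host, opts = m.group("host"), m.group("opts") or ""
            keys = {}
            for opt in filter(None, opts.split(",")):
                key, _, value = opt.partition("=")
                keys[key] = value
                if key not in KNOWN_OPTIONS:       # exportfs reports these as unknown keywords
                    findings.append((path, host, f"unknown option '{opt}'"))
            if keys.get("fsid") == "0":
                findings.append((path, host, "fsid=0 pseudo-root export"))
            if not (host.startswith("gss/krb5") or "krb5" in keys.get("sec", "")):
                findings.append((path, host, "no krb5 security flavour required"))
    return findings


if __name__ == "__main__":
    body = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for path, host, finding in check_exports(body):
        print(f"{path} {host or '-'}: {finding}")
```

Run it as `python3 check_exports.py /etc/exports` on the server; with no argument it checks the constructed sample.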

