Idmapd gssapi error


grep nfs_ex
nfs_export_all_ro --> on
nfs_export_all_rw --> on

This allows the NFS daemon to read and write almost any file. Disable the booleans to lock down the capabilities.

Kerberos Keytab File

There are a couple of ways of creating the keytab file.

If we know the IPA admin credentials, we can obtain a Kerberos ticket and use the ipa-getkeytab command.

# yum install -y ipa-client

Obtain a Kerberos ticket and verify:

# kinit admin
# klist

Get a keytab for our Kerberos NFS principal:

# ipa-getkeytab -s sprers.eu -p nfs/sprers.eu -k /etc/sprers.eu
Keytab successfully retrieved and stored in: /etc/sprers.eu

Verify with:

# klist -k
   2 nfs/[email protected]
   2 nfs/[email protected]
   2 nfs/[email protected]
   2 nfs/[email protected]
   2 nfs/[email protected]
   2 nfs/[email protected]

Now, if we don't have Kerberos admin credentials, we can alternatively download the keytab file for the server via FTP (assuming it was made available on the Kerberos server):

# wget -O /etc/sprers.eu ftp://sprers.eu
# chmod /etc/sprers.eu
# restorecon -v /etc/sprers.eu

Verify:

# klist -k
   3 nfs/[email protected]
   3 nfs/[email protected]
   3 nfs/[email protected]
   3 nfs/[email protected]
   3 nfs/[email protected]
   3 nfs/[email protected]

Once the keytab is created, start the nfs-secure-server service:

# systemctl start nfs-secure-server

Check the NFS server status for any errors.

For verbose logging, open the file , assign the -vvv string to the RPCGSSDARGS variable and restart the nfs-secure-server service.

Reboot the NFS server before proceeding to the client configuration. After restart, ensure that both services are running:

# systemctl status nfs-server nfs-secure-server

NFS Client Setup

All commands in this section are run on the server srv2.

Packages and Services

# yum install -y nfs-utils

On RHEL , enable the nfs-secure service:

# systemctl enable nfs-secure

On RHEL and RHEL , nfs-secure is a static service and cannot be enabled. It is started by the sprers.eu service, assuming the file is present on the system:

# systemctl enable sprers.eu

Mount a Kerberised NFS Share

If the NFSv3 server has firewall configured to allow mountd and rpcbind traffic, we can use the showmount command to verify that the client can see the shares:

# showmount -e sprers.eu
Export list for sprers.eu:
/srv/nfs_group  /24
/srv/nfs_pub    /24
/srv/nfs_secure sprers.eu

Because NFSv4 does not use the mountd daemon, showmount will not return information about version 4 mounts.

As with the NFS server, if we know the Kerberos admin credentials, we can obtain the keytab with ipa-client:

# yum install -y ipa-client

Obtain a Kerberos ticket and verify:

# kinit admin
# klist

Get a keytab for our Kerberos NFS principal:

# ipa-getkeytab -s sprers.eu -p nfs/sprers.eu -k /etc/sprers.eu
Keytab successfully retrieved and stored in: /etc/sprers.eu

Verify with:

# klist -k
Keytab name: FILE:/etc/sprers.eu
KVNO Principal
   4 nfs/[email protected]
   4 nfs/[email protected]
   4 nfs/[email protected]
   4 nfs/[email protected]
   4 nfs/[email protected]
   4 nfs/[email protected]

As we can see above, our keytab does not contain host credentials, because we did not create them when setting up the FreeIPA server. It is therefore vital that the NFS client is configured for Kerberos authentication (with authconfig-tui, for example); otherwise we won't be able to mount the kerberised NFS share, and sprers.eu will complain a lot:

ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/sprers.eu for connection with host sprers.eu
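As an added check that is not part of the original article, the shell function below reproduces what rpc.gssd looks for when it refreshes its machine credential: an nfs/FQDN@REALM or host/FQDN@REALM entry in the keytab for the local host name. The `klist -k` listing is passed in as text so the check can run offline; the host names and realm in the sample listing are constructed.

```shell
# Added check, not part of the original article: reproduce what rpc.gssd
# looks for when it refreshes the machine credential, so the
# "no usable keytab entry found" condition can be spotted before mounting.
# Host names and realm below are constructed sample values.

# keytab_has_machine_cred LISTING FQDN
#   LISTING: the text printed by `klist -k` (passed in so the check can run
#            offline against a captured listing)
#   FQDN:    the local host name gssd will look up
#   Returns 0 when an nfs/FQDN@REALM or host/FQDN@REALM entry exists.
keytab_has_machine_cred() {
    listing=$1
    fqdn=$2
    # Keep only rows that start with a KVNO number, take the principal
    # column and collapse the per-enctype duplicates.
    principals=$(printf '%s\n' "$listing" \
        | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u)
    for p in $principals; do
        case "$p" in
            "nfs/$fqdn@"*|"host/$fqdn@"*) return 0 ;;
        esac
    done
    return 1
}

# gssd_preflight FQDN: run the check against the live keytab and print the
# same kind of message gssd would log. Not invoked automatically below.
gssd_preflight() {
    listing=$(klist -k 2>/dev/null) || { echo "klist -k failed"; return 2; }
    if keytab_has_machine_cred "$listing" "$1"; then
        echo "OK: machine credential for $1 present"
    else
        echo "ERROR: no usable keytab entry found for host $1"
        return 1
    fi
}

# Constructed sample listing, shaped like the output above: three enctypes
# for one NFS service principal and no host/ principal.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/srv2.example.com@EXAMPLE.COM
   4 nfs/srv2.example.com@EXAMPLE.COM
   4 nfs/srv2.example.com@EXAMPLE.COM'

keytab_has_machine_cred "$SAMPLE_LISTING" srv2.example.com && echo "srv2: usable entry"
keytab_has_machine_cred "$SAMPLE_LISTING" srv3.example.com || echo "srv3: no usable entry"
```

Run `gssd_preflight "$(hostname -f)"` on the client to check the real keytab; a non-zero exit corresponds to the gssd error quoted above.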

If the Kerberos credentials are not available, we can get the keytab from FTP (as we have configured it for our system). Download the keytab file from the Kerberos server:

# wget ftp://sprers.eu -O /etc/sprers.eu
# chmod /etc/sprers.eu
# restorecon -v /etc/sprers.eu
# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
# klist -k
Keytab name: FILE:/etc/sprers.eu
KVNO Principal
   5 nfs/[email protected]
   5 nfs/[email protected]
   5 nfs/[email protected]
   5 nfs/[email protected]
   5 nfs/[email protected]
   5 nfs/[email protected]

Start the nfs-secure service:

# systemctl start nfs-secure

For verbose logging, open the file , assign the -vvv string to the RPCGSSDARGS variable and restart the nfs-secure service. You may need it if you run into problems.

Mount the share:

# mkdir /mnt/nfs_secure
# mount -t nfs4 -o vers=,sec=krb5p sprers.eu:/srv/nfs_secure /mnt/nfs_secure

If you get the error message "sprers.eu: an incorrect mount option was specified", check that you started the nfs-secure daemon on the client and nfs-secure-server on the server.

Verify:

# mount
Re: GSSAPI as it relates to NFS
From: Dorian Taylor (Lists)
To: Chuck Lever III
Cc: Linux NFS Mailing List

> On Dec 25, , at PM, Chuck Lever III <[email protected]> wrote:
>
> IIRC Linux requires that a mount operation be done by root. If you run gssd with "-n", become root, then kinit as yourself, I think it should work.
>
> There has been some discussion about enabling a non-privileged user to perform a mount it's a bit tricky because the function of mount is to alter the file namespace, which traditionally requires extra privilege to do.
>
> Mac OS has had this functionality for ages to enable basic Finder operation. Linux doesn't have it yet.

I mean, you're the expert, though it looks a heck of a lot like the functionality is present: mount(8) is setuid (and so is sprers.eu), there is the `user` (and separate `users`) mount option in fstab, and I am pretty sure I have mounted things like optical drives and USB keys from a Linux desktop without e.g. entering a password (though I suppose that could have been the work of FUSE or GVFS or something).

> AFAIK you are not doing anything wrong. It just isn't supported on Linux at this time.

So, here is something interesting:

* I run `sprers.eu -fn -vvv`
* in a root shell, I `kinit` as myself
* I `mount remotehome:/in/fstab`
* miraculously, that $RPC_PIPEFS/nfs/$CLIENT/krb5 pseudo-file now reports 'mech=krb5 uid='.
* after some carping about credential caches, sprers.eu works correctly and the share is mounted as me.

I didn't mount the NFS share though, root did, with my Kerberos TGT. From this I can deduce that that uid= must be coming from sprers.eu, because where else could it come from? That's the only thing that 'knows' the relationship between the Kerberos principals and the user IDs on the system.

Moreover, what looks like what happened with the credential caches is that even though doing a kinit for my ticket as root, the ccache that sprers.eu actually *used* to authenticate the share was a different one owned by me (uid ) that was also in /tmp at the time. So /tmp/krb5cc_0 is used (presumably by sprers.eu) to find out that [email protected] -> , but then /tmp/krb5cc__XoaBV1 (by sprers.eu) to actually authenticate the mount.

What this is telling me is that there is no reason in principle why a non-root user shouldn't be able to mount an NFSv4 share authenticated by GSS/Kerberos (as both `mount` and `sprers.eu` are setuid, and the fstab entry has `user` in the options; by all means the code to do the job sure looks like it's in there), but rather the information about the *initial* mapping from Kerberos principal to system uid is not getting transmitted to sprers.eu

To recap:

* when I run `mount remotehome:/in/fstab` as myself, gssd reports reading uid=0 in that pseudo-file;
* when I run `mount remotehome:/in/fstab` as root with my ticket, gssd reports uid= although, actually:
* it turns out that the only parts that matter are a) sprers.eu -n, and b) root having a ccache with my ticket in it, in addition to me having one as well. I also appear not to need to be root to do the actual mount though, as `mount` is suid.

(aside: it looks like the `noresvport` mount option is ignored, as port < is used to connect whether the real uid invoking `mount` is root or myself.)

This is looking more and more like a bug. I wonder what it would take to get it to work properly?

--
Dorian Taylor
Make things. Make sense.