Hello all,
I have a server running Proxmox, on which I have a virtual machine running FreeIPA. I did have this set up running Kerberized NFS, but a while ago, I rebooted the Proxmox host and now I always get "Permission Denied" when trying to mount the NFS server.
To give more detail, the Proxmox server (Debian Based) is running proxmox 5.3-8 (latest version) and is joined to the FreeIPA domain:
# realm list
ghibli.darac.org.uk
  type: kerberos
  realm-name: GHIBLI.DARAC.ORG.UK
  domain-name: ghibli.darac.org.uk
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
  required-package: freeipa-client
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  login-formats: %U@ghibli.darac.org.uk
  login-policy: allow-realm-logins

The NFS server is configured as follows:
# for i in /etc/default/nfs-* /etc/exports; do echo "---- $i"; grep "^[^#]" $i; done
---- /etc/default/nfs-common
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
---- /etc/default/nfs-kernel-server
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids -N 2 -N 3 -d all"
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS=" -v -v -v"
RPCNFSDOPTS=" -d 3"
---- /etc/exports
/tank 192.0.0.0/24(rw,sec=sys:krb5:krb5i:krb5p,no_subtree_check,no_root_squash)
The server has keys, too (I have tried refreshing these with `ipa-getkeytab -r -s ipaserver -p nfs/gusteau.darac.org.uk -k /etc/krb5.keytab`)
# klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 host/gusteau.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
   9 host/gusteau.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
   9 nfs/gusteau.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
   9 nfs/gusteau.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
The client is, for example, my laptop running Debian. It, too, is joined to the domain:
# realm list
ghibli.darac.org.uk
  type: kerberos
  realm-name: GHIBLI.DARAC.ORG.UK
  domain-name: ghibli.darac.org.uk
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
  required-package: freeipa-client
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  login-formats: %U@ghibli.darac.org.uk
  login-policy: allow-realm-logins
It, too, has these keys:
# klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/toothless.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
   4 host/toothless.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
   2 nfs/toothless.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
   2 nfs/toothless.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
And the user has a valid ticket:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: darac@GHIBLI.DARAC.ORG.UK

Valid starting       Expires              Service principal
03/02/19 19:31:44  04/02/19 19:31:38  krbtgt/GHIBLI.DARAC.ORG.UK@GHIBLI.DARAC.ORG.UK
However, when I try to mount the server:
# mount -v -t nfs4 -o sec=krb5 gusteau.darac.org.uk:/tank mnt
mount.nfs4: timeout set for Sun Feb  3 19:34:49 2019
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=192.0.2.100,clientaddr=192.0.2.187'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting gusteau.darac.org.uk:/tank
My problem is that I've run out of places to look for errors. I've tried enabling NFS debugging, but I don't see anything obvious there. I've also looked in /var/log/krb5kdc.log on the FreeIPA server, but I don't see any log messages there when the mount is attempted.
Apologies if this isn't the right place to ask about this, but it's one of these questions of "Is it FreeIPA at fault? Is it Kerberos? Is it my setup?" and I've got to start somewhere. Many thanks.
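The following is an added example, not part of the thread or of FreeIPA: a small Python script that re-checks, from the evidence the poster pasted, the preconditions a sec=krb5 NFSv4 mount has to satisfy. It parses the `klist -ke` listings and the /etc/exports line, then checks that the server keytab holds nfs/<server>@REALM, that the client keytab holds one of the machine principals rpc.gssd will use (nfs/, root/ or host/<client>@REALM), and that the export both covers the client's address and lists the requested security flavour. The sample inputs are copied from the messages above (the 192.0.x addresses may well have been anonymised by the poster, so treat that particular finding as a check on the pasted values, not a diagnosis); the function and variable names are the example's own.

```python
"""Re-check the preconditions of a Kerberized NFSv4 mount from pasted evidence.

Added example (not from the thread or FreeIPA). Sample inputs below are copied
from the mailing-list messages; addresses there may be anonymised.
"""
import ipaddress
import re

# One `klist -ke` entry line: KVNO, principal@REALM, (enctype)
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((\S+)\)\s*$")


def parse_keytab_listing(text):
    """Return {principal: set of KVNOs} from `klist -ke` output."""
    kvnos = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            kvnos.setdefault(m.group(2), set()).add(int(m.group(1)))
    return kvnos


def parse_exports_line(line):
    """Parse one /etc/exports line into (path, [(client, {option: value})]).

    `sec=sys:krb5` becomes {'sec': ['sys', 'krb5']}; flag options such as `rw`
    map to True.
    """
    path, *clients = line.split()
    parsed = []
    for client in clients:
        host, _, opts = client.partition("(")
        options = {}
        for opt in opts.rstrip(")").split(","):
            if not opt:
                continue
            key, eq, value = opt.partition("=")
            options[key] = value.split(":") if key == "sec" else (value if eq else True)
        parsed.append((host, options))
    return path, parsed


def check_krb5_mount(server_keytab, client_keytab, exports_line,
                     server_fqdn, client_fqdn, realm, client_addr, requested_sec):
    """Return a list of (severity, message); an empty list means every check passed."""
    findings = []

    # 1. The server side (rpc.svcgssd / kernel GSS) needs nfs/<server>@REALM.
    nfs_princ = f"nfs/{server_fqdn}@{realm}"
    server_kvnos = parse_keytab_listing(server_keytab)
    if nfs_princ not in server_kvnos:
        findings.append(("error", f"server keytab lacks {nfs_princ}"))
    elif len(server_kvnos[nfs_princ]) > 1:
        # Mixed KVNOs are legal but worth comparing against `kvno` on the KDC side.
        findings.append(("warn", f"{nfs_princ} has KVNOs {sorted(server_kvnos[nfs_princ])}"))

    # 2. rpc.gssd on the client needs a machine credential: nfs/, root/ or host/<client>@REALM.
    client_kvnos = parse_keytab_listing(client_keytab)
    machine_princs = [f"{svc}/{client_fqdn}@{realm}" for svc in ("nfs", "root", "host")]
    if not any(p in client_kvnos for p in machine_princs):
        findings.append(("error", f"client keytab has none of {machine_princs}"))

    # 3. The export must cover the client's address and allow the requested flavour.
    path, clients = parse_exports_line(exports_line)
    addr = ipaddress.ip_address(client_addr)
    matched = False
    for network, options in clients:
        try:
            net = ipaddress.ip_network(network, strict=False)
        except ValueError:
            continue  # hostnames, wildcards and netgroups are not evaluated here
        if addr in net:
            matched = True
            allowed = options.get("sec", ["sys"])  # exportfs defaults to sec=sys
            if requested_sec not in allowed:
                findings.append(("error", f"{path}: sec={requested_sec} not in {allowed}"))
    if not matched:
        findings.append(("error", f"{path}: {client_addr} matches no exported network"))
    return findings


# Sample inputs copied from the thread (constructed test data for this example).
SERVER_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   9 host/gusteau.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
   9 host/gusteau.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
   9 nfs/gusteau.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
   9 nfs/gusteau.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
"""
CLIENT_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   4 host/toothless.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
   4 host/toothless.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
   2 nfs/toothless.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
   2 nfs/toothless.darac.org.uk@GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
"""
EXPORTS_LINE = "/tank 192.0.0.0/24(rw,sec=sys:krb5:krb5i:krb5p,no_subtree_check,no_root_squash)"

if __name__ == "__main__":
    for severity, message in check_krb5_mount(
            SERVER_KEYTAB, CLIENT_KEYTAB, EXPORTS_LINE,
            "gusteau.darac.org.uk", "toothless.darac.org.uk",
            "GHIBLI.DARAC.ORG.UK", "192.0.2.187", "krb5"):
        print(f"{severity}: {message}")
```

On the pasted values the keytab checks pass; the only finding is that clientaddr 192.0.2.187 from the mount output does not fall inside the 192.0.0.0/24 network in /etc/exports. A real address mismatch of that kind is one of the things that produces "access denied by server" without any KDC traffic, so it is worth confirming against the un-anonymised addresses before going deeper into the Kerberos side.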
In an attempt to debug this, I tried uninstalling and re-installing ipa-client. Now that errors out with "HTTP response code is 401, not 200". I've definitely got something broken somewhere.
On 03/02/2019 19:43, Darac Marjal via FreeIPA-users wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
OK. I don't know if it was the latest update to the Debian packages, but I've been able to rejoin the domain. Still can't mount the server, though. I may have to find somewhere else that knows about Kerberos, though.
On 05/02/2019 20:33, Darac Marjal via FreeIPA-users wrote: