Petros Triantafyllidis via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> Hi all, > I have a setup with two servers running CenOS 7.6 which I updated > recently to ipa-server-4.6.4-10.el7.centos.6.x86_64. The update > apparently completed successfully and after that I went through the > update of several clients (ipa-client-4.6.4-10.el7.centos.6.x86_64) some > of which export kerberized nfs shares. However, after the upgrade, the > nfs shares are not accessible neither by other clients nor by servers. I > don't know if it's a coincidence, but I can access only shares exported > by a non-upgraded client. > When trying to mount by hand from server (:fidias) with admin > credentials I receive: > > [root@fidias]# mount -t nfs4 -o sec=krb5 medusa:/export/teras /teras > mount.nfs4: access denied by server while mounting medusa:/export/teras > > [root@fidias]# ipa-getkeytab -r -s fidias.geo.auth.gr -p > nfs/medusa.geo.auth.gr -k medusa-nfs.keytab > Failed to parse result: Insufficient access rights > > Failed to get keytab > > [root@fidias]# KRB5_TRACE=/dev/stderr kinit -k -t /etc/krb5.keytab > nfs/medusa.geo.auth.gr > [26055] 1567693076.930983: Resolving unique ccache of type KEYRING > [26055] 1567693076.930984: Getting initial credentials for > nfs/medusa.geo.auth...@geo.ss.lan > [26055] 1567693076.930985: Looked up etypes in keytab: (empty) > [26055] 1567693076.930986: Getting initial credentials for > nfs/medusa.geo.auth...@geo.ss.lan > [26055] 1567693076.930987: Looked up etypes in keytab: (empty) > kinit: Keytab contains no suitable keys for > nfs/medusa.geo.auth...@geo.ss.lan while getting initial credentials What's the kvno and enctypes for the keytab? Do the match that of the service? klist -ekt /path/to/keytab, kvno nfs/medusa.geo.auth.gr Thanks, --Robbie
signature.asc
Description: PGP signature
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
