Hello again,

Please disregard this request for help, as being persistent has allowed me to fix my problem. I needed to rebuild the following packages to get NFS mounting working:

nfs-utils
krb5
gssproxy
cyrus-sasl

Once these were built to recognise each other, my problem disappeared.

Thanks for your time.

Chris

On Tue, May 23, 2023 at 8:30 PM Chris Gorman <chrisjohgor...@gmail.com> wrote:
>
> Hello list,
>
> I am trying to build a Linux From Scratch system with NFSv4 and
> Kerberos. Somewhere along the line I have deviated from what distros
> like Arch Linux have done, as I can't mount an NFS share with anything
> but -o sec=sys. I have tried to follow Arch's build scripts for
> nfs-utils-2.6.3 and gssproxy-0.9.1. Both are installed and working as
> far as I can tell. I may yet need to rebuild a package due to
> circular dependencies. I don't know if this is my problem, or if it
> lies elsewhere.
>
> I have successfully set up a krb5 server on one of my Arch systems,
> but want to have the service running on LFS.
>
> So I have two machines at the moment, server and client, at domain
> example.com with realm EXAMPLE.COM. The client is an Arch Linux
> system and was the previous server. I could get NFS shares mounted
> when I had the Arch system as the server. I can no longer mount
> shares when using the LFS machine as the server.
>
> I have tried turning on NFS debugging with rpcdebug, and the attached
> files are the relevant output from journalctl. The client's log is
> attached as client.log and the server's log is server.log. The logs
> are logs of a mount call from the client to the server.
>
> sudo mount -vvv -t nfs4 -o sec=krb5p server.example.com:/home /home/nfs
>
> This call produces the following output.
>
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting server.example.com:/home
> mount.nfs4: timeout set for Tue May 23 19:03:05 2023
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4.2,addr=192.168.0.1,clientaddr=192.168.0.2'
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4,minorversion=1,addr=192.168.0.1,clientaddr=192.168.0.2'
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4,addr=192.168.0.1,clientaddr=192.168.0.2'
>
> My Kerberos information follows.
>
> Client's krb5.conf
> -----------------------
> [libdefaults]
>     default_realm = EXAMPLE.COM
>     encrypt = true
>
> [realms]
>     EXAMPLE.COM = {
>         admin_server = server.example.com
>         kdc = server.example.com
>
>         pkinit_anchors = FILE:/etc/krb5/cacert.pem
>         pkinit_identity = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
>     }
>
> [domain_realm]
>     example.com = EXAMPLE.COM
>     .example.com = EXAMPLE.COM
>
> [logging]
>     kdc = SYSLOG:NOTICE
>     admin_server = SYSLOG:NOTICE
>     default = SYSLOG:NOTICE
>
> Server's krb5.conf
> ------------------------
> [libdefaults]
>     default_realm = EXAMPLE.COM
>     encrypt = true
>
> [realms]
>     EXAMPLE.COM = {
>         admin_server = server.example.com
>         kdc = server.example.com
>
>         kdc_tcp_ports = 88
>         allow_pkinit = yes
>         pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
>         pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
>     }
>
> [domain_realm]
>     example.com = EXAMPLE.COM
>     .example.com = EXAMPLE.COM
>
> [logging]
>     kdc = SYSLOG:NOTICE
>     admin_server = SYSLOG:NOTICE
>     default = SYSLOG:NOTICE
>
> Server's kdc.conf
> -----------------------
> [kdcdefaults]
>     kdc_listen = 88
>     kdc_tcp_listen = 88
>     spake_preauth_kdc_challenge = edwards25519
>
> [realms]
>     EXAMPLE.COM = {
>         database_name = /var/lib/krb5kdc/principal
>         acl_file = /var/lib/krb5kdc/kadm5.acl
>         key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
>         kdc_listen = 88
>         kdc_tcp_listen = 88
>         max_life = 10h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>     }
>
> Client's keytab
> -------------------
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/server.example....@example.com
>    3 host/server.example....@example.com
>    3 nfs/server.example....@example.com
>    3 nfs/server.example....@example.com
>    3 nfs/client.example....@example.com
>    3 nfs/client.example....@example.com
>
> /etc/resolv.conf
> --------------
> domain example.com
> nameserver 192.168.0.1
> nameserver 8.8.8.8
>
> /etc/hosts
> -------------
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> If someone has a moment, could you look at the logs and tell me if
> anything jumps out at you as my problem?
>
> Thanks in advance,
>
> Chris

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
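The thread above checks keytab contents by eye. The following shell snippet is an added example, not code from the original thread or from nfs-utils: it parses a `klist -k` style listing and reports whether it contains a machine principal (nfs/, root/ or host/ for the given host name) of the kind rpc.gssd can use for a Kerberos-secured NFS mount. The sample listing, the host names and the realm are constructed for the example; when run for real, feed it the output of `klist -k` on the machine in question.

```shell
#!/bin/sh
# Added example (not part of the original thread): check a keytab listing for a
# machine principal usable by rpc.gssd on the host named in the argument.
# Assumptions: LISTING is in `klist -k` output format (header lines followed by
# "KVNO principal" rows); HOST is the fully qualified host name; REALM is the
# Kerberos realm. None of these values are taken from the original post.

# has_machine_principal LISTING HOST REALM
# Prints the first matching principal and returns 0 if the listing contains
# nfs/HOST@REALM, root/HOST@REALM or host/HOST@REALM; returns 1 otherwise.
has_machine_principal() {
    listing=$1
    host=$2
    realm=$3
    for svc in nfs root host; do
        want="$svc/$host@$realm"
        # Only rows whose first field is a numeric KVNO are keytab entries;
        # the header and dashed separator lines are skipped that way.
        if printf '%s\n' "$listing" | awk -v want="$want" '
            $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
            END { exit !found }'; then
            echo "$want"
            return 0
        fi
    done
    return 1
}

# Constructed sample listing in the format `klist -k` prints (not the
# poster's real keytab; the hosts and realm are placeholders).
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM'

# Stand-alone demonstration: the sample listing covers the client host, so this
# prints the principal and exits 0; a host with no entry makes it exit 1.
has_machine_principal "$SAMPLE_LISTING" client.example.com EXAMPLE.COM
```

On a real client, run it as `has_machine_principal "$(klist -k)" "$(hostname -f)" EXAMPLE.COM`; a non-zero exit means rpc.gssd has no machine credential to fall back on, and the mount will only succeed for users who already hold a ticket.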