:: [DNG] NFS+Kerberos on Beowulf
Top Page
Delete this message
Reply to this message
Author: Jackman
Date:  
To: DNG
Subject: [DNG] NFS+Kerberos on Beowulf
Has anyone successfully gotten NFS and Kerberos working together on
Beowulf? I was able to get a working setup going in a fresh Debian Buster
VM in about 10 minutes. On the other hand, I've been working on trying to
get it working on Beowulf for two days without success.

➜ ~ cat /etc/exports
/srv/nfs-test *(rw,no_subtree_check,sec=krb5)

/srv/nfs-test is just a fresh folder. There's nothing fancy about it.

➜ ~ cat /etc/default/nfs-common
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD="yes"

I had to change the 'NEED_GSSD' value to get the gssd service running. I
think (I'd have to check) it was enabled by default on Buster.

➜ ~ mount -t nfs4 storage0:/srv/nfs-test /mnt/test -v
mount.nfs4: timeout set for Sun Feb 14 00:15:18 2021
mount.nfs4: trying text-based options
'vers=4.2,addr=10.1.0.100,clientaddr=10.1.0.100'
mount.nfs4: mount(2): Operation not permitted
mount.nfs4: trying text-based options 'addr=10.1.0.100'
mount.nfs4: prog 100003, trying vers=3, prot=6
mount.nfs4: trying 10.1.0.100 prog 100003 vers 3 prot TCP port 2049
mount.nfs4: prog 100005, trying vers=3, prot=17
mount.nfs4: trying 10.1.0.100 prog 100005 vers 3 prot UDP port 53016
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting storage0:/srv/nfs-test

That above mount command is being issued on the same machine as the
kerberos and NFS host. Changing the 'vers' and 'sec' mount options has
little effect, but I'd be happy to post in variations if you think there's
a clue to be had there.

I find this interesting in the logs:

==> syslog <==
Feb 14 00:15:10 storage0 rpc.mountd[30724]: authenticated mount request
from 10.1.0.100:830 for /srv/nfs-test (/srv/nfs-test)


==> kerberos/krb5kdc.log <==
Feb 14 00:16:56 storage0 krb5kdc[30344](info): AS_REQ (8 etypes {18 17 20
19 16 23 25 26}) 10.1.0.100: ISSUE: authtime 1613287016, etypes {rep=18
tkt=18 ses=18}, nfs/storage0.jackman.local@??? for
krbtgt/JACKMAN.LOCAL@???
Feb 14 00:16:56 storage0 krb5kdc[30344](info): TGS_REQ (8 etypes {18 17 20
19 16 23 25 26}) 10.1.0.100: ISSUE: authtime 1613287016, etypes {rep=18
tkt=18 ses=18}, nfs/storage0.jackman.local@??? for
nfs/storage0.jackman.local@???

This very much looks to me like a successful response from Kerberos.

I just can't figure out where the disconnection is.

Thank you!

Andrew Jackman
kd7nyq@???