NFSv4/Kerberos no longer works after SSO adjustment

Hi @all,

I have adapted the system as described here so that I can use SSO externally:

That also worked. After I restarted all servers and clients, all clients (Ubuntu 20.04) can no longer mount the /home via NFSv4.

About the environment. I have adapted the NFS4 server to use Kerberos. The clients joined the domain via ADS join. They get their home via NFSv4 and the remaining data directories via SMB. This is done via PAM when logging in.

<volume user="*" fstype="nfs4" server="srv01.gehr.local" path="/home/%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" sec="krb5i" options="rw,soft,_netdev,fsc,noatime,nodev,nosuid" />
<volume fstype="cifs" pgrp="domain users" path="//srv01.gehr.local/Bibliothek" mountpoint="/data01/Bibliothek/" sec="krb5i" cruid="%(USERUID)" options="fsc,cifsacl,iocharset=utf8" />
<volume fstype="cifs" pgrp="domain users" path="//srv01.gehr.local/Bilder" mountpoint="/data01/Bilder/" sec="krb5i" cruid="%(USERUID)" options="fsc,cifsacl,iocharset=utf8" />
<volume fstype="cifs" pgrp="domain users" path="//srv01.gehr.local/Buchhaltung" mountpoint="/data01/Buchhaltung/" sec="krb5i" cruid="%(USERUID)" options="fsc,cifsacl,iocharset=utf8" />

The local domain that was also used for the installation is gehr.local. The FQHN of the master (also NFSv4) is srv01.gehr.local and has the IP 192.168.24.5.

For the SSO adjustment, ucs-sso.gehr.local was changed to ucs-sso.externaldomain.de.

Can the problem be related to this?

The “rpc-svcgssd” no longer starts on the server:

root@srv01:~# systemctl status rpc-svcgssd.service
● rpc-svcgssd.service - RPC security service for NFS server
   Loaded: loaded (/lib/systemd/system/rpc-svcgssd.service; linked; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2021-01-20 15:32:11 CET; 13s ago
  Process: 8753 ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS (code=exited, status=1/FAILURE)
      CPU: 3ms

Jan 20 15:32:11 srv01 systemd[1]: Starting RPC security service for NFS server...
Jan 20 15:32:11 srv01 systemd[1]: rpc-svcgssd.service: Control process exited, code=exited status=1
Jan 20 15:32:11 srv01 systemd[1]: Failed to start RPC security service for NFS server.
Jan 20 15:32:11 srv01 systemd[1]: rpc-svcgssd.service: Unit entered failed state.
Jan 20 15:32:11 srv01 systemd[1]: rpc-svcgssd.service: Failed with result 'exit-code'.

On the client, when I try to mount the /home, I only get the error:

mount -t nfs4 -o sec=krb5i srv01.gehr.local:/home /home
mount.nfs4: access denied by server while mounting srv01.gehr.local:/home
root@pc002:/home/g.kopf# journalctl -f
-- Logs begin at Wed 2020-10-14 15:50:34 CEST. --

Jan 20 15:29:54 pc002 kernel: NFS4: Couldn't follow remote path

As I said. Before the SSO adjustment, everything was working.

Can anyone help me?

with best
sven

I was able to solve the problem. I cannot say exactly why this problem occurred with me and how it is related to the SSO customisation.

Perhaps a UCS expert can say something about this.

I had to recreate the Kerberos tickets for the NFS4 server and copy them to the directory. After that, everything worked as before.
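
A diagnostic for the situation in this thread, as an added example that is not part of the original posts: by default rpc.svcgssd uses the key of the nfs/<server FQDN> service principal from the server keytab, so the function below scans a keytab listing (the text printed by `klist -k` on MIT Kerberos or `ktutil list` on Heimdal) for that principal and prints the key version numbers it finds. The function names, the realm GEHR.LOCAL and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: look for the NFS service principal
# in a keytab listing read from stdin.
# Usage: <listing command> | nfs_keytab_kvnos <server-fqdn>
# Prints each distinct key version number (KVNO) found for
# nfs/<server-fqdn>@<any realm>; returns 1 if the principal is absent.
# The match is exact and case-sensitive, like Kerberos principal names.

nfs_keytab_kvnos() {
    host=$1
    out=$(awk -v want="nfs/$host@" '
        # A key row starts with a numeric KVNO; the principal is a later field
        # (field 2 in MIT klist output, field 3 in Heimdal ktutil output).
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if (index($i, want) == 1) seen[$1] = 1
        }
        END {
            n = 0
            for (k in seen) { print k; n++ }
            exit (n == 0)        # exit status 1 when no key was found
        }') || return 1
    printf '%s\n' "$out" | sort -n
}

# Constructed sample in the layout of MIT `klist -k` output.
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/srv01.gehr.local@GEHR.LOCAL
   3 nfs/srv01.gehr.local@GEHR.LOCAL
   4 nfs/srv01.gehr.local@GEHR.LOCAL
   2 nfs/srv02.gehr.local@GEHR.LOCAL
EOF
}

# Demonstration on the constructed sample.
if sample_listing | nfs_keytab_kvnos srv01.gehr.local >/dev/null; then
    echo "nfs/srv01.gehr.local: key present"
else
    echo "nfs/srv01.gehr.local: no key in listing"
fi
```

On a real server the input would be the listing of the system keytab, for example `klist -k /etc/krb5.keytab | nfs_keytab_kvnos srv01.gehr.local`; an empty result or a KVNO older than the one the KDC currently issues both point at a keytab that needs to be re-exported.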
