SCIENTIFIC-LINUX-USERS Archives

November 2005

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Fri, 11 Nov 2005 18:37:10 -0600

Hi Connie,

I've finally got it working.  It has nothing to do with the firewall.  The 
iptables service is stopped.  The problem is a lot more complicated; I don't
fully understand what is going on.  But, for what it is worth, I will try to
list what I did.

First, I need the flag SECURE_NFS=no in /etc/sysconfig/nfs.  Incidentally,
the file is not in the distribution and must be created.  This turns off the
rpcgssd and rpcsvcgssd services.  Switching them off via chkconfig is no
good because the nfs service will turn them on.  rpcidmapd must be
configured and enabled.

I tried running the rpc gss services manually but they failed.  The error
message was they could not find the key nfs/<host>@<realm> even though I
have it defined in my krb5.keytab file.  I believe this is specific to the
way my realm is defined.  Here at Argonne all employees have a domain ID
defined in the lab-wide Windows Active Directory. In other words, all of us
have a principal <user>@ANL.GOV.  For purposes of authentication, I define
my default realm in krb5.conf as ANL.GOV.  However, machines and services
are defined in our Windows child domain which in my case is PHY.ANL.GOV.  I
believe this is the reason why these services cannot find the nfs service
principal.  So, bottom line is:  unless I can redefine the realm for the rpc
gss services, I need to switch them off.  In any case, I don't care about
auth_gss for nfs so I really don't need them.

You don't need a portmap or mountd allow in /etc/hosts.allow if it's an
NFSv4 client mounting something from a NFSv4 server.  But, you will need to
allow mountd if you try to mount an NFSv4 exported fs on a NFSv3 client.
To cover both cases, hosts.allow should have

    portmap mountd: <client-list>

The portmap allows things like 'rpcinfo -p <NFSv4 server>' while the mountd
allows mounts and 'showmount -e <NFSv4 server>'.  /etc/exports must specify
fsid=0 for an exported filesystem.  That is,

    /export <nfs-client>(rw,sync,fsid=0,...)

NFSv4 clients mount so:

    mount -t nfs4 server:/ /mnt

while NFSv3 clients mount so:

    mount -t nfs server:/export /mnt

I tried removing it, but then only NFSv3 clients can mount.  NFSv4 clients
cannot.  Specifying fsid=0 means you have to use the NFSv4 pseudo-filesystem.  
I'm still playing around with this one.  

Finally, and this one is a complete mystery to me, you need to restart
rpcidmapd if you restart portmap and/or nfs.  After I discovered this, I
could reliably mount my NFSv4 exports.  So, when in doubt, always do

    service portmap restart
    service nfs restart
    service rpcidmapd restart

in this order.  If there are folks who have more experience and/or
understand this at a deeper level, I'd like to read a short synopsis on
how and why.

Ken


On Fri, 11 Nov 2005, Connie Sieh wrote:

> Ken,
> 
> I assume you poked the proper holes in the firewall assuming the firewall 
> is on.  
> 
> -Connie Sieh
> 
> On Fri, 11 Nov 2005, Ken Teh wrote:
> 
> > I'm having problems getting NFS to work on SL 4.1.  I've followed the
> > recipes in the RedHat docs and those I found on the web, but no cigar!
> > 
> > I've left rpc.idmapd running with the Domain parameter set to our DNS domain
> > on both the server and client side.  On the server side, I've turned off
> > rpc.gssd and rpc.svcgssd.  The exports file has the line
> > 
> > /h *.phy.anl.gov(rw,sync,fsid=0,insecure,no_subtree_check)
> > 
> > On the client side, the nfslock service is running.  I mount the system so
> > 
> > mount -rvt nfs server.phy.anl.gov:/h /mnt
> > 
> > The client says:
> > mount: RPC: Authentication error; why = Failed (unspecified error)
> > 
> > The server log says:
> > ... mountd: request from unauthorized host
> > 
> > I specify the client explicitly in /etc/hosts.allow
> > portmap: .phy.anl.gov
> > rpc.mountd: <client-ip>
> > 
> > Next, I try
> > 
> > mount -rvt nfs4 server.phy.anl.gov:/h /mnt
> > 
> > The client says:
> > mount: special device server.phy.anl.gov:/h does not exist
> > 
> > Or, it hangs.  The server is silent.  Turning on rpc.gssd and rpc.svcgssd
> > makes no difference.
> > 
> > I'm baffled.  Must be something awfully simple that I've overlooked.  Can
> > someone shed some light?
> > 
> > Ken
> > 
> 
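As an added example (not part of Ken's or Connie's mail), a small Python checker for the two configuration points Ken lists: /etc/exports must carry an fsid=0 export for the NFSv4 pseudo-root, and /etc/hosts.allow must admit the client to both portmap and mountd so that NFSv3 and NFSv4 clients can mount. The sample config text is constructed, the hostnames are placeholders, and the hosts.allow match is an exact token comparison rather than tcpwrappers' full pattern and EXCEPT rules.

```python
import re

# Constructed sample configs mirroring the thread (hostnames are placeholders).
EXPORTS = """\
# /etc/exports (constructed sample)
/export  *.phy.example.org(rw,sync,fsid=0,no_subtree_check)
/scratch 10.0.0.0/24(ro,sync)
"""

HOSTS_ALLOW = """\
# /etc/hosts.allow (constructed sample)
sshd: ALL
portmap, mountd: .phy.example.org 10.0.0.0/255.255.255.0
"""


def parse_exports(text):
    """Return {path: [(client, {option, ...}), ...]} for each export line."""
    exports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for spec in clients:                      # e.g. host(rw,sync,fsid=0)
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"            # bare "(ro)" means any client
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((client, opts))
        exports[path] = entries
    return exports


def pseudo_root_exports(text):
    """Paths exported with fsid=0, i.e. usable as the NFSv4 pseudo-root."""
    return sorted(p for p, ents in parse_exports(text).items()
                  if any("fsid=0" in opts for _, opts in ents))


def parse_hosts_allow(text):
    """Return {daemon: [client, ...]} from 'daemon_list : client_list' lines."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        for d in daemons.replace(",", " ").split():   # daemons may be comma-separated
            rules.setdefault(d, []).extend(clients.split())
    return rules


def hosts_allow_covers(text, client):
    """True if both portmap and mountd list `client` (exact token match only)."""
    rules = parse_hosts_allow(text)
    return all(client in rules.get(d, []) for d in ("portmap", "mountd"))
```

Running `pseudo_root_exports(EXPORTS)` on the sample returns only `/export`, and `hosts_allow_covers(HOSTS_ALLOW, ".phy.example.org")` is true while a hosts.allow with a portmap-only line is not, which is the NFSv3-client failure mode Ken describes.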
