[opensuse] Switch off GSS for NFS?
Hello,

when switching on NFS to my external NAS I get messages in /var/log/messages:

rpc.gssd[17127]: ERROR: No credentials found for connection to server NAS.mydom.at
rpc.gssd[17127]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host NAS.mydom.at

I did not turn on GSS security in yast when switching on NFS client. So why is gss turned on? I do not need it since the network is an internal one. The NAS does not have any gss as far as I can see.

BR ME

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

Set NFS_SECURITY_GSS="no" in /etc/sysconfig/nfs

--
Later, Darin

On Sat, Feb 7, 2015 at 2:16 PM, MarkusGMX <Markus.Egg@gmx.at> wrote:
> Hello,
>
> when switching on NFS to my external NAS I get messages in /var/log/messages:
>
> rpc.gssd[17127]: ERROR: No credentials found for connection to server NAS.mydom.at
> rpc.gssd[17127]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host NAS.mydom.at
>
> I did not turn on GSS security in yast when switching on NFS client. So why is gss turned on? I do not need it since the network is an internal one. The NAS does not have any gss as far as I can see.
>
> BR ME

I see the same annoying log messages. Setting NFS_SECURITY_GSS="no" in /etc/sysconfig/nfs does not help. Any other suggestions?

Cheers, Urs

On 02/07/2015 10:32 PM, Darin Perusich wrote:
> Set NFS_SECURITY_GSS="no" in /etc/sysconfig/nfs
>
> --
> Later, Darin
>
> On Sat, Feb 7, 2015 at 2:16 PM, MarkusGMX <Markus.Egg@gmx.at> wrote:
>> Hello,
>>
>> when switching on NFS to my external NAS I get messages in /var/log/messages:
>>
>> rpc.gssd[17127]: ERROR: No credentials found for connection to server NAS.mydom.at
>> rpc.gssd[17127]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host NAS.mydom.at
>>
>> I did not turn on GSS security in yast when switching on NFS client. So why is gss turned on? I do not need it since the network is an internal one. The NAS does not have any gss as far as I can see.
>>
>> BR ME

On Sat, 07 Feb 2015 20:16:33 +0100, MarkusGMX <Markus.Egg@gmx.at> wrote:
> Hello,
>
> when switching on NFS to my external NAS I get messages in /var/log/messages:
>
> rpc.gssd[17127]: ERROR: No credentials found for connection to server NAS.mydom.at
> rpc.gssd[17127]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host NAS.mydom.at
>
> I did not turn on GSS security in yast when switching on NFS client. So why is gss turned on?

Which NFS version are you using?

> I do not need it since the network is an internal one. The NAS does not have any gss as far as I can see.
>
> BR ME

On 02/08/2015 06:30 AM, Andrei Borzenkov wrote:
> On Sat, 07 Feb 2015 20:16:33 +0100, MarkusGMX <Markus.Egg@gmx.at> wrote:
>> Hello,
>>
>> when switching on NFS to my external NAS I get messages in /var/log/messages:
>>
>> rpc.gssd[17127]: ERROR: No credentials found for connection to server NAS.mydom.at
>> rpc.gssd[17127]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host NAS.mydom.at
>>
>> I did not turn on GSS security in yast when switching on NFS client. So why is gss turned on?
>
> Which NFS version are you using?

Except for one NFS mount (which is NFS3), we use NFS4. All the

rpc.gssd[4742]: ERROR: No credentials found for connection to server XYZ

messages we get are from NFS4 mounts/servers. We have in /etc/sysconfig/nfs:

USE_KERNEL_NFSD_NUMBER="4"
NFS_SECURITY_GSS="no"
NFS3_SERVER_SUPPORT="yes"
NFS4_SUPPORT="yes"
NFS_START_SERVICES="yes"
NFS4_SERVER_MINOR_VERSION="0"
NFS_GSSD_AVOID_DNS="no"

On Mon, 9 Feb 2015 11:51:51 +0100, Urs Beyerle <urs.beyerle@env.ethz.ch> wrote:
> On 02/08/2015 06:30 AM, Andrei Borzenkov wrote:
>> On Sat, 07 Feb 2015 20:16:33 +0100, MarkusGMX <Markus.Egg@gmx.at> wrote:
>>> Hello,
>>>
>>> when switching on NFS to my external NAS I get messages in /var/log/messages:
>>>
>>> rpc.gssd[17127]: ERROR: No credentials found for connection to server NAS.mydom.at
>>> rpc.gssd[17127]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host NAS.mydom.at
>>>
>>> I did not turn on GSS security in yast when switching on NFS client. So why is gss turned on?
>>
>> Which NFS version are you using?
>
> Except for one NFS mount (which is NFS3), we use NFS4.

Kerberos support is mandatory for NFSv4. I do not know if it is possible to disable it, but I would not be surprised if not. Try using NFSv3 and auth=sys to avoid the attempt to contact GSS.

> All the
>
> rpc.gssd[4742]: ERROR: No credentials found for connection to server XYZ
>
> messages we get are from NFS4 mounts/servers. We have in /etc/sysconfig/nfs:
>
> USE_KERNEL_NFSD_NUMBER="4"
> NFS_SECURITY_GSS="no"
> NFS3_SERVER_SUPPORT="yes"
> NFS4_SUPPORT="yes"
> NFS_START_SERVICES="yes"
> NFS4_SERVER_MINOR_VERSION="0"
> NFS_GSSD_AVOID_DNS="no"

On Mon, 09 Feb 2015 20:05:12 +0100, buhorojo <buhorojo.lcb@gmail.com> wrote:
> On 09/02/15 19:58, Andrei Borzenkov wrote
>> Kerberos support is mandatory for NFSv4.
>
> Really?

For NFS version 4, the RPCSEC_GSS security flavor MUST be used to enable the mandatory security mechanism. Other flavors, such as, AUTH_NONE, AUTH_SYS, and AUTH_DH MAY be implemented as well.

and further

The Kerberos V5 GSS-API mechanism as described in [RFC1964] MUST be implemented and provide the following security triples.

Maybe explicitly restricting export to AUTH_SYS could help.

On 09/02/15 21:01, Andrei Borzenkov wrote:
> On Mon, 09 Feb 2015 20:05:12 +0100, buhorojo <buhorojo.lcb@gmail.com> wrote:
>> On 09/02/15 19:58, Andrei Borzenkov wrote
>>> Kerberos support is mandatory for NFSv4.
>>
>> Really?
>
> For NFS version 4, the RPCSEC_GSS security flavor MUST be used to enable the mandatory security mechanism. Other flavors, such as, AUTH_NONE, AUTH_SYS, and AUTH_DH MAY be implemented as well.
>
> and further
>
> The Kerberos V5 GSS-API mechanism as described in [RFC1964] MUST be implemented and provide the following security triples.
>
> Maybe explicitly restricting export to AUTH_SYS could help.

Maybe that was true in the early days. These days, you use it just like you always did. No need for all that fsid0 bind mounted pseudo root stuff any longer for example. You export it just like you did with nfs3. Maybe the OP should try that. Even though we're AD here, we can still mount stuff on a 13.2 client without krb.
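
A read-only check for the question this thread circles around: which RPC security flavor each NFS mount on a client actually uses, next to the NFS_SECURITY_GSS value in /etc/sysconfig/nfs. This is an added example, not code from any poster. It assumes `sec=` appears in the option field of /proc/mounts-format lines; the function names, temp files and the host files.example.org are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize the security flavors of NFS mounts alongside the
# NFS_SECURITY_GSS setting discussed in the thread. Read-only; changes nothing.

# Print the value of NFS_SECURITY_GSS from a sysconfig-style file ("unset" if absent).
gss_setting() {
    val=$(sed -n 's/^[[:space:]]*NFS_SECURITY_GSS=//p' "$1" | tail -n 1 | tr -d "\"'")
    echo "${val:-unset}"
}

# Read /proc/mounts-format lines on stdin; print "<mountpoint> <vers> <sec>"
# for every nfs/nfs4 entry. sec is "unspecified" when no sec= option is listed.
nfs_flavors() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        vers = "unknown"; sec = "unspecified"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^(nfs)?vers=/) { sub(/^(nfs)?vers=/, "", opt[i]); vers = opt[i] }
            else if (opt[i] ~ /^sec=/)   { sub(/^sec=/, "", opt[i]); sec = opt[i] }
        }
        print $2, vers, sec
    }'
}

# gss_audit SYSCONFIG MOUNTS: one-line summary of the setting vs. flavors in use.
gss_audit() {
    flavors=$(nfs_flavors < "$2")
    krb=$(printf '%s\n' "$flavors" | grep -c ' krb5[ip]*$' || true)
    sys=$(printf '%s\n' "$flavors" | grep -c ' sys$' || true)
    echo "NFS_SECURITY_GSS=$(gss_setting "$1") krb5_mounts=$krb sys_mounts=$sys"
}

# Constructed sample input: NAS.mydom.at and the sysconfig values are quoted
# from the thread; mount points, addresses and files.example.org are made up.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/nfs" <<'EOF'
USE_KERNEL_NFSD_NUMBER="4"
NFS_SECURITY_GSS="no"
NFS4_SUPPORT="yes"
EOF
cat > "$demo_dir/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
NAS.mydom.at:/export /mnt/nas nfs4 rw,relatime,vers=4.0,sec=sys,clientaddr=192.0.2.10 0 0
NAS.mydom.at:/old /mnt/old nfs rw,relatime,vers=3,sec=sys,mountproto=tcp 0 0
files.example.org:/home /home nfs4 rw,relatime,vers=4.0,sec=krb5i 0 0
EOF
nfs_flavors < "$demo_dir/mounts"
gss_audit "$demo_dir/nfs" "$demo_dir/mounts"
```

On a live client, `gss_audit /etc/sysconfig/nfs /proc/mounts` gives the same summary for the real configuration.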

participants (5)
- Andrei Borzenkov
- buhorojo
- Darin Perusich
- MarkusGMX
- Urs Beyerle