I have an IPA server providing DNS, NTP and Kerberos auth to two of my lab servers. When I try to mount a Kerberised NFS share, I get this error:
mount.nfs: access denied by server while mounting
DNS, NTP stratum and user auth via Kerberos work fine; only the NFS shares are not getting mounted.
On NFS server:
[root@server5 secureshare]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/server5.example.com@EXAMPLE.COM
3 host/server5.example.com@EXAMPLE.COM
3 nfs/server5.example.com@EXAMPLE.COM
3 nfs/server5.example.com@EXAMPLE.COM
[root@server5 secureshare]# klist -l
Principal name Cache name
-------------- ----------
admin@EXAMPLE.COM KEYRING:persistent:0:0
On Client:
[root@server6 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/server6.example.com@EXAMPLE.COM
4 host/server6.example.com@EXAMPLE.COM
3 nfs/server6.example.com@EXAMPLE.COM
3 nfs/server6.example.com@EXAMPLE.COM
[root@server6 ~]# klist -l
Principal name Cache name
-------------- ----------
host/server6.example.com@EXAMP KEYRING:persistent:0:krb_ccache_9N4UHQt (Expired)
admin@EXAMPLE.COM KEYRING:persistent:0:krb_ccache_h4clFv7
[root@server6 ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*labipa.example. 139.59.50.38 3 u 56 128 177 0.316 -773.02 31.477
LOCAL(0) .LOCL. 5 l 266 64 360 0.000 0.000 0.000
On IPA server, I see these errors in krb5kdc logs for both nodes:
Mar 08 13:53:07 labipa.example.com krb5kdc[2322](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.4.151: NEEDED_PREAUTH: host/server6.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
What could possibly lead to this error? The nfs-secure service is also running on both nodes.
Best Answer
Found it: ntpd was not synced properly on the IPA server. I had to comment out a few lines:
And I had to make sure it uses the NTP pool provided by CentOS; after that the stratum on IPA changed to 2, and on my servers to 3.
And it got mounted with no issues whatsoever:
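As an added pre-flight check (example code written for this page, not from the poster or from FreeIPA): the two conditions this thread turns on, a synced clock within the KDC's permitted skew and an nfs/ principal in the server's keytab, checked from the text of `ntpq -p` and `klist -k`. The sample outputs are constructed, modelled on the question's listings; the 300 s limit is the MIT krb5 default clockskew.

```shell
#!/bin/sh
# Hypothetical pre-flight helpers for a sec=krb5 NFS mount. A KDC rejects
# requests whose clock drifts past the permitted skew (krb5 default 300 s),
# and the NFS server cannot accept a service ticket without nfs/<fqdn>.

# ntp_synced <max_offset_ms> : reads `ntpq -p` output on stdin.
# Returns 0 only when a selected system peer ('*' tally) exists with a
# usable stratum (<16) and an absolute offset below the limit.
ntp_synced() {
    awk -v max="$1" '
        # columns: remote refid st t when poll reach delay offset jitter
        substr($1, 1, 1) == "*" {
            off = $9; if (off < 0) off = -off
            if ($3 + 0 < 16 && off < max) ok = 1
        }
        END { if (ok) exit 0; exit 1 }'
}

# keytab_has_nfs_principal <fqdn> <realm> : reads `klist -k` output on stdin.
keytab_has_nfs_principal() {
    grep -q "^ *[0-9][0-9]* *nfs/$1@$2\$"
}

# Constructed sample input (no real hosts), shaped like the question's output.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*labipa.example. 139.59.50.38     3 u   56  128  177    0.316  -773.02  31.477
 LOCAL(0)        .LOCL.           5 l  266   64  360    0.000    0.000   0.000'

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server5.example.com@EXAMPLE.COM
   3 nfs/server5.example.com@EXAMPLE.COM'

# preflight: run both checks against the samples; on a real host replace the
# printf with `ntpq -p` and `klist -k` and pass the host's own FQDN/realm.
preflight() {
    printf '%s\n' "$SAMPLE_NTPQ" | ntp_synced 300000 \
        || { echo "clock not synced: fix ntpd before mounting"; return 1; }
    printf '%s\n' "$SAMPLE_KEYTAB" | keytab_has_nfs_principal server5.example.com EXAMPLE.COM \
        || { echo "no nfs/ principal in /etc/krb5.keytab"; return 2; }
    echo "ok: clock and keytab look sane for a sec=krb5 mount"
}
```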