I'm trying to do an NFSv4 user mount of a laptop (spigot, 21.10) to a server (deuce, 20.04 LTS) with Kerberos and for some reason rpc.gssd can't see my credentials cache. Note that this is 100% a client-side problem as the NFS server works fine already with a Mac client.
In my /etc/fstab on the laptop, I have the following:
deuce:/home/dorian /net/dorian nfs4 sec=krb5p,soft,user,noauto 0 0
When I try to mount that as me:
dorian@spigot:~$ mount -t nfs4 -vvvv deuce:/home/dorian
mount.nfs4: timeout set for Sat Dec 18 10:41:06 2021
mount.nfs4: trying text-based options 'sec=krb5p,soft,vers=4.2,addr=172.16.0.254,clientaddr=172.16.0.19'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting deuce:/home/dorian
rpc.gssd -f -vvv disgorges the following:
handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,3,1,2' (nfs/clnt12)
krb5_use_machine_creds: uid 0 tgtname (null)
Full hostname for 'deuce.office.srs.biz' is 'deuce.office.srs.biz'
Full hostname for 'spigot' is 'spigot'
Key table file '/etc/krb5.keytab' not found while getting keytab entry for '[email protected]'
Key table file '/etc/krb5.keytab' not found while getting keytab entry for '[email protected]'
Key table file '/etc/krb5.keytab' not found while getting keytab entry for 'root/[email protected]'
Key table file '/etc/krb5.keytab' not found while getting keytab entry for 'nfs/[email protected]'
Key table file '/etc/krb5.keytab' not found while getting keytab entry for 'host/[email protected]'
ERROR: Key table file '/etc/krb5.keytab' not found while beginning keytab scan for keytab 'FILE:/etc/krb5.keytab'
ERROR: Key table file '/etc/krb5.keytab' not found while beginning keytab scan for keytab 'FILE:/etc/krb5.keytab'
ERROR: Key table file '/etc/krb5.keytab' not found while beginning keytab scan for keytab 'FILE:/etc/krb5.keytab'
Key table file '/etc/krb5.keytab' not found while getting keytab entry for 'SPIGOT$@'
Key table file '/etc/krb5.keytab' not found while getting keytab entry for 'root/spigot@'
Key table file '/etc/krb5.keytab' not found while getting keytab entry for 'nfs/spigot@'
Key table file '/etc/krb5.keytab' not found while getting keytab entry for 'host/spigot@'
ERROR: Key table file '/etc/krb5.keytab' not found while beginning keytab scan for keytab 'FILE:/etc/krb5.keytab'
ERROR: Key table file '/etc/krb5.keytab' not found while beginning keytab scan for keytab 'FILE:/etc/krb5.keytab'
ERROR: Key table file '/etc/krb5.keytab' not found while beginning keytab scan for keytab 'FILE:/etc/krb5.keytab'
ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host deuce.office.srs.biz
ERROR: No credentials found for connection to server deuce.office.srs.biz
doing error downcall
(Mainly this is whining about the lack of a keytab; if the keytab was present, it would instead whine about there being no principals in it.)
In other words, it doesn't even try to read the Kerberos ccache. Indeed it says uid=0 which makes sense because rpc.gssd is indeed run as root. But the source of gssd_proc.c suggests it's supposed to drop to the calling user before attempting to look for the credential cache. It doesn't, however, look like it actually does this. Rather, it is supposed to get the uid from a magic file in that weird rpc_pipefs mount, and if I strace rpc.gssd -f -vvv it I can see that the value in that voodoo RPC file is mech=krb5 uid=0 service=*…, so whatever's supposed to set that to my user's uid isn't doing it.
(Worth noting that based on the source, that the attempt to use a service principal is triggered by the combination of a service= being present in that pipefs file along with uid=0.)
So my question is: what is responsible for setting the contents of that file (/run/rpc_pipefs/nfs/$CLIENT/krb5), and what incantation do I need to intone in order to make it say the right thing?
