[lustre-discuss] Error while Mounting Lustre client with Kerberos

Neeraj Gawali neeraj.gawali at zohocorp.com
Mon Aug 12 23:44:48 PDT 2024 

Hi,



Aurélien we have tried much of this but may be we are somewhat lacking in the flow of commands and encountering errors but these is very much required for our testing deployment purpose if possible it will be very helpful if we have short  screen share call if time permits to get the right flow for our configuration.



Regards,

Neeraj




---- On Mon, 12 Aug 2024 13:45:28 +0530 Neeraj Gawali <neeraj.gawali at zohocorp.com> wrote ---



Hi,



"I apologize for repeating myself earlier. My intent was different. I've followed your instructions carefully this time.(earlier it was not loaded and there were some missing steps but this time i have followed the flow from your source only.)



I've attached the journal output(attached logs.txt), krb5 configuration file, and lsvcg parameters. Could you please review them and suggest necessary configuration changes?"







Regards,

Neeraj











---- On Mon, 12 Aug 2024 13:13:00 +0530 Aurelien Degremont <mailto:adegremont at nvidia.com> wrote ---













> Is this mandatory for kerberos to work



Neerak, I can try to help you, but if you don't read the e-mail I send, it will be useless.



>From my latest e-mail:

>It is mandatory this service is running properly for all the other steps to work.

>Look at the detailed logs to see why this service is not running. Try running it in verbose mode if needed.



So, yes, the service is mandatory on server side, and if it is not running, the first thing is the check for its logs. Please do that.



Aurélien




De : Neeraj Gawali <mailto:neeraj.gawali at zohocorp.com>
 Envoyé : lundi 12 août 2024 08:38
 À : Aurelien Degremont <mailto:adegremont at nvidia.com>
 Cc : Sushrut Bhokre <mailto:sushrut.bs at zohocorp.com>; lustre-discuss <mailto:lustre-discuss at lists.lustre.org>
 Objet : RE: [lustre-discuss] Error while Mounting Lustre client with Kerberos  


External email: Use caution opening links or attachments





Hi,

We have configured lustre storage with the below command

./configure
 --with-zfs --with-o2ib=no --disable-ldiskfs --enable-gss --with-krb5=/usr --enable-crypto=yes

And everything is configured as client also get connected but when we are trying to check the status of lvscgssd it is not starting(sudo systemctl status lsvcgssd).

Is this mandatory for kerberos to work.




Regards
Neeraj,







---- On Thu, 08 Aug 2024 11:06:46 +0530 Neeraj Gawali <mailto:neeraj.gawali at zohocorp.com> wrote ---



Hi,

We actually followed the flow of commands according to the document attached below.

Can you suggest what may be the changes or chance of error that may not  lead to the proper configuration .





---- On Tue, 06 Aug 2024 20:26:32 +0530 Aurelien Degremont <mailto:adegremont at nvidia.com> wrote ---









>And lsvcgssd.services are not running.



It is mandatory this service is running properly for all the other steps to work.

Look at the detailed logs to see why this service is not running. Try running it in verbose mode if needed.



Did you create and deploy the proper keytabs? Verify the 'klist -k' output is correct on each Lustre servers and lustre client.



Then:

Start your lustre servers


Configure the lustre target gss flavor (some lctl commands)


Then mount the client.





See https://doc.lustre.org/lustre_manual.xhtml#managingSecurity.kerberos



Aurélien






De : Sushrut Bhokre <mailto:sushrut.bs at zohocorp.com>
 Envoyé : mardi 6 août 2024 13:33
 À : Aurelien Degremont <mailto:adegremont at nvidia.com>
 Cc : lustre-discuss <mailto:lustre-discuss at lists.lustre.org>; Neeraj Gawali <mailto:neeraj.gawali at zohocorp.com>
 Objet : RE: [lustre-discuss] Error while Mounting Lustre client with Kerberos  


External email: Use caution opening links or attachments





Hi,



We are using Lustre 2.15.5 version.



Our setup is like we want to to use Kerberos With Lustre so we build Lustre from git clone git://http://git.whamcloud.com/fs/lustre-release.git using
 the following ./configure steup with some flagsbelow is the command.

./configure --with-zfs --with-o2ib=no --disable-ldiskfs --enable-gss

and Lustre Clint is configured with the following ./configure step below

./configure --enable-gss --disable-server --enable-client --with-linux=/usr/src/kernels/$(uname -r)

This command because we want Lustre with ZFS  and with Kerberos. Can you Please tell are we correct up till now?



KDC Server:

We have tried to set kdc on a dedicated node and it is functional.





Lustre Storage Server:

Replicated same krb5.conf file from KDC server. but when we are trying to start 

configure it with lustre client but there is a issue in mounting of lustre with kerberos (attached below).
 And lsvcgssd.services are not running.
      


Same goes for client too and we are also not able to mount with kerberos. (Can you also tell is our mount step is correct or not)

mount -t lustre -o mgsnode=192.168.10.25 at tcp,flock,krb5i lustre:/mnt/lustre /mnt/lustre





Regards,

Sushrut Bhokre










---- On Tue, 06 Aug 2024 13:08:51 +0530 Aurelien Degremont <mailto:adegremont at nvidia.com> wrote ---



Hi



In order to help you, it would be great if you give way more detail of your current setup. What is your configuration, component versions, what is your Lustre error message, etc...

How does your ticket look like?



Additionally, there were lots of improvements in Lustre Kerberos support during 2.16 cycle and I would recommend targeting that version (not released yet) for a production deployment. However, testing should still be doable with 2.15. 



Aurélien






De : lustre-discuss <mailto:lustre-discuss-bounces at lists.lustre.org>
 de la part de Neeraj Gawali via lustre-discuss <mailto:lustre-discuss at lists.lustre.org>
 Envoyé : mardi 6 août 2024 07:26
 À : lustre-discuss <mailto:lustre-discuss at lists.lustre.org>
 Cc : Sushrut Bhokre <mailto:sushrut.bs at zohocorp.com>
 Objet : [lustre-discuss] Error while Mounting Lustre client with Kerberos
 


External email: Use caution opening links or attachments







Hii,



Tried configuring kerberos over lustre(built by gss enabled through gitclone repository) but at last while mounting lustre with kerberos there is a issue of keytab file not found.Can anyone
 please look into it for the support if the issue is present.
 
 Kereberos configuration(https://wiki.opensfs.org/images/8/8c/Kerberos_setup_guide.pdf)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lustre.org/pipermail/lustre-discuss-lustre.org/attachments/20240813/c8a7397e/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.png
Type: image/png
Size: 58889 bytes
Desc: not available
URL: <http://lists.lustre.org/pipermail/lustre-discuss-lustre.org/attachments/20240813/c8a7397e/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.png
Type: image/png
Size: 26616 bytes
Desc: not available
URL: <http://lists.lustre.org/pipermail/lustre-discuss-lustre.org/attachments/20240813/c8a7397e/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 3.jpg
Type: image/jpeg
Size: 172449 bytes
Desc: not available
URL: <http://lists.lustre.org/pipermail/lustre-discuss-lustre.org/attachments/20240813/c8a7397e/attachment-0002.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 4.jpg
Type: image/jpeg
Size: 61343 bytes
Desc: not available
URL: <http://lists.lustre.org/pipermail/lustre-discuss-lustre.org/attachments/20240813/c8a7397e/attachment-0003.jpg>

More information about the lustre-discuss mailing list