From: "J. Bruce Fields" <bfields@fieldses.org>
To: Guntsche Michael <mike-Z92qn3yYq0hWk0Htik3J/w@public.gmane.org>
Cc: linux-nfs@vger.kernel.org
Subject: Re: Kerberos authentication Problem with nfs3/4
Date: Mon, 20 Oct 2008 14:48:00 -0400
Message-ID: <20081020184800.GB25796@fieldses.org>
In-Reply-To: <23D48171-03B8-4E14-B56C-081CF004D625-Z92qn3yYq0hWk0Htik3J/w@public.gmane.org>

On Sat, Oct 18, 2008 at 02:57:08PM +0200, Guntsche Michael wrote:
> I had my kerberised NFS4 and NFS3 setup running in test mode up to the
> end of April.
> After seeing that there have been changes made to the recent code to
> make NFS3+Kerberos working without sec=sys I tried to mount my exports
> again with kerberos auth enabled.
>
> But for some reason the setup is no longer working. My KDC has not
> changed at all, and I did not change a thing in my NFS config as well.
>
> My current setup:
> Server running 2.6.27
> nfs-utils 1.1.3 from Debian.

I think the blame is actually due to libnfsidmap. If you downgrade
that, does it work again?

Alternatively, it could probably also be fixed with changes to your
/etc/idmapd.conf or with the latest libnfsidmap from
git://git.linux-nfs.org/projects/kwc/libnfsidmap.git.

--b.

>
> klist -k from the server:
> =========================
>
> ---
> --------------------------------------------------------------------------
> 3 nfs/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org (DES cbc mode with CRC-32)
> 4 host/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org (Triple DES cbc mode with HMAC/
> sha1)
> 4 host/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org (DES cbc mode with CRC-32)
> 4 imap/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org (Triple DES cbc mode with HMAC/
> sha1)
> 4 imap/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org (DES cbc mode with CRC-32)
>
>
> For testing purposes I tried mounting the export from the server itself
> which also did not work.
>
>
> exports:
> ========
>
> /srv/nfs4
> *(sec=krb5:sys,rw,async,fsid=0,insecure,crossmnt,no_subtree_check)
> /srv/nfs4/media
> *(sec=krb5:sys,rw,async,insecure,crossmnt,no_subtree_check)
>
>
> Mount command from the server to itself (sec=sys works):
> ========================================================
>
> mount -t nfs4 -osec=krb5 gibson:/media/ /mnt
>
>
> rpc.gssd -vv -f:
> ================
>
> beginning poll
> handling krb5 upcall
> Full hostname for 'gibson.comsick.at' is 'gibson.comsick.at'
> Full hostname for 'gibson.comsick.at' is 'gibson.comsick.at'
> Key table entry not found while getting keytab entry for
> 'root/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org'
> Success getting keytab entry for 'nfs/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org'
> Successfully obtained machine credentials for principal
> 'nfs/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org' stored in ccache
> 'FILE:/tmp/krb5cc_machine_COMSICK.AT'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_COMSICK.AT' are good
> until 1224370141
> using FILE:/tmp/krb5cc_machine_COMSICK.AT as credentials cache for
> machine creds
> using environment variable to select krb5 ccache FILE:/tmp/
> krb5cc_machine_COMSICK.AT
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server gibson.comsick.at
> creating context with server nfs-F/bOXVQdVXiG9iZHpwcNGF6hYfS7NtTn@public.gmane.org
> WARNING: Failed to create krb5 context for user with uid 0 for server
> gibson.comsick.at
> WARNING: Failed to create krb5 context for user with uid 0 with
> credentials cache FILE:/tmp/krb5cc_machine_COMSICK.AT for server
> gibson.comsick.at
> WARNING: Failed to create krb5 context for user with uid 0 with any
> credentials cache for server gibson.comsick.at
> doing error downcall
> Failed to write error downcall!
> destroying client clntbe
> destroying client clntbd
>
>
> rpc.svcgssd -vvf:
> =================
>
> leaving poll
> handling null request
> sname = nfs/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org
> WARNING: get_ids: failed to map name 'nfs/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org'
> to uid/gid: Invalid argument
> sending null reply
> writing message: \x
> 2147483647 131072 0 \x \x
> finished handling null request
> entering poll
>
> the mount command returns with
>
> mount.nfs4: access denied by server while mounting gibson:/media/
>
> I tried downgrading the kerberos server and also the nfs-utils version. I
> also tried it with an older kernel version (2.6.25) but the result was
> the same. All other kerberos stuff (ssh, imap) is working so I think it
> has something to do with the nfs setup here.
>
>
>
> As you can see the nfs entry is there too.
>
>
>
>
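
The rpc.gssd and rpc.svcgssd output quoted in this message can be triaged mechanically. The following is an added example, not part of the original message or of nfs-utils. It classifies log lines in the quoted format to tell keytab or credential problems apart from the server-side get_ids name-mapping failure, the case where idmapd.conf and libnfsidmap are the place to look. The host, realm, event labels and function names are constructed for illustration.

```python
import re

# Constructed sample in the format of the rpc.gssd / rpc.svcgssd output quoted
# in this thread (placeholder host and realm), including wrapped lines.
SAMPLE_LOG = """\
Key table entry not found while getting keytab entry for
'root/nfs1.example.test@EXAMPLE.TEST'
Success getting keytab entry for 'nfs/nfs1.example.test@EXAMPLE.TEST'
Successfully obtained machine credentials for principal
'nfs/nfs1.example.test@EXAMPLE.TEST' stored in ccache
'FILE:/tmp/krb5cc_machine_EXAMPLE.TEST'
WARNING: Failed to create krb5 context for user with uid 0 for server
nfs1.example.test
WARNING: get_ids: failed to map name 'nfs/nfs1.example.test@EXAMPLE.TEST'
to uid/gid: Invalid argument
"""

# Event names are this example's own labels, not nfs-utils terminology.
PATTERNS = [
    ("keytab_miss", r"Key table entry not found while getting keytab entry for\s+'([^']+)'"),
    ("keytab_ok", r"Success getting keytab entry for\s+'([^']+)'"),
    ("creds_ok", r"Successfully obtained machine credentials for principal\s+'([^']+)'"),
    ("context_fail", r"Failed to create krb5 context for user with uid (\d+)"),
    ("idmap_fail", r"get_ids: failed to map name\s+'([^']+)'\s+to uid/gid"),
]

def parse_events(text):
    """Return (event, detail) pairs in log order; strips '>' quoting and rejoins wraps."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    hits = []
    for name, pattern in PATTERNS:
        for m in re.finditer(pattern, flat):
            hits.append((m.start(), name, m.group(1)))
    return [(name, detail) for _, name, detail in sorted(hits)]

def triage(text):
    """Classify the failure stage and list principals the server could not map."""
    events = parse_events(text)
    seen = {name for name, _ in events}
    unmapped = sorted({d for name, d in events if name == "idmap_fail"})
    if "idmap_fail" in seen:
        verdict = "server-side name mapping failed"
    elif "context_fail" in seen and "creds_ok" not in seen:
        verdict = "client has no usable machine credentials"
    elif "context_fail" in seen:
        verdict = "context setup failed after credentials were obtained"
    else:
        verdict = "no failure recognised"
    return verdict, unmapped

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```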