From: steve <steve@steve-ss.com>
To: whats_up@gmx.net
Cc: linux-nfs@vger.kernel.org
Subject: Re: mount hangs in NFS4+Kerberos setup
Date: Fri, 10 Feb 2012 18:17:30 +0100
Message-ID: <4F35512A.9050500@steve-ss.com>
In-Reply-To: <20120210154526.7b504146@little-poseidon>

On 02/10/2012 03:45 PM, whats_up@gmx.net wrote:
> Hi,
>
> I want to setup a file server with NFS4+Kerberos and Debian squeeze for
> clients running Ubuntu 11.10.
>
> What is already working:
> 1) Mount NFS4 on client without krb5 option works. Users are able to
> access files and uids/gids are correct.
> 2) KDC works. Access from client, get tickets, user
> authentication/change password through pam is ok.
>
> Now I want to mount with sec=krb5 but this time the command hangs and
> does not return to shell. See also logs below.
>
> Any hints to fix the issue or to get more helpful debug information are
> welcome.
>
> regards
> knut
>
>
>
>
> === server status ===
>
> Debian Linux squeeze
>
> # uname -a
> Linux tm 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686 GNU/Linux

Ubuntu 11.10
uname -r
3.0.0-15-generic

Some older kernels do not support strong keys. Try adding:

    allow_weak_crypto = true

to the [libdefaults] in /etc/krb5.conf

Here it is using the machine principal with arcfour:

Kerberos: AS-REQ nfs/hh3.hh3.site@HH3.SITE from ipv4:192.168.1.3:49650 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: UNKNOWN -- nfs/hh3.hh3.site@HH3.SITE: no such entry found in hdb
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:43041 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:32850 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- HH3$@HH3.SITE using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-02-10T18:00:16 starttime: unset endtime: 2012-02-11T04:00:16 renew till: 2012-02-11T18:00:15
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:41288 for nfs/hh3.hh3.site@HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-02-10T18:00:16 starttime: 2012-02-10T18:00:16 endtime: 2012-02-11T04:00:16 renew till: 2012-02-11T18:00:15

Also it's not recommended to use the pseudo-root fsid=0 method for nfs
exports under Linux:
http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration

HTH,
Steve
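
Added example, not part of Steve's message or of any project's code: a small Python check over KDC log lines in the format quoted above, reporting principals the KDC did not know and AS-REQs where the client offered AES but a legacy enctype was selected. The function name audit_kdc_log and the contents of the LEGACY set are assumptions of this example.

```python
import re

# Constructed sample: lines taken from the KDC log in the message above,
# with the e-mail line wrapping undone so each event sits on one line.
SAMPLE_LOG = """\
Kerberos: AS-REQ nfs/hh3.hh3.site@HH3.SITE from ipv4:192.168.1.3:49650 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: UNKNOWN -- nfs/hh3.hh3.site@HH3.SITE: no such entry found in hdb
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:32850 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- HH3$@HH3.SITE using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
"""

# Assumption of this example: the enctypes treated as legacy.
LEGACY = {"arcfour-hmac-md5", "des3-cbc-sha1",
          "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

AS_REQ = re.compile(r"^Kerberos: AS-REQ (\S+) from (\S+) for (\S+)")
UNKNOWN = re.compile(r"^Kerberos: UNKNOWN -- (\S+): ")
ENCTYPES = re.compile(
    r"^Kerberos: Client supported enctypes: (.+), using ([^/\s]+)/(\S+)")

def audit_kdc_log(text):
    """Return one finding dict per log event that deserves a closer look."""
    findings, client = [], None
    for line in text.splitlines():
        if m := AS_REQ.match(line):
            # The enctype line names no principal, so remember the requester.
            client = m.group(1)
        elif m := UNKNOWN.match(line):
            findings.append({"principal": m.group(1),
                             "issue": "unknown-principal"})
        elif m := ENCTYPES.match(line):
            offered = [e.strip() for e in m.group(1).split(",")]
            chosen = {m.group(2), m.group(3)}   # the pair after "using"
            stronger = [e for e in offered if e not in LEGACY]
            # Flag only when something better was on offer but not picked.
            if chosen & LEGACY and stronger:
                findings.append({"principal": client,
                                 "issue": "legacy-enctype-selected",
                                 "chosen": sorted(chosen),
                                 "offered_stronger": stronger})
    return findings

if __name__ == "__main__":
    for finding in audit_kdc_log(SAMPLE_LOG):
        print(finding)
```

A legacy-enctype-selected finding where the client offered AES usually means the KDC holds no AES key for one of the principals involved, which is worth checking before relaxing the client's crypto settings.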