From: "J. Bruce Fields" <bfields@fieldses.org>
To: Guntsche Michael <mike-Z92qn3yYq0hWk0Htik3J/w@public.gmane.org>
Cc: linux-nfs@vger.kernel.org
Subject: Re: Kerberos authentication Problem with nfs3/4
Date: Mon, 20 Oct 2008 14:48:00 -0400
Message-ID: <20081020184800.GB25796@fieldses.org>
In-Reply-To: <23D48171-03B8-4E14-B56C-081CF004D625-Z92qn3yYq0hWk0Htik3J/w@public.gmane.org>

On Sat, Oct 18, 2008 at 02:57:08PM +0200, Guntsche Michael wrote:
> I had my kerberised NFS4 and NFS3 setup running in test mode up to the
> end of April.
> After seeing that there have been changes made to the recent code to
> make NFS3+Kerberos working without sec=sys I tried to mount my exports
> again with kerberos auth enabled.
>
> But for some reason the setup is no longer working. My KDC has not
> changed at all, and I did not change a thing in my NFS config as well.
>
> My current setup:
> Server running 2.6.27
> nfs-utils 1.1.3 from debian.

I think the blame is actually due to libnfsidmap. If you downgrade
that, does it work again?

Alternatively, it could probably also be fixed with changes to your
/etc/idmapd.conf or with the latest libnfsidmap from
git://git.linux-nfs.org/projects/kwc/libnfsidmap.git.

--b.

>
> klist -k from the server:
> =========================
>
> --- --------------------------------------------------------------------------
> 3 nfs/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org (DES cbc mode with CRC-32)
> 4 host/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org (Triple DES cbc mode with HMAC/sha1)
> 4 host/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org (DES cbc mode with CRC-32)
> 4 imap/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org (Triple DES cbc mode with HMAC/sha1)
> 4 imap/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org (DES cbc mode with CRC-32)
>
>
> For testing purposes I tried mounting the export from the server itself
> which also did not work.
>
>
> exports:
> ========
>
> /srv/nfs4 *(sec=krb5:sys,rw,async,fsid=0,insecure,crossmnt,no_subtree_check)
> /srv/nfs4/media *(sec=krb5:sys,rw,async,insecure,crossmnt,no_subtree_check)
>
>
> Mount command from the server to itself (sec=sys works):
> ========================================================
>
> mount -t nfs4 -osec=krb5 gibson:/media/ /mnt
>
>
> rpc.gssd -vv -f:
> ================
>
> beginning poll
> handling krb5 upcall
> Full hostname for 'gibson.comsick.at' is 'gibson.comsick.at'
> Full hostname for 'gibson.comsick.at' is 'gibson.comsick.at'
> Key table entry not found while getting keytab entry for 'root/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org'
> Success getting keytab entry for 'nfs/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org'
> Successfully obtained machine credentials for principal 'nfs/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org' stored in ccache 'FILE:/tmp/krb5cc_machine_COMSICK.AT'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_COMSICK.AT' are good until 1224370141
> using FILE:/tmp/krb5cc_machine_COMSICK.AT as credentials cache for machine creds
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_COMSICK.AT
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server gibson.comsick.at
> creating context with server nfs-F/bOXVQdVXiG9iZHpwcNGF6hYfS7NtTn@public.gmane.org
> WARNING: Failed to create krb5 context for user with uid 0 for server gibson.comsick.at
> WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_COMSICK.AT for server gibson.comsick.at
> WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server gibson.comsick.at
> doing error downcall
> Failed to write error downcall!
> destroying client clntbe
> destroying client clntbd
>
>
> rpc.svcgsdd -vvf:
> =================
>
> leaving poll
> handling null request
> sname = nfs/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org
> WARNING: get_ids: failed to map name 'nfs/gibson.comsick.at-tv3pJBznBAdW35wihSpRnA@public.gmane.org' to uid/gid: Invalid argument
> sending null reply
> writing message: \x
> 2147483647 131072 0 \x \x
> finished handling null request
> entering poll
>
> the mount command returns with
>
> mount.nfs4: access denied by server while mounting gibson:/media/
>
> I tried downgrading the kerberos server and also the nfs-utils version. I
> also tried it with an older kernel version (2.6.25) but the result was
> the same. All other kerberos stuff (ssh, imap) is working so I think it
> has something to do with the nfs setup here.
>
>
>
> As you can see the nfs entry is there too.
>
>
>
>
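Added example, not part of the original message and not nfs-utils code: a small triage helper that reads verbose rpc.gssd / rpc.svcgssd output of the kind quoted in this thread (including e-mail quote markers and wrapped lines) and reports which stage failed. The message patterns are copied from the quoted output; the stage names, the `triage` function and the sample principals under `EXAMPLE.TEST` are constructed for illustration.

```python
import re

# Message texts as they appear in the quoted rpc.gssd / rpc.svcgssd output.
# The stage labels on the left are names chosen for this example.
PATTERNS = [
    ("keytab_miss", re.compile(
        r"Key table entry not found while getting keytab entry for\s+'([^']+)'")),
    ("machine_creds_ok", re.compile(
        r"Successfully obtained machine credentials for principal\s+'([^']+)'")),
    ("context_failed", re.compile(
        r"WARNING: Failed to create krb5 context for user with uid (\d+)")),
    ("idmap_failed", re.compile(
        r"WARNING: get_ids: failed to map name '([^']+)'\s+to uid/gid: (.+)")),
]

def triage(log):
    """Return (verdict, ordered events) for a pasted gssd/svcgssd log."""
    text = re.sub(r"(?m)^> ?", "", log)          # drop e-mail quote markers
    events = []
    for stage, rx in PATTERNS:                   # \s+ tolerates wrapped lines
        for m in rx.finditer(text):
            events.append((m.start(), stage, m.groups()))
    events.sort()
    stages = [s for _, s, _ in events]
    if "idmap_failed" in stages:
        # Server authenticated the peer but could not map the principal to
        # a uid/gid: look at libnfsidmap and /etc/idmapd.conf, as suggested
        # in the reply above.
        verdict = "server-side name mapping (libnfsidmap / idmapd.conf)"
    elif "context_failed" in stages and "machine_creds_ok" in stages:
        verdict = "context negotiation failed after credentials were obtained"
    elif "keytab_miss" in stages and "machine_creds_ok" not in stages:
        verdict = "no usable keytab entry"
    else:
        verdict = "no known failure message"
    return verdict, [(s, g) for _, s, g in events]

# Constructed sample, modelled on the quoted output with placeholder names.
SAMPLE = """\
> Key table entry not found while getting keytab entry for
> 'root/server.example.test@EXAMPLE.TEST'
> Successfully obtained machine credentials for principal
> 'nfs/server.example.test@EXAMPLE.TEST' stored in ccache
> 'FILE:/tmp/krb5cc_machine_EXAMPLE.TEST'
> WARNING: Failed to create krb5 context for user with uid 0 for server
> server.example.test
> WARNING: get_ids: failed to map name 'nfs/server.example.test@EXAMPLE.TEST'
> to uid/gid: Invalid argument
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```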