linux-nfs.vger.kernel.org archive mirror
From: Jeff Layton <jlayton@redhat.com>
To: yagi shinnosuke <linus404@gmail.com>
Cc: linux-nfs@vger.kernel.org
Subject: Re: Failed to create machine krb5 context with any credentials cache for  server
Date: Fri, 18 Jun 2010 07:24:20 -0400
Message-ID: <20100618072420.618d7130@corrin.poochiereds.net>
In-Reply-To: <AANLkTilsxbQrLAEwypOGgL72ePRNM7v5lm4H56HtrhGR-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

On Fri, 18 Jun 2010 07:27:18 +0900
yagi shinnosuke <linus404@gmail.com> wrote:

> Hello.
> 
> I have been trying to set up kerberized nfsv3 server and clients over IPv6
> network, but run into a few problems.
> 
> When I try to mount NFS share, an error "permission denied." occurred and
> failed to mount.
> 
> My server is FreeBSD8. My client is Fedora 13.
> Without Kerberos, I can mount NFS share.
> 
> Output of the mount command is as follows:
> =============================================================================================
> # mount -t nfs nfsserv.localdomain:/export/work /mnt/nfs/ -o
> sec=krb5,vers=3 -v
> mount.nfs: timeout set for Tue Jun 15 10:54:11 2010
> mount.nfs: trying text-based options
> 'sec=krb5,vers=3,addr=2002:192:168:1:217:a4ff:fe20:e5f0'
> mount.nfs: prog 100003, trying vers=3, prot=6
> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100003 vers 3 prot TCP
> port 2049
> mount.nfs: prog 100005, trying vers=3, prot=17
> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100005 vers 3 prot UDP
> port 818
> mount.nfs: mount(2): Permission denied
> mount.nfs: access denied by server while mounting
> nfsserv.localdomain:/export/work
> ==============================================================================================
> 
> "nfsserv" is the hostname of the NFS server and 2001:XXXX::a4ff:fe20:e5f0 is
> its IPv6 address.
> 
> 
> I run rpc.gssd with -vvvvv options, and I got following warnings.
> ==============================================================================================
> creating context with server nfs-m9Topm0561QB9AHHLWeGtNQXobZC6xk2@public.gmane.org
> WARNING: Failed to create krb5 context for user with uid 0 for server
> nfsserv.localdomain
> WARNING: Failed to create machine krb5 context with credentials cache
> FILE:/tmp/krb5cc_machine_NWBOOT for server nfsserv.localdomain
> WARNING: Failed to create machine krb5 context with any credentials
> cache for server nfsserv.localdomain
> doing error downcall
> ==============================================================================================
> 
> It seems that rpc.gssd could not create credentials for nfsserver.
> However, I run kinit correctly on client.
> 
> My kinit and klist results are as follows.
> ==============================================================================================
> [root@fedoravm]# kinit root
> Password for root@NWBOOT:
> [root@fedoravm]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root@NWBOOT
> 
> Valid starting     Expires            Service principal
> 06/15/10 16:53:22  06/16/10 16:53:15  krbtgt/NWBOOT@NWBOOT
>        renew until 06/22/10 16:53:15
> ==============================================================================================
> 
> I read following page and added root keytab to client, but nothing changed.
>  http://www.mail-archive.com/linux-nfs@vger.kernel.org/msg01360.html
> 
> My Client Keytab:
> ==============================================================================================
> [root@fedoravm]# ktutil
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  list -e
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>   1    1          nfs/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)
>   2    1         root/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)
>   3    1         host/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)
> ==============================================================================================
> 
> My Server Keytab:
> ==============================================================================================
> nfsserv# ktutil list
> FILE:/etc/krb5.keytab:
> 
> Vno  Type         Principal
>  1  des-cbc-crc  nfs/nfsserv.localdomain@NWBOOT
>  1  des-cbc-crc  root/nfsserv.localdomain@NWBOOT
>  1  des-cbc-crc  host/nfsserv.localdomain@NWBOOT
> ==============================================================================================
> 
> 
> I have surveyed web pages to find nothing about Kerberized NFS over IPv6.
> I'm not sure it works or not.
> Does rpc.gssd work in an IPv6 environment?
> 
> Can anybody give me any hints or suggestions?
> 

It should work. If you run something like:

# kinit -k nfs/fedoravm.localdomain

...does that get you a TGT? What kind of KDC is this?

-- 
Jeff Layton <jlayton@redhat.com>
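
The `kinit -k` check suggested in the reply, extended to every principal in a keytab, as an added example that is not part of the original message. It assumes the MIT Kerberos client tools (`klist -k -e`, `kinit -k -t -c`); the function names and the embedded sample are constructed for illustration.

```shell
# Constructed sample in "klist -k -e" layout, mirroring the client keytab above.
SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)
   1 root/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)
   1 host/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)'

# stdin: "klist -k -e" output; stdout: one "principal<TAB>enctype" line per key.
parse_keytab() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ {
        e = "unknown"
        if (match($0, /\(.*\)/)) e = substr($0, RSTART + 1, RLENGTH - 2)
        print $2 "\t" e
    }'
}

# True for single-DES enctypes, under the long or short name klist may print.
is_single_des() {
    case "$1" in "DES cbc mode"*|des-cbc-*) return 0 ;; esac
    return 1
}

# The check from the reply: can this keytab entry obtain a TGT on its own?
# A throwaway ccache keeps the tickets in /tmp/krb5cc_0 untouched.
try_keytab_tgt() {  # $1 = keytab path, $2 = principal
    d=$(mktemp -d) || return 2
    if kinit -k -t "$1" -c "FILE:$d/cc" "$2" </dev/null; then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

# stdin: klist output; $1 = keytab path; $2 = "live" to contact the KDC.
report() {
    tab=$(printf '\t')
    parse_keytab | while IFS=$tab read -r princ etype; do
        note=""; if is_single_des "$etype"; then note=" [single-DES key]"; fi
        result="not tested"
        if [ "${2:-}" = live ]; then
            if try_keytab_tgt "$1" "$princ"; then result="TGT obtained"; else result="kinit -k FAILED"; fi
        fi
        echo "$princ ($etype)$note: $result"
    done
}

# With a keytab path argument, test it for real; otherwise just parse the sample.
if [ -n "${1:-}" ]; then klist -k -e "$1" | report "$1" live
else printf '%s\n' "$SAMPLE" | report sample; fi
```

Run as root with `/etc/krb5.keytab` as the argument to test the machine keytab against the KDC; a principal that fails here will also fail when rpc.gssd tries to build the machine credentials cache from it.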
