From: steve <steve@steve-ss.com>
To: whats_up@gmx.net
Cc: linux-nfs@vger.kernel.org
Subject: Re: mount hangs in NFS4+Kerberos setup
Date: Fri, 10 Feb 2012 18:17:30 +0100
Message-ID: <4F35512A.9050500@steve-ss.com>
In-Reply-To: <20120210154526.7b504146@little-poseidon>

On 02/10/2012 03:45 PM, whats_up@gmx.net wrote:
> Hi,
>
> I want to setup a file server with NFS4+Kerberos and Debian squeeze for
> clients running Ubuntu 11.10.
>
> What is already working:
> 1) Mount NFS4 on client without krb5 option works. Users are able to
> access files and uids/gids are correct. 2) KDC works. Access from
> client, get tickets, user authentication/change password through pam is
> ok.
>
> Now I want to mount with sec=krb5 but this time the command hangs and
> does not return to shell. See also logs below.
>
> Any hints to fix the issue or to get more helpful debug information are
> welcome.
>
> regards
> knut
>
>
>
>
> === server status ===
>
> Debian Linux squeeze
>
> # uname -a
> Linux tm 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686 GNU/Linux
Ubuntu 11.10
uname -r
3.0.0-15-generic
Some older kernels do not support strong keys. Try adding:

allow_weak_crypto = true

to the [libdefaults] in /etc/krb5.conf

Here it is using the machine principal with arcfour:

Kerberos: AS-REQ nfs/hh3.hh3.site@HH3.SITE from ipv4:192.168.1.3:49650
for krbtgt/HH3.SITE@HH3.SITE
Kerberos: UNKNOWN -- nfs/hh3.hh3.site@HH3.SITE: no such entry found in hdb
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:43041 for
krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:32850 for
krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- HH3$@HH3.SITE using
arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-02-10T18:00:16 starttime: unset endtime:
2012-02-11T04:00:16 renew till: 2012-02-11T18:00:15
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:41288 for
nfs/hh3.hh3.site@HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-02-10T18:00:16 starttime:
2012-02-10T18:00:16 endtime: 2012-02-11T04:00:16 renew till:
2012-02-11T18:00:15
Also it's not recommended to use the pseudo-root fsid=0 method for nfs
exports under Linux:
http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration
HTH,
Steve
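
Added example, not part of Steve's message or of any project's code: a small check over KDC log lines of the kind quoted above that reports AS exchanges where a weak enctype was selected although the client also offered a stronger one. The function names, the WEAK set and the assumption that the log format is exactly what the excerpt shows are this example's own.

```python
import re

# Enctypes this example treats as weak: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
        "arcfour-hmac-md5", "arcfour-hmac"}

# Excerpt of the KDC log quoted in the message, kept with its mail line wrapping.
SAMPLE_LOG = """\
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:32850 for
krbtgt/HH3.SITE@HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- HH3$@HH3.SITE using
arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-02-10T18:00:16 starttime: unset endtime:
2012-02-11T04:00:16 renew till: 2012-02-11T18:00:15
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
"""

AS_REQ = re.compile(r"AS-REQ (\S+) from ")
OFFER = re.compile(r"Client supported enctypes: (.+?), using ([\w-]+)/([\w-]+)")

def unwrap(text):
    """Join wrapped continuation lines onto the 'Kerberos:' record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Kerberos:"):
            records.append(line[len("Kerberos:"):].strip())
        elif line and records:
            records[-1] += " " + line
    return records

def weak_negotiations(text):
    """Return one finding per AS exchange where the KDC selected a weak enctype."""
    findings, client = [], None
    for rec in unwrap(text):
        if m := AS_REQ.match(rec):
            client = m.group(1)          # principal of the most recent AS-REQ
        elif m := OFFER.match(rec):
            offered = [e.strip() for e in m.group(1).split(",")]
            chosen = sorted({m.group(2), m.group(3)} & WEAK)
            if chosen:
                findings.append({"client": client, "chosen": chosen,
                                 "stronger_offered": [e for e in offered if e not in WEAK]})
    return findings

if __name__ == "__main__":
    for f in weak_negotiations(SAMPLE_LOG):
        print(f)
```

A finding with a non-empty stronger_offered list means the weak choice did not come from the client's offer list, so the place to look is the KDC side rather than the client's krb5.conf.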