linux-nfs.vger.kernel.org archive mirror
From: Kevin Coffman <kwc@citi.umich.edu>
To: Di Pe <dipeit@gmail.com>
Cc: linux-nfs@vger.kernel.org
Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1
Date: Sat, 17 Apr 2010 08:55:28 -0400	[thread overview]
Message-ID: <u2x4d569c331004170555mbc4ca310pb63e0e083955fc83@mail.gmail.com> (raw)
In-Reply-To: <j2m3b6787961004170054o64f3cb47l38864ca402eb231b-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

I see that you already have "allow_weak_crypto = true".

If the NFS server is Linux, debug output from rpc.svcgssd there might
help.  If you are only changing the client (and not the server) then a
packet trace would be helpful.

On Sat, Apr 17, 2010 at 3:54 AM, Di Pe <dipeit@gmail.com> wrote:
> Hi,
>
> this looks like an issue with kerberos, but not 100% sure:
>
> ##############
>
>
> I have a working configuration for Kerberized NFSv4 using Active
> Directory 2003 functional level using
> Kernel 2.6.27 with krb5 1.6.3 and gssd 1.1.3. openSUSE 11.1. When I
> switch to openSUSE 11.2 (Kernel 2.6.31, krb5 1.70, gssd 1.1.3)
> rpc.gssd -fvvvvv shows this error message (Failed to create machine
> krb5 context) and gives me more errors like "gss_create_upcall for uid
> 0 result -13" when I turn on rpc/nfs debugging using 'echo "65535" >
> /proc/sys/sunrpc/rpc[nfs]_debug'
>
> handling krb5 upcall
> Full hostname for 'COMPUTRON.MYDOMAIN.ORG' is 'computron.mydomain.org'
> Full hostname for 'phsgrid-03.fhcrc.org' is 'phsgrid-03.mydomain.org'
> Key table entry not found while getting keytab entry for
> 'root/phsgrid-03.mydomain.org@MYDOMAIN.ORG'
> Success getting keytab entry for 'nfs/phsgrid-03.mydomain.org@MYDOMAIN.ORG'
> Successfully obtained machine credentials for principal
> 'nfs/phsgrid-03.mydomain.org@MYDOMAIN.ORG' stored in ccache
> 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
> good until 1271522236
> using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
> machine creds
> using environment variable to select krb5 ccache
> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server COMPUTRON.MYDOMAIN.ORG
> DEBUG: port already set to 2049
> creating context with server nfs@COMPUTRON.MYDOMAIN.ORG
> WARNING: Failed to create krb5 context for user with uid 0 for server
> COMPUTRON.MYDOMAIN.ORG
> WARNING: Failed to create machine krb5 context with credentials cache
> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG for server
> COMPUTRON.MYDOMAIN.ORG
> WARNING: Failed to create machine krb5 context with any credentials
> cache for server COMPUTRON.MYDOMAIN.ORG
> doing error downcall
>
>
> now when I replace krb5-1.7 with krb5-1.6.3 on openSUSE 11.2 everything
> works again:
>
> handling krb5 upcall
> Full hostname for 'computron.mydomain.org' is 'computron.mydomain.org'
> Full hostname for 'panther5.mydomain.org' is 'panther5.mydomain.org'
> Key table entry not found while getting keytab entry for
> 'root/panther5.mydomain.org@MYDOMAIN.ORG'
> Success getting keytab entry for 'nfs/panther5.mydomain.org@MYDOMAIN.ORG'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
> good until 1271518766
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
> good until 1271518766
> using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
> machine creds
> using environment variable to select krb5 ccache
> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server computron.mydomain.org
> creating context with server nfs@computron.mydomain.org
> DEBUG: serialize_krb5_ctx: lucid version!
> prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
> doing downcall
>
>
> going to openSUSE11.3 (Kernel 2.6.34-rc3, gssd 1.2.1, krb5 1.8) does
> not help either. executing
> mount -t nfs4 -o rsize=65536,wsize=65536,sec=krb5 computron:/tmp_iscsi tmp_iscsi
> gives me the very same error message
>
> after that I tried to install the rpm package of krb5 1.8.1 and also
> 1.8.1 straight from source. I am always getting the same error message
> "Failed to create krb5 context"
>
>> cat /etc/krb5.conf
> [libdefaults]
>         default_realm = FHCRC.ORG
>         clockskew = 300
>         allow_weak_crypto = true
>         default_tkt_enctypes = des-cbc-crc
>         default_tgs_enctypes = des-cbc-crc
>         #default_tkt_enctypes = des-cbc-md5
>         #default_tgs_enctypes = des-cbc-md5
>         #default_tkt_enctypes = rc4-hmac
>         #default_tgs_enctypes = rc4-hmac
>         #kdc_req_checksum_type = -138
>         #ap_req_checksum_type = -138
>         #safe_checksum_type = -138
>         #ccache_type = 3
>         #pkinit_eku_checking = kpServerAuth
>
>> cat idmapd.conf
> [General]
> Verbosity = 0
> Pipefs-Directory = /var/lib/nfs/rpc_pipefs
> Domain = mydomain.org
> Local-Realm = MYDOMAIN.ORG
>
>> klist -k -e -t
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- ----------------------------------------------------------
>    3 12/31/69 16:00:00 nfs/phsgrid-03.mydomain.org@MYDOMAIN.ORG (DES cbc mode with CRC-32)
>
>
> Thanks for your help
>
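
An audit helper added here as an example (not code from the thread, nfs-utils or MIT krb5): it parses a `klist -k -e -t` listing and the [libdefaults] section of krb5.conf in the format quoted above and reports where a host still depends on the DES enctypes that libkrb5 refuses unless allow_weak_crypto = true, which is the setting Kevin's first line points at. The sample input is constructed after the poster's listing, with the realm and principal taken from it.

```python
import re
# MIT krb5 treats these enctypes as weak; libkrb5 refuses them unless allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw"}
# klist -e prints long names; map the common ones to krb5.conf short names.
KLIST_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}
KEYTAB_LINE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")

def parse_keytab_listing(text):
    """Return {principal: set(enctypes)} from `klist -k -e -t` output."""
    keys = {}
    for m in filter(None, map(KEYTAB_LINE.match, text.splitlines())):
        keys.setdefault(m.group(1), set()).add(KLIST_NAMES.get(m.group(2), m.group(2)))
    return keys

def parse_libdefaults(text):
    """Return key/value pairs from the [libdefaults] section of a krb5.conf."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop commented-out settings
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            opts[key] = value
    return opts

def audit(krb5_conf, keytab_listing):
    """Return findings describing where this host depends on DES (weak) crypto."""
    findings, opts = [], parse_libdefaults(krb5_conf)
    if opts.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true: DES enctypes re-enabled in libkrb5")
    for opt in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = sorted(set(opts.get(opt, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{opt} pins weak enctypes: {' '.join(weak)}")
    for principal, enctypes in parse_keytab_listing(keytab_listing).items():
        if enctypes <= WEAK_ENCTYPES:
            findings.append(f"{principal}: only weak keys in keytab, re-key with AES")
    return findings

# Constructed sample input, modelled on the krb5.conf and keytab listing in the thread.
SAMPLE_CONF = ("[libdefaults]\n  allow_weak_crypto = true\n"
               "  default_tkt_enctypes = des-cbc-crc\n  #default_tgs_enctypes = rc4-hmac\n")
SAMPLE_KEYTAB = ("Keytab name: WRFILE:/etc/krb5.keytab\n"
                 "   3 12/31/69 16:00:00 nfs/phsgrid-03.mydomain.org@MYDOMAIN.ORG (DES cbc mode with CRC-32)\n")
```

Run `audit(SAMPLE_CONF, SAMPLE_KEYTAB)` against a real host's `cat /etc/krb5.conf` and `klist -k -e -t` output; an empty list means neither the config nor the keytab relies on DES.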
