Re: cannot mount nfsv4/krb5 with krb5 1.7, 1.8 and 1.8.1


Here you go

The server is a netapp

Thanks


On Sat, Apr 17, 2010 at 5:55 AM, Kevin Coffman <kwc@xxxxxxxxxxxxxx> wrote:
> I see that you already have "allow_weak_crypto = true".
>
> If the NFS server is Linux, debug output from rpc.svcgssd there might
> help.  If you are only changing the client (and not the server) then a
> packet trace would be helpful.
>
> On Sat, Apr 17, 2010 at 3:54 AM, Di Pe <dipeit@xxxxxxxxx> wrote:
>> Hi,
>>
>> this looks like an issue with kerberos, but not 100% sure:
>>
>> ##############
>>
>>
>> I have a working configuration for Kerberized NFSv4 using Active
>> Directory 2003 functional level using
>>  Kernel 2.6.27 with krb5 1.6.3 and gssd 1.1.3. openSUSE 11.1  When I
>> switch to openSUSE 11.2 (Kernel 2.6.31, krb5 1.70, gssd 1.1.3)
>> rpc.gssd -fvvvvv shows this error message (Failed to create machine
>> krb5 context) and gives me more errors like "gss_create_upcall for uid
>> 0 result -13" when I turn on rpc/nfs debugging using 'echo "65535" >
>> /proc/sys/sunrpc/rpc[nfs]_debug'
>>
>> handling krb5 upcall
>> Full hostname for 'COMPUTRON.MYDOMAIN.ORG' is 'computron.mydomain.org'
>> Full hostname for 'phsgrid-03.fhcrc.org' is 'phsgrid-03.mydomain.org'
>> Key table entry not found while getting keytab entry for
>> 'root/phsgrid-03.mydomain.org@xxxxxxxxxxxx'
>> Success getting keytab entry for 'nfs/phsgrid-03.mydomain.org@xxxxxxxxxxxx'
>> Successfully obtained machine credentials for principal
>> 'nfs/phsgrid-03.mydomain.org@xxxxxxxxxxxx' stored in ccache
>> 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG'
>> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
>> good until 1271522236
>> using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
>> machine creds
>> using environment variable to select krb5 ccache
>> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
>> creating context using fsuid 0 (save_uid 0)
>> creating tcp client for server COMPUTRON.MYDOMAIN.ORG
>> DEBUG: port already set to 2049
>> creating context with server nfs@xxxxxxxxxxxxxxxxxxxxxx
>> WARNING: Failed to create krb5 context for user with uid 0 for server
>> COMPUTRON.MYDOMAIN.ORG
>> WARNING: Failed to create machine krb5 context with credentials cache
>> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG for server
>> COMPUTRON.MYDOMAIN.ORG
>> WARNING: Failed to create machine krb5 context with any credentials
>> cache for server COMPUTRON.MYDOMAIN.ORG
>> doing error downcall
>>
>>
>> now when I replace krb5-1.7 with krb5-1.6.3 on openSUSE 11.2 everything
>> works again:
>>
>> handling krb5 upcall
>> Full hostname for 'computron.mydomain.org' is 'computron.mydomain.org'
>> Full hostname for 'panther5.mydomain.org' is 'panther5.mydomain.org'
>> Key table entry not found while getting keytab entry for
>> 'root/panther5.mydomain.org@xxxxxxxxxxxx'
>> Success getting keytab entry for 'nfs/panther5.mydomain.org@xxxxxxxxxxxx'
>> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
>> good until 1271518766
>> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
>> good until 1271518766
>> using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
>> machine creds
>> using environment variable to select krb5 ccache
>> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
>> creating context using fsuid 0 (save_uid 0)
>> creating tcp client for server computron.mydomain.org
>> creating context with server nfs@xxxxxxxxxxxxxxxxxxxxxx
>> DEBUG: serialize_krb5_ctx: lucid version!
>> prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
>> doing downcall
>>
>>
>> going to openSUSE11.3 (Kernel 2.6.34-rc3, gssd 1.2.1, krb5 1.8) does
>> not help either. executing
>> mount -t nfs4 -o rsize=65536,wsize=65536,sec=krb5 computron:/tmp_iscsi tmp_iscsi
>> gives me the very same error message
>>
>> after that I tried to install the rpm package of krb5 1.8.1 and also
>> 1.8.1 straight from source. I am always getting the same error message
>> "Failed to create krb5 context"
>>
>>> cat /etc/krb5.conf
>> [libdefaults]
>>        default_realm = FHCRC.ORG
>>        clockskew = 300
>>        allow_weak_crypto = true
>>        default_tkt_enctypes = des-cbc-crc
>>        default_tgs_enctypes = des-cbc-crc
>>        #default_tkt_enctypes = des-cbc-md5
>>        #default_tgs_enctypes = des-cbc-md5
>>        #default_tkt_enctypes = rc4-hmac
>>        #default_tgs_enctypes = rc4-hmac
>>        #kdc_req_checksum_type = -138
>>        #ap_req_checksum_type = -138
>>        #safe_checksum_type = -138
>>        #ccache_type = 3
>>        #pkinit_eku_checking = kpServerAuth
>>
>>>cat idmapd.conf
>> [General]
>> Verbosity = 0
>> Pipefs-Directory = /var/lib/nfs/rpc_pipefs
>> Domain = mydomain.org
>> Local-Realm = MYDOMAIN.ORG
>>
>>> klist -k -e -t
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>   3 12/31/69 16:00:00 nfs/phsgrid-03.mydomain.org@xxxxxxxxxxxx (DES
>> cbc mode with CRC-32)
>>
>>
>> Thanks for your help
>>
>