Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

On Sat, 17 Apr 2010 00:54:38 -0700
Di Pe <dipeit@xxxxxxxxx> wrote:

> Hi,
> 
> this looks like an issue with kerberos, but not 100% sure:
> 
> ##############
> 
> 
> I have a working configuration for Kerberized NFSv4 using Active
> Directory 2003 functional level using
>  Kernel 2.6.27 with krb5 1.6.3 and gssd 1.1.3. openSUSE 11.1  When I
> switch to openSUSE 11.2 (Kernel 2.6.31, krb5 1.70, gssd 1.1.3)
> rpc.gssd -fvvvvv shows this error message (Failed to create machine
> krb5 context) and gives me more errors like "gss_create_upcall for uid
> 0 result -13" when I turn on rpc/nfs debugging using 'echo "65535" >
> /proc/sys/sunrpc/rpc[nfs]_debug'
> 
> handling krb5 upcall
> Full hostname for 'COMPUTRON.MYDOMAIN.ORG' is 'computron.mydomain.org'
> Full hostname for 'phsgrid-03.fhcrc.org' is 'phsgrid-03.mydomain.org'
> Key table entry not found while getting keytab entry for
> 'root/phsgrid-03.mydomain.org@xxxxxxxxxxxx'
> Success getting keytab entry for 'nfs/phsgrid-03.mydomain.org@xxxxxxxxxxxx'
> Successfully obtained machine credentials for principal
> 'nfs/phsgrid-03.mydomain.org@xxxxxxxxxxxx' stored in ccache
> 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
> good until 1271522236
> using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
> machine creds
> using environment variable to select krb5 ccache
> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server COMPUTRON.MYDOMAIN.ORG
> DEBUG: port already set to 2049
> creating context with server nfs@xxxxxxxxxxxxxxxxxxxxxx
> WARNING: Failed to create krb5 context for user with uid 0 for server
> COMPUTRON.MYDOMAIN.ORG
> WARNING: Failed to create machine krb5 context with credentials cache
> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG for server
> COMPUTRON.MYDOMAIN.ORG
> WARNING: Failed to create machine krb5 context with any credentials
> cache for server COMPUTRON.MYDOMAIN.ORG
> doing error downcall
> 
> 
> now when I replace krb5-1.7 with krb5-1.6.3 on openSUSE 11.2 everything
> works again:
> 
> handling krb5 upcall
> Full hostname for 'computron.mydomain.org' is 'computron.mydomain.org'
> Full hostname for 'panther5.mydomain.org' is 'panther5.mydomain.org'
> Key table entry not found while getting keytab entry for
> 'root/panther5.mydomain.org@xxxxxxxxxxxx'
> Success getting keytab entry for 'nfs/panther5.mydomain.org@xxxxxxxxxxxx'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
> good until 1271518766
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
> good until 1271518766
> using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
> machine creds
> using environment variable to select krb5 ccache
> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server computron.mydomain.org
> creating context with server nfs@xxxxxxxxxxxxxxxxxxxxxx
> DEBUG: serialize_krb5_ctx: lucid version!
> prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
> doing downcall
> 
> 
> going to openSUSE 11.3 (Kernel 2.6.34-rc3, gssd 1.2.1, krb5 1.8) does
> not help either. executing
> mount -t nfs4 -o rsize=65536,wsize=65536,sec=krb5 computron:/tmp_iscsi tmp_iscsi
> gives me the very same error message
> 
> after that I tried to install the rpm package of krb5 1.8.1 and also
> 1.8.1 straight from source. I am always getting the same error message
> "Failed to create krb5 context"
> 
> > cat /etc/krb5.conf
> [libdefaults]
>        default_realm = FHCRC.ORG
>        clockskew = 300
>        allow_weak_crypto = true
>        default_tkt_enctypes = des-cbc-crc
>        default_tgs_enctypes = des-cbc-crc
>        #default_tkt_enctypes = des-cbc-md5
>        #default_tgs_enctypes = des-cbc-md5
>        #default_tkt_enctypes = rc4-hmac
>        #default_tgs_enctypes = rc4-hmac
>        #kdc_req_checksum_type = -138
>        #ap_req_checksum_type = -138
>        #safe_checksum_type = -138
>        #ccache_type = 3
>        #pkinit_eku_checking = kpServerAuth
> 
> >cat idmapd.conf
> [General]
> Verbosity = 0
> Pipefs-Directory = /var/lib/nfs/rpc_pipefs
> Domain = mydomain.org
> Local-Realm = MYDOMAIN.ORG
> 
> > klist -k -e -t
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>   3 12/31/69 16:00:00 nfs/phsgrid-03.mydomain.org@xxxxxxxxxxxx (DES
> cbc mode with CRC-32)
> 
> 
> Thanks for your help

Is the new nfs-utils compiled against libtirpc and the old one not? If
so, the problem may be that libtirpc wasn't allowing large enough
tickets (AD tickets can be pretty large due to the presence of the PAC).

Recent libtirpc has a patch which seems to fix this problem:

    [PATCH] libtirpc: allow larger ticket sizes with RPCSEC_GSS

-- 
Jeff Layton <jlayton@xxxxxxxxxx>
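A check prompted by the klist -k -e -t output in the original post, added here as an example and not code from the thread, from nfs-utils or from MIT krb5: a parser for the MIT v2 keytab format (the file behind that klist output) that lists each entry's principal, kvno and enctype and flags the single-DES enctypes that MIT krb5 1.8 and later refuse unless allow_weak_crypto = true. The poster's krb5.conf already sets that option, so this is a separate concern from the libtirpc ticket-size point in the reply; it is still the first thing to rule out when a keytab holds only a DES-CBC-CRC key. The keytab bytes are constructed in memory to match the poster's single entry (nfs/phsgrid-03.mydomain.org, kvno 3, des-cbc-crc, timestamp 0) with a dummy key; the realm MYDOMAIN.ORG is assumed because the address in the post is masked, and the deleted slot and the AES-256 entry for panther5 are added for contrast. All function names are my own.

```python
"""Parse an MIT krb5 v2 keytab and flag weak enctypes.
Added example for this thread; the keytab below is constructed in memory,
not the poster's /etc/krb5.keytab."""
import struct
from dataclasses import dataclass

# RFC 3961/3962 enctype numbers. MIT krb5 >= 1.8 rejects the single-DES
# enctypes (and arcfour-hmac-exp) unless allow_weak_crypto = true.
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 24: "arcfour-hmac-exp"}
ENCTYPE_NAMES = dict(WEAK_ENCTYPES)
ENCTYPE_NAMES.update({16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                      18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"})


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int
    key: bytes

    @property
    def weak(self) -> bool:
        return self.enctype in WEAK_ENCTYPES


def _counted(buf: bytes, off: int):
    """counted_octet_string: uint16 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes):
    """Walk the v2 (0x0502) keytab layout: int32 entry size, uint16 component
    count, realm, components, uint32 name type, uint32 timestamp, uint8 vno,
    uint16 enctype, key, optional uint32 kvno extension."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                    # negative size = deleted slot (kadmin ktremove)
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:              # 32-bit kvno extension overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, ts, key))
    return entries


def _ctd(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Serialize one v2 keytab entry (used only to construct the sample)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _ctd(realm.encode())
    body += b"".join(_ctd(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)     # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", enctype) + _ctd(key)
    body += struct.pack(">I", kvno)                     # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


# Constructed sample: the poster's single DES-CBC-CRC entry (kvno 3, timestamp 0,
# which klist renders as 12/31/69 16:00:00 in US Pacific), a deleted slot, and an
# AES-256 entry for a second host for contrast. Key bytes are dummies.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("nfs/phsgrid-03.mydomain.org@MYDOMAIN.ORG", 3, 1, bytes(range(8)))
    + struct.pack(">i", -4) + b"\x00" * 4
    + build_entry("nfs/panther5.mydomain.org@MYDOMAIN.ORG", 5, 18, bytes(range(32)))
)


def audit_keytab(data: bytes):
    """One finding per weak key, plus one per principal that has no non-weak key."""
    by_princ = {}
    for e in parse_keytab(data):
        by_princ.setdefault(e.principal, []).append(e)
    findings = []
    for p, es in by_princ.items():
        weak = [e for e in es if e.weak]
        if not weak:
            continue
        for e in weak:
            findings.append(f"{p}: kvno {e.kvno} uses weak enctype "
                            f"{ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
        if all(e.weak for e in es):
            findings.append(f"{p}: no non-weak key; krb5 >= 1.8 needs allow_weak_crypto = true")
    return findings


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e.kvno:4d} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})")
    for f in audit_keytab(data):
        print("WARN:", f)
```

Run it as root with /etc/krb5.keytab as the argument to audit a real keytab; with no argument it runs over the constructed sample. Note that the parser reads the key bytes only to honour the entry layout; it never prints them.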