Re: Failed to create machine krb5 context with any credentials cache for server

Hello.

Thank you Jeff.

I could run kinit and got a TGT of nfs/nfsserv.localdomain.
However, mounting failed again.


My KDC is working on the NFS server (FreeBSD 8.0).
Version is Heimdal 1.1.0.
======================================================================
nfsserv# /usr/libexec/kdc --version
kdc (Heimdal 1.1.0)
Copyright 1995-2008 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@xxxxxxx
======================================================================


When I run rpc.gssd with the -n flag, the error output of rpc.gssd and
the output of klist changed.
(But I still cannot mount.)

Output of klist on client.
======================================================================
[root@fedoravm ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/fedoravm.localdomain@NWBOOT

Valid starting     Expires            Service principal
06/21/10 09:13:18  06/22/10 09:13:18  krbtgt/NWBOOT@NWBOOT
       renew until 06/28/10 09:13:18
06/21/10 09:14:41  06/22/10 09:13:18  nfs/nfsserv.localdomain@NWBOOT
       renew until 06/28/10 09:13:18
======================================================================

Result of mount.
======================================================================
[root@fedoravm ~]# mount -v -t nfs nfsserv.localdomain:/export/work
/mnt/nfs/ -o sec=krb5,vers=3
mount.nfs: timeout set for Mon Jun 21 10:21:56 2010
mount.nfs: trying text-based options
'sec=krb5,vers=3,addr=2002:192:168:1:217:a4ff:fe20:e5f0'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 2002:192:168:1:217:a4ff:fe20:e5f0 prog 100003 vers 3
prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 2002:192:168:1:217:a4ff:fe20:e5f0 prog 100005 vers 3
prot UDP port 818
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting
nfsserv.localdomain:/export/work
======================================================================


Error output of rpc.gssd
======================================================================
creating context using fsuid 0 (save_uid 0)
creating tcp client for server nfsserv.localdomain
DEBUG: port already set to 2049
creating context with server nfs@xxxxxxxxxxxxxxxxxxx
WARNING: Failed to create krb5 context for user with uid 0 for server
nfsserv.localdomain
WARNING: Failed to create krb5 context for user with uid 0 for server
nfsserv.localdomain
doing error downcall
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt58
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt57
======================================================================

It seems that I cannot get permission to access filesystems
 as root (uid 0).
Am I missing some necessary settings?

Settings for Kerberos are as follows.

/etc/krb5.conf on server
======================================================================
nfsserv# cat /etc/krb5.conf
[libdefaults]
       default_realm = NWBOOT
[realms]
       NWBOOT = {
               kdc = nfsserv.localdomain
               admin_server = nfsserv.localdomain
               kpasswd_server = nfsserv.localdomain
       }
[domain_realm]
       nfsserv.localdomain = NWBOOT
       .nfsserv.localdomain = NWBOOT
       localdomain = NWBOOT
       .localdomain = NWBOOT
[logging]
       kdc = FILE:/var/log/krb5kdc.log
       admin_server = FILE:/var/log/kadmin.log
       default = FILE:/var/log/krb5lib.log
======================================================================

/etc/krb5.conf on client
======================================================================
[root@fedoravm ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 ccache_type = 4
 allow_weak_crypto=true

[libdefaults]
 default_realm = NWBOOT
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 NWBOOT = {
 kdc = nfsserv.localdomain
 admin_server = nfsserv.localdomain
 kpasswd_server = nfsserv.localdomain
 default_domain = localdomain
 }

[domain_realm]
 .localdomain = NWBOOT
 localdomain = NWBOOT
 .nfsserv.localdomain = NWBOOT
 nfsserv.localdomain = NWBOOT
======================================================================


Thanks.

Jeff Layton wrote:
>
> On Fri, 18 Jun 2010 07:27:18 +0900
> yagi shinnosuke <linus404@xxxxxxxxx> wrote:
>
>> Hello.
>>
>> I have been trying to set up kerberized nfsv3 server and clients over IPv6
>> network, but run into a few problems.
>>
>> When I try to mount the NFS share, an error "permission denied." occurred and
>> the mount failed.
>>
>> My server is FreeBSD8. My client is Fedora 13.
>> Without Kerberos, I can mount NFS share.
>>
>> Output of the mount command is as follows.
>> =============================================================================================
>> # mount -t nfs nfsserv.localdomain:/export/work /mnt/nfs/ -o
>> sec=krb5,vers=3 -v
>> mount.nfs: timeout set for Tue Jun 15 10:54:11 2010
>> mount.nfs: trying text-based options
>> 'sec=krb5,vers=3,addr=2002:192:168:1:217:a4ff:fe20:e5f0'
>> mount.nfs: prog 100003, trying vers=3, prot=6
>> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100003 vers 3 prot TCP
>> port 2049
>> mount.nfs: prog 100005, trying vers=3, prot=17
>> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100005 vers 3 prot UDP
>> port 818
>> mount.nfs: mount(2): Permission denied
>> mount.nfs: access denied by server while mounting
>> nfsserv.localdomain:/export/work
>> ==============================================================================================
>>
>> "nfsserv" is the hostname of the NFS server and 2001:XXXX::a4ff:fe20:e5f0 is
>> its IPv6 address.
>>
>>
>> I run rpc.gssd with -vvvvv options, and I got following warnings.
>> ==============================================================================================
>> creating context with server nfs@xxxxxxxxxxxxxxxxxxx
>> WARNING: Failed to create krb5 context for user with uid 0 for server
>> nfsserv.localdomain
>> WARNING: Failed to create machine krb5 context with credentials cache
>> FILE:/tmp/krb5cc_machine_NWBOOT for server nfsserv.localdomain
>> WARNING: Failed to create machine krb5 context with any credentials
>> cache for server nfsserv.localdomain
>> doing error downcall
>> ==============================================================================================
>>
>> It seems that rpc.gssd could not create credentials for nfsserver.
>> However, I run kinit correctly on client.
>>
>> My kinit and klist results are as follows.
>> ==============================================================================================
>> [root@fedoravm]# kinit root
>> Password for root@NWBOOT:
>> [root@fedoravm]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: root@NWBOOT
>>
>> Valid starting     Expires            Service principal
>> 06/15/10 16:53:22  06/16/10 16:53:15  krbtgt/NWBOOT@NWBOOT
>>       renew until 06/22/10 16:53:15
>> ==============================================================================================
>>
>> I read following page and added root keytab to client, but nothing changed.
>>  http://www.mail-archive.com/linux-nfs@xxxxxxxxxxxxxxx/msg01360.html
>>
>> My Client Keytab:
>> ==============================================================================================
>> [root@fedoravm]# ktutil
>> ktutil:  rkt /etc/krb5.keytab
>> ktutil:  list -e
>> slot KVNO Principal
>> ---- ----
>> ---------------------------------------------------------------------
>>  1    1          nfs/fedoravm.localdomain@NWBOOT (DES cbc mode with
>> CRC-32)
>>  2    1         root/fedoravm.localdomain@NWBOOT (DES cbc mode with
>> CRC-32)
>>  3    1         host/fedoravm.localdomain@NWBOOT (DES cbc mode with
>> CRC-32)
>> ==============================================================================================
>>
>> My Server Keytab:
>> ==============================================================================================
>> nfsserv# ktutil list
>> FILE:/etc/krb5.keytab:
>>
>> Vno  Type         Principal
>>  1  des-cbc-crc  nfs/nfsserv.localdomain@NWBOOT
>>  1  des-cbc-crc  root/nfsserv.localdomain@NWBOOT
>>  1  des-cbc-crc  host/nfsserv.localdomain@NWBOOT
>> ==============================================================================================
>>
>>
>> I have surveyed web pages to find nothing about Kerberized NFS over IPv6.
>> I'm not sure it works or not.
>> Does rpc.gssd work in an IPv6 environment?
>>
>> Can anybody give me any hints or suggestions?
>>
>
> It should work. If you run something like:
>
> # kinit -k nfs/fedoravm.localdomain
>
> ...does that get you a TGT? What kind of KDC is this?
>
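
A check one could run over the configuration posted in this message (an added example, not part of the original e-mail and not code from nfs-utils, MIT krb5 or Heimdal): it lists `[libdefaults]` relations that sit in another section of krb5.conf, where MIT krb5 does not read them, and keytab principals that hold only single-DES keys. The sample inputs are abridged from the client krb5.conf and server keytab shown in the post; the function names are hypothetical.

```python
import re

# MIT krb5 reads these relations only from [libdefaults].
LIBDEFAULTS_KEYS = {"allow_weak_crypto", "ccache_type", "permitted_enctypes"}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # single DES

# Sample inputs abridged from the client krb5.conf and server keytab above.
CLIENT_CONF = """[logging]
 default = FILE:/var/log/krb5libs.log
 ccache_type = 4
 allow_weak_crypto=true
[libdefaults]
 default_realm = NWBOOT
[realms]
 NWBOOT = {
 kdc = nfsserv.localdomain
 }
"""
SERVER_KEYTAB = """Vno  Type         Principal
 1  des-cbc-crc  nfs/nfsserv.localdomain@NWBOOT
 1  des-cbc-crc  host/nfsserv.localdomain@NWBOOT
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}, skipping nested { } sub-blocks."""
    conf, section, depth = {}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = conf.setdefault(header.group(1), {})
        elif line.endswith("{") or line == "}":
            depth += 1 if line.endswith("{") else -1
        elif "=" in line and section is not None and depth == 0:
            key, value = (part.strip() for part in line.split("=", 1))
            section[key] = value
    return conf

def misplaced_libdefaults(conf):
    """(section, key) pairs for [libdefaults] relations found elsewhere."""
    return sorted((name, key) for name, rel in conf.items()
                  if name != "libdefaults" for key in rel if key in LIBDEFAULTS_KEYS)

def des_only_principals(ktutil_list):
    """Principals in Heimdal `ktutil list` output that hold only DES keys."""
    keys = {}
    for fields in (line.split() for line in ktutil_list.splitlines()):
        if len(fields) == 3 and fields[0].isdigit():
            keys.setdefault(fields[2], set()).add(fields[1])
    return sorted(p for p, types in keys.items() if types <= WEAK_ENCTYPES)
```

On the posted files this reports `ccache_type` and `allow_weak_crypto` under `[logging]` and every server principal as DES-only.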


