I don't think that gssd works with Heimdal.

-->Andy

On Tue, Jun 22, 2010 at 10:36 AM, yagi shinnosuke <linus404@xxxxxxxxx> wrote:
> Hello.
>
> Thank you Jeff.
>
> I could run kinit and got TGT of nfs/nfsserv.localdomain
> However, mounting failed again.
>
>
> My KDC working on NFS server (FreeBSD 8.0).
> Version is Heimdal 1.1.0.
> ======================================================================
> nfsserv# /usr/libexec/kdc --version
> kdc (Heimdal 1.1.0)
> Copyright 1995-2008 Kungliga Tekniska Högskolan
> Send bug-reports to heimdal-bugs@xxxxxxx
> ======================================================================
>
>
> When I run rpc.gssd with -n flag, error output of rpc.gssd and
> output of klist changed.
> (but I cannot mount yet.)
>
> Output of klist on client.
> ======================================================================
> [root@fedoravm ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfs/fedoravm.localdomain@NWBOOT
>
> Valid starting     Expires            Service principal
> 06/21/10 09:13:18  06/22/10 09:13:18  krbtgt/NWBOOT@NWBOOT
>         renew until 06/28/10 09:13:18
> 06/21/10 09:14:41  06/22/10 09:13:18  nfs/nfsserv.localdomain@NWBOOT
>         renew until 06/28/10 09:13:18
> ======================================================================
>
> Result of mount.
> ======================================================================
> [root@fedoravm ~]# mount -v -t nfs nfsserv.localdomain:/export/work /mnt/nfs/ -o sec=krb5,vers=3
> mount.nfs: timeout set for Mon Jun 21 10:21:56 2010
> mount.nfs: trying text-based options 'sec=krb5,vers=3,addr=2002:192:168:1:217:a4ff:fe20:e5f0'
> mount.nfs: prog 100003, trying vers=3, prot=6
> mount.nfs: trying 2002:192:168:1:217:a4ff:fe20:e5f0 prog 100003 vers 3 prot TCP port 2049
> mount.nfs: prog 100005, trying vers=3, prot=17
> mount.nfs: trying 2002:192:168:1:217:a4ff:fe20:e5f0 prog 100005 vers 3 prot UDP port 818
> mount.nfs: mount(2): Permission denied
> mount.nfs: access denied by server while mounting nfsserv.localdomain:/export/work
> ======================================================================
>
>
> Error output of rpc.gssd
> ======================================================================
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server nfsserv.localdomain
> DEBUG: port already set to 2049
> creating context with server nfs@xxxxxxxxxxxxxxxxxxx
> WARNING: Failed to create krb5 context for user with uid 0 for server nfsserv.localdomain
> WARNING: Failed to create krb5 context for user with uid 0 for server nfsserv.localdomain
> doing error downcall
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt58
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt57
> ======================================================================
>
> It seems that I cannot get permission to access filesystems
> by root (uid 0).
> Do I miss some necessary settings?
>
> Settings for Kerberos are as follows.
>
> /etc/krb5.conf on server
> ======================================================================
> nfsserv# cat /etc/krb5.conf
> [libdefaults]
>     default_realm = NWBOOT
> [realms]
>     NWBOOT = {
>         kdc = nfsserv.localdomain
>         admin_server = nfsserv.localdomain
>         kpasswd_server = nfsserv.localdomain
>     }
> [domain_realm]
>     nfsserv.localdomain = NWBOOT
>     .nfsserv.localdomain = NWBOOT
>     localdomain = NWBOOT
>     .localdomain = NWBOOT
> [logging]
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmin.log
>     default = FILE:/var/log/krb5lib.log
> ======================================================================
>
> /etc/krb5.conf on client
> ======================================================================
> [root@fedoravm ~]# cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  ccache_type = 4
>  allow_weak_crypto=true
>
> [libdefaults]
>  default_realm = NWBOOT
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>
> [realms]
>  NWBOOT = {
>   kdc = nfsserv.localdomain
>   admin_server = nfsserv.localdomain
>   kpasswd_server = nfsserv.localdomain
>   default_domain = localdomain
>  }
>
> [domain_realm]
>  .localdomain = NWBOOT
>  localdomain = NWBOOT
>  .nfsserv.localdomain = NWBOOT
>  nfsserv.localdomain = NWBOOT
> ======================================================================
>
>
> Thanks.
>
> Jeff Layton wrote:
>>
>> On Fri, 18 Jun 2010 07:27:18 +0900
>> yagi shinnosuke <linus404@xxxxxxxxx> wrote:
>>
>>> Hello.
>>>
>>> I have been trying to set up kerberized nfsv3 server and clients over IPv6
>>> network, but run into a few problems.
>>>
>>> When I try to mount NFS share, an error "permission denied." occurred and
>>> failed to mount.
>>>
>>> My server is FreeBSD8. My client is Fedora 13.
>>> Without Kerberos, I can mount NFS share.
>>>
>>> Output of mount command is as follows
>>> =============================================================================================
>>> # mount -t nfs nfsserv.localdomain:/export/work /mnt/nfs/ -o sec=krb5,vers=3 -v
>>> mount.nfs: timeout set for Tue Jun 15 10:54:11 2010
>>> mount.nfs: trying text-based options 'sec=krb5,vers=3,addr=2002:192:168:1:217:a4ff:fe20:e5f0'
>>> mount.nfs: prog 100003, trying vers=3, prot=6
>>> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100003 vers 3 prot TCP port 2049
>>> mount.nfs: prog 100005, trying vers=3, prot=17
>>> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100005 vers 3 prot UDP port 818
>>> mount.nfs: mount(2): Permission denied
>>> mount.nfs: access denied by server while mounting nfsserv.localdomain:/export/work
>>> ==============================================================================================
>>>
>>> "nfsserv" is the hostname of the NFS server and 2001:XXXX::a4ff:fe20:e5f0 is
>>> its IPv6 address.
>>>
>>>
>>> I run rpc.gssd with -vvvvv options, and I got following warnings.
>>> ==============================================================================================
>>> creating context with server nfs@xxxxxxxxxxxxxxxxxxx
>>> WARNING: Failed to create krb5 context for user with uid 0 for server nfsserv.localdomain
>>> WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_NWBOOT for server nfsserv.localdomain
>>> WARNING: Failed to create machine krb5 context with any credentials cache for server nfsserv.localdomain
>>> doing error downcall
>>> ==============================================================================================
>>>
>>> It seems that rpc.gssd could not create credentials for nfsserver.
>>> However, I run kinit correctly on client.
>>>
>>> My kinit and klist results are as follows.
>>> ==============================================================================================
>>> [root@fedoravm]# kinit root
>>> Password for root@NWBOOT:
>>> [root@fedoravm]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: root@NWBOOT
>>>
>>> Valid starting     Expires            Service principal
>>> 06/15/10 16:53:22  06/16/10 16:53:15  krbtgt/NWBOOT@NWBOOT
>>>         renew until 06/22/10 16:53:15
>>> ==============================================================================================
>>>
>>> I read following page and added root keytab to client, but nothing changed.
>>> http://www.mail-archive.com/linux-nfs@xxxxxxxxxxxxxxx/msg01360.html
>>>
>>> My Client Keytab:
>>> ==============================================================================================
>>> [root@fedoravm]# ktutil
>>> ktutil: rkt /etc/krb5.keytab
>>> ktutil: list -e
>>> slot KVNO Principal
>>> ---- ---- ---------------------------------------------------------------------
>>>    1    1 nfs/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)
>>>    2    1 root/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)
>>>    3    1 host/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)
>>> ==============================================================================================
>>>
>>> My Server Keytab:
>>> ==============================================================================================
>>> nfsserv# ktutil list
>>> FILE:/etc/krb5.keytab:
>>>
>>> Vno  Type         Principal
>>>   1  des-cbc-crc  nfs/nfsserv.localdomain@NWBOOT
>>>   1  des-cbc-crc  root/nfsserv.localdomain@NWBOOT
>>>   1  des-cbc-crc  host/nfsserv.localdomain@NWBOOT
>>> ==============================================================================================
>>>
>>>
>>> I have surveyed web pages to find nothing about Kerberized NFS over IPv6.
>>> I'm not sure it works or not.
>>> Does rpc.gssd work on IPv6 environment?
>>>
>>> Can anybody give me any hints or suggestions?
>>>
>>
>> It should work. If you run something like:
>>
>> # kinit -k nfs/fedoravm.localdomain
>>
>> ...does that get you a TGT? What kind of KDC is this?
>>
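Added example (not part of the thread or of any poster's message): the client krb5.conf quoted above lists ccache_type and allow_weak_crypto under [logging], while MIT krb5 reads both from [libdefaults], and every keytab entry shown is single-DES. The Python sketch below flags such misplaced relations; the function names and the embedded sample (abridged from the quoted client file) are constructed for illustration.

```python
import re

# Relations MIT krb5 looks up in [libdefaults] (subset relevant to this thread).
LIBDEFAULTS_ONLY = {"allow_weak_crypto", "ccache_type", "default_realm",
                    "dns_lookup_kdc", "dns_lookup_realm", "permitted_enctypes"}
TRUE_VALUES = {"y", "yes", "t", "true", "1", "on"}

# Constructed sample: abridged copy of the client /etc/krb5.conf quoted above.
CLIENT_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
 ccache_type = 4
 allow_weak_crypto=true

[libdefaults]
 default_realm = NWBOOT

[realms]
 NWBOOT = {
  kdc = nfsserv.localdomain
 }
"""

def relations(text):
    """Yield (lineno, section, key, value) for top-level relations only."""
    section, depth = None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = header.group(1)
        elif line == "}":
            depth = max(depth - 1, 0)       # end of a realm sub-block
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                depth += 1                  # start of a sub-block
            elif depth == 0:
                yield lineno, section, key, value

def misplaced_libdefaults(text):
    """Relations that belong in [libdefaults] but sit in another section."""
    return [(n, s, k) for n, s, k, _ in relations(text)
            if k in LIBDEFAULTS_ONLY and s != "libdefaults"]

def weak_crypto_enabled(text):
    """True only if allow_weak_crypto is set to a true value in [libdefaults]."""
    return any(s == "libdefaults" and k == "allow_weak_crypto"
               and v.lower() in TRUE_VALUES for _, s, k, v in relations(text))

if __name__ == "__main__":
    for n, s, k in misplaced_libdefaults(CLIENT_CONF):
        print(f"line {n}: '{k}' is under [{s}], expected [libdefaults]")
    print("weak crypto enabled:", weak_crypto_enabled(CLIENT_CONF))
```

Run against the sample, it reports both relations under [logging] and shows that weak crypto is not effectively enabled, which is worth ruling out before looking at rpc.gssd itself.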