(Resending in plain text so the mailing list will accept it!)

I think he is dealing with a Heimdal KDC; not Heimdal libraries on the client machine. It is true that gssd no longer works with Heimdal libraries, but it should work against a Heimdal KDC. I am not sure about working with IPv6, though.

On Wed, Jun 23, 2010 at 10:46 AM, William A. (Andy) Adamson <androsadamson@xxxxxxxxx> wrote:
>
> I don't think that gssd works with Heimdal.
>
> -->Andy
>
> On Tue, Jun 22, 2010 at 10:36 AM, yagi shinnosuke <linus404@xxxxxxxxx> wrote:
> > Hello.
> >
> > Thank you Jeff.
> >
> > I could run kinit and got TGT of nfs/nfsserv.localdomain
> > However, mounting failed again.
> >
> >
> > My KDC is working on the NFS server (FreeBSD 8.0).
> > Version is Heimdal 1.1.0.
> > ======================================================================
> > nfsserv# /usr/libexec/kdc --version
> > kdc (Heimdal 1.1.0)
> > Copyright 1995-2008 Kungliga Tekniska Högskolan
> > Send bug-reports to heimdal-bugs@xxxxxxx
> > ======================================================================
> >
> >
> > When I run rpc.gssd with the -n flag, the error output of rpc.gssd and
> > the output of klist changed.
> > (but I cannot mount yet.)
> >
> > Output of klist on client.
> > ======================================================================
> > [root@fedoravm ~]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: nfs/fedoravm.localdomain@NWBOOT
> >
> > Valid starting     Expires            Service principal
> > 06/21/10 09:13:18  06/22/10 09:13:18  krbtgt/NWBOOT@NWBOOT
> >         renew until 06/28/10 09:13:18
> > 06/21/10 09:14:41  06/22/10 09:13:18  nfs/nfsserv.localdomain@NWBOOT
> >         renew until 06/28/10 09:13:18
> > ======================================================================
> >
> > Result of mount.
> > ======================================================================
> > [root@fedoravm ~]# mount -v -t nfs nfsserv.localdomain:/export/work
> > /mnt/nfs/ -o sec=krb5,vers=3
> > mount.nfs: timeout set for Mon Jun 21 10:21:56 2010
> > mount.nfs: trying text-based options
> > 'sec=krb5,vers=3,addr=2002:192:168:1:217:a4ff:fe20:e5f0'
> > mount.nfs: prog 100003, trying vers=3, prot=6
> > mount.nfs: trying 2002:192:168:1:217:a4ff:fe20:e5f0 prog 100003 vers 3
> > prot TCP port 2049
> > mount.nfs: prog 100005, trying vers=3, prot=17
> > mount.nfs: trying 2002:192:168:1:217:a4ff:fe20:e5f0 prog 100005 vers 3
> > prot UDP port 818
> > mount.nfs: mount(2): Permission denied
> > mount.nfs: access denied by server while mounting
> > nfsserv.localdomain:/export/work
> > ======================================================================
> >
> >
> > Error output of rpc.gssd
> > ======================================================================
> > creating context using fsuid 0 (save_uid 0)
> > creating tcp client for server nfsserv.localdomain
> > DEBUG: port already set to 2049
> > creating context with server nfs@xxxxxxxxxxxxxxxxxxx
> > WARNING: Failed to create krb5 context for user with uid 0 for server
> > nfsserv.localdomain
> > WARNING: Failed to create krb5 context for user with uid 0 for server
> > nfsserv.localdomain
> > doing error downcall
> > destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt58
> > destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt57
> > ======================================================================
> >
> > It seems that I cannot get permission to access filesystems
> > as root (uid 0).
> > Am I missing some necessary settings?
> >
> > Settings for Kerberos are as follows.
> >
> > /etc/krb5.conf on server
> > ======================================================================
> > nfsserv# cat /etc/krb5.conf
> > [libdefaults]
> >     default_realm = NWBOOT
> > [realms]
> >     NWBOOT = {
> >         kdc = nfsserv.localdomain
> >         admin_server = nfsserv.localdomain
> >         kpasswd_server = nfsserv.localdomain
> >     }
> > [domain_realm]
> >     nfsserv.localdomain = NWBOOT
> >     .nfsserv.localdomain = NWBOOT
> >     localdomain = NWBOOT
> >     .localdomain = NWBOOT
> > [logging]
> >     kdc = FILE:/var/log/krb5kdc.log
> >     admin_server = FILE:/var/log/kadmin.log
> >     default = FILE:/var/log/krb5lib.log
> > ======================================================================
> >
> > /etc/krb5.conf on client
> > ======================================================================
> > [root@fedoravm ~]# cat /etc/krb5.conf
> > [logging]
> >     default = FILE:/var/log/krb5libs.log
> >     ccache_type = 4
> >     allow_weak_crypto=true
> >
> > [libdefaults]
> >     default_realm = NWBOOT
> >     dns_lookup_realm = false
> >     dns_lookup_kdc = false
> >     ticket_lifetime = 24h
> >     renew_lifetime = 7d
> >     forwardable = true
> >
> > [realms]
> >     NWBOOT = {
> >         kdc = nfsserv.localdomain
> >         admin_server = nfsserv.localdomain
> >         kpasswd_server = nfsserv.localdomain
> >         default_domain = localdomain
> >     }
> >
> > [domain_realm]
> >     .localdomain = NWBOOT
> >     localdomain = NWBOOT
> >     .nfsserv.localdomain = NWBOOT
> >     nfsserv.localdomain = NWBOOT
> > ======================================================================
> >
> >
> > Thanks.
> >
> > Jeff Layton wrote:
> >>
> >> On Fri, 18 Jun 2010 07:27:18 +0900
> >> yagi shinnosuke <linus404@xxxxxxxxx> wrote:
> >>
> >>> Hello.
> >>>
> >>> I have been trying to set up a kerberized nfsv3 server and clients over an IPv6
> >>> network, but ran into a few problems.
> >>>
> >>> When I try to mount the NFS share, an error "permission denied." occurred and
> >>> the mount failed.
> >>>
> >>> My server is FreeBSD8. My client is Fedora 13.
> >>> Without Kerberos, I can mount the NFS share.
> >>>
> >>> Output of the mount command is as follows
> >>> =============================================================================================
> >>> # mount -t nfs nfsserv.localdomain:/export/work /mnt/nfs/ -o
> >>> sec=krb5,vers=3 -v
> >>> mount.nfs: timeout set for Tue Jun 15 10:54:11 2010
> >>> mount.nfs: trying text-based options
> >>> 'sec=krb5,vers=3,addr=2002:192:168:1:217:a4ff:fe20:e5f0'
> >>> mount.nfs: prog 100003, trying vers=3, prot=6
> >>> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100003 vers 3 prot TCP
> >>> port 2049
> >>> mount.nfs: prog 100005, trying vers=3, prot=17
> >>> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100005 vers 3 prot UDP
> >>> port 818
> >>> mount.nfs: mount(2): Permission denied
> >>> mount.nfs: access denied by server while mounting
> >>> nfsserv.localdomain:/export/work
> >>> ==============================================================================================
> >>>
> >>> "nfsserv" is the hostname of the NFS server and 2001:XXXX::a4ff:fe20:e5f0 is
> >>> its IPv6 address.
> >>>
> >>>
> >>> I ran rpc.gssd with -vvvvv options, and I got the following warnings.
> >>> ==============================================================================================
> >>> creating context with server nfs@xxxxxxxxxxxxxxxxxxx
> >>> WARNING: Failed to create krb5 context for user with uid 0 for server
> >>> nfsserv.localdomain
> >>> WARNING: Failed to create machine krb5 context with credentials cache
> >>> FILE:/tmp/krb5cc_machine_NWBOOT for server nfsserv.localdomain
> >>> WARNING: Failed to create machine krb5 context with any credentials
> >>> cache for server nfsserv.localdomain
> >>> doing error downcall
> >>> ==============================================================================================
> >>>
> >>> It seems that rpc.gssd could not create credentials for nfsserver.
> >>> However, I ran kinit correctly on the client.
> >>>
> >>> My kinit and klist results are as follows.
> >>> ==============================================================================================
> >>> [root@fedoravm]# kinit root
> >>> Password for root@NWBOOT:
> >>> [root@fedoravm]# klist
> >>> Ticket cache: FILE:/tmp/krb5cc_0
> >>> Default principal: root@NWBOOT
> >>>
> >>> Valid starting     Expires            Service principal
> >>> 06/15/10 16:53:22  06/16/10 16:53:15  krbtgt/NWBOOT@NWBOOT
> >>>         renew until 06/22/10 16:53:15
> >>> ==============================================================================================
> >>>
> >>> I read the following page and added a root keytab to the client, but nothing changed.
> >>> http://www.mail-archive.com/linux-nfs@xxxxxxxxxxxxxxx/msg01360.html
> >>>
> >>> My Client Keytab:
> >>> ==============================================================================================
> >>> [root@fedoravm]# ktutil
> >>> ktutil: rkt /etc/krb5.keytab
> >>> ktutil: list -e
> >>> slot KVNO Principal
> >>> ---- ----
> >>> ---------------------------------------------------------------------
> >>> 1 1 nfs/fedoravm.localdomain@NWBOOT (DES cbc mode with
> >>> CRC-32)
> >>> 2 1 root/fedoravm.localdomain@NWBOOT (DES cbc mode with
> >>> CRC-32)
> >>> 3 1 host/fedoravm.localdomain@NWBOOT (DES cbc mode with
> >>> CRC-32)
> >>> ==============================================================================================
> >>>
> >>> My Server Keytab:
> >>> ==============================================================================================
> >>> nfsserv# ktutil list
> >>> FILE:/etc/krb5.keytab:
> >>>
> >>> Vno  Type         Principal
> >>> 1    des-cbc-crc  nfs/nfsserv.localdomain@NWBOOT
> >>> 1    des-cbc-crc  root/nfsserv.localdomain@NWBOOT
> >>> 1    des-cbc-crc  host/nfsserv.localdomain@NWBOOT
> >>> ==============================================================================================
> >>>
> >>>
> >>> I have surveyed web pages and found nothing about Kerberized NFS over IPv6.
> >>> I'm not sure whether it works or not.
> >>> Does rpc.gssd work in an IPv6 environment?
> >>>
> >>> Can anybody give me any hints or suggestions?
> >>>
> >>
> >> It should work. If you run something like:
> >>
> >> # kinit -k nfs/fedoravm.localdomain
> >>
> >> ...does that get you a TGT? What kind of KDC is this?
> >>
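
Added example (not part of the thread, and not code from nfs-utils or any poster): a small check, assuming the Fedora client uses MIT krb5, where allow_weak_crypto is a [libdefaults] relation. It reports [libdefaults]-only settings placed in another section of krb5.conf and lists keytab principals that have only single-DES keys. The sample inputs are constructed from the client krb5.conf and keytab listing quoted above; the function names are hypothetical.

```python
import re
# MIT krb5 reads these relations from [libdefaults] only (assumes an MIT client).
LIBDEFAULTS_ONLY = {"allow_weak_crypto", "ccache_type", "permitted_enctypes"}
SINGLE_DES = re.compile(r"DES cbc mode|des-cbc-")  # .match(): not "Triple DES", not des3-*

def parse_sections(text):
    """Return {section: {key: value}} for the top-level relations of a krb5.conf."""
    conf, section, depth = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif line == "}":
            depth = max(depth - 1, 0)
        elif "=" in line and section is not None and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                depth += 1               # realm sub-block, contents skipped
            elif depth == 0:
                conf[section][key] = value
    return conf

def misplaced(conf):
    """(section, key) pairs for [libdefaults]-only relations found elsewhere."""
    return sorted((s, k) for s, rel in conf.items() if s != "libdefaults"
                  for k in rel if k in LIBDEFAULTS_ONLY)

def weak_crypto_effective(conf):
    """True only if allow_weak_crypto is enabled where the library looks for it."""
    value = conf.get("libdefaults", {}).get("allow_weak_crypto", "false")
    return value.lower() in ("true", "yes", "y", "t", "1", "on")

def des_only_principals(listing):
    """Principals whose every key in a 'ktutil list -e' listing is single DES."""
    seen = {}
    for m in re.finditer(r"^\s*\d+\s+\d+\s+(\S+)\s+\((.+?)\)\s*$", listing, re.M):
        seen.setdefault(m.group(1), []).append(bool(SINGLE_DES.match(m.group(2))))
    return sorted(p for p, flags in seen.items() if all(flags))

# Constructed samples, re-typed from the client files quoted in the thread.
CLIENT_KRB5_CONF = """[logging]
 default = FILE:/var/log/krb5libs.log
 ccache_type = 4
 allow_weak_crypto=true
[libdefaults]
 default_realm = NWBOOT"""
CLIENT_KEYTAB = """1 1 nfs/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)
2 1 root/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)
3 1 host/fedoravm.localdomain@NWBOOT (DES cbc mode with CRC-32)"""
```

Calling misplaced(parse_sections(CLIENT_KRB5_CONF)) on the sample returns the two [logging] entries, and weak_crypto_effective() returns False for it.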