Thank you Kevin and William.
Yes, I am dealing with Heimdal KDC.

Is there anyone who is running NFS with Heimdal KDC?

2010/6/24 Kevin Coffman <kwc@xxxxxxxxxxxxxx>:
> (Resending in plain text so the mailing list will accept it!)
>
> I think he is dealing with a Heimdal KDC; not Heimdal libraries on the
> client machine.
>
> It is true that gssd no longer works with Heimdal libraries, but it
> should work against a Heimdal KDC.
>
> I am not sure about working with IPv6, though.
>
> On Wed, Jun 23, 2010 at 10:46 AM, William A. (Andy) Adamson
> <androsadamson@xxxxxxxxx> wrote:
>>
>> I don't think that gssd works with Heimdal.
>>
>> -->Andy
>>
>> On Tue, Jun 22, 2010 at 10:36 AM, yagi shinnosuke <linus404@xxxxxxxxx> wrote:
>> > Hello.
>> >
>> > Thank you Jeff.
>> >
>> > I could run kinit and got a TGT for nfs/nfsserv.localdomain
>> > However, mounting failed again.
>> >
>> >
>> > My KDC is working on the NFS server (FreeBSD 8.0).
>> > Version is Heimdal 1.1.0.
>> > ======================================================================
>> > nfsserv# /usr/libexec/kdc --version
>> > kdc (Heimdal 1.1.0)
>> > Copyright 1995-2008 Kungliga Tekniska Högskolan
>> > Send bug-reports to heimdal-bugs@xxxxxxx
>> > ======================================================================
>> >
>> >
>> > When I run rpc.gssd with -n flag, error output of rpc.gssd and
>> > output of klist changed.
>> > (but I cannot mount yet.)
>> >
>> > Output of klist on client.
>> > ======================================================================
>> > [root@fedoravm ~]# klist
>> > Ticket cache: FILE:/tmp/krb5cc_0
>> > Default principal: nfs/fedoravm.localdomain@NWBOOT
>> >
>> > Valid starting     Expires            Service principal
>> > 06/21/10 09:13:18  06/22/10 09:13:18  krbtgt/NWBOOT@NWBOOT
>> >         renew until 06/28/10 09:13:18
>> > 06/21/10 09:14:41  06/22/10 09:13:18  nfs/nfsserv.localdomain@NWBOOT
>> >         renew until 06/28/10 09:13:18
>> > ======================================================================
>> >
>> > Result of mount.
>> > ======================================================================
>> > [root@fedoravm ~]# mount -v -t nfs nfsserv.localdomain:/export/work
>> > /mnt/nfs/ -o sec=krb5,vers=3
>> > mount.nfs: timeout set for Mon Jun 21 10:21:56 2010
>> > mount.nfs: trying text-based options
>> > 'sec=krb5,vers=3,addr=2002:192:168:1:217:a4ff:fe20:e5f0'
>> > mount.nfs: prog 100003, trying vers=3, prot=6
>> > mount.nfs: trying 2002:192:168:1:217:a4ff:fe20:e5f0 prog 100003 vers 3
>> > prot TCP port 2049
>> > mount.nfs: prog 100005, trying vers=3, prot=17
>> > mount.nfs: trying 2002:192:168:1:217:a4ff:fe20:e5f0 prog 100005 vers 3
>> > prot UDP port 818
>> > mount.nfs: mount(2): Permission denied
>> > mount.nfs: access denied by server while mounting
>> > nfsserv.localdomain:/export/work
>> > ======================================================================
>> >
>> >
>> > Error output of rpc.gssd
>> > ======================================================================
>> > creating context using fsuid 0 (save_uid 0)
>> > creating tcp client for server nfsserv.localdomain
>> > DEBUG: port already set to 2049
>> > creating context with server nfs@xxxxxxxxxxxxxxxxxxx
>> > WARNING: Failed to create krb5 context for user with uid 0 for server
>> > nfsserv.localdomain
>> > WARNING: Failed to create krb5 context for user with uid 0 for server
>> > nfsserv.localdomain
>> > doing error downcall
>> > destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt58
>> > destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt57
>> > ======================================================================
>> >
>> > It seems that I cannot get permission to access filesystems
>> > by root (uid 0).
>> > Am I missing some necessary settings?
>> >
>> > Settings for Kerberos are as follows.
>> >
>> > /etc/krb5.conf on server
>> > ======================================================================
>> > nfsserv# cat /etc/krb5.conf
>> > [libdefaults]
>> > default_realm = NWBOOT
>> > [realms]
>> > NWBOOT = {
>> >     kdc = nfsserv.localdomain
>> >     admin_server = nfsserv.localdomain
>> >     kpasswd_server = nfsserv.localdomain
>> > }
>> > [domain_realm]
>> > nfsserv.localdomain = NWBOOT
>> > .nfsserv.localdomain = NWBOOT
>> > localdomain = NWBOOT
>> > .localdomain = NWBOOT
>> > [logging]
>> > kdc = FILE:/var/log/krb5kdc.log
>> > admin_server = FILE:/var/log/kadmin.log
>> > default = FILE:/var/log/krb5lib.log
>> > ======================================================================
>> >
>> > /etc/krb5.conf on client
>> > ======================================================================
>> > [root@fedoravm ~]# cat /etc/krb5.conf
>> > [logging]
>> > default = FILE:/var/log/krb5libs.log
>> > ccache_type = 4
>> > allow_weak_crypto=true
>> >
>> > [libdefaults]
>> > default_realm = NWBOOT
>> > dns_lookup_realm = false
>> > dns_lookup_kdc = false
>> > ticket_lifetime = 24h
>> > renew_lifetime = 7d
>> > forwardable = true
>> >
>> > [realms]
>> > NWBOOT = {
>> >     kdc = nfsserv.localdomain
>> >     admin_server = nfsserv.localdomain
>> >     kpasswd_server = nfsserv.localdomain
>> >     default_domain = localdomain
>> > }
>> >
>> > [domain_realm]
>> > .localdomain = NWBOOT
>> > localdomain = NWBOOT
>> > .nfsserv.localdomain = NWBOOT
>> > nfsserv.localdomain = NWBOOT
>> > ======================================================================
>> >
>> >
>> > Thanks.
>> >
>> > Jeff Layton wrote:
>> >>
>> >> On Fri, 18 Jun 2010 07:27:18 +0900
>> >> yagi shinnosuke <linus404@xxxxxxxxx> wrote:
>> >>
>> >>> Hello.
>> >>>
>> >>> I have been trying to set up kerberized nfsv3 server and clients over IPv6
>> >>> network, but run into a few problems.
>> >>>
>> >>> When I try to mount NFS share, an error "permission denied." occurred and
>> >>> failed to mount.
>> >>>
>> >>> My server is FreeBSD8. My client is Fedora 13.
>> >>> Without Kerberos, I can mount NFS share.
>> >>>
>> >>> Output of mount command is as follows
>> >>> =============================================================================================
>> >>> # mount -t nfs nfsserv.localdomain:/export/work /mnt/nfs/ -o
>> >>> sec=krb5,vers=3 -v
>> >>> mount.nfs: timeout set for Tue Jun 15 10:54:11 2010
>> >>> mount.nfs: trying text-based options
>> >>> 'sec=krb5,vers=3,addr=2002:192:168:1:217:a4ff:fe20:e5f0'
>> >>> mount.nfs: prog 100003, trying vers=3, prot=6
>> >>> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100003 vers 3 prot TCP
>> >>> port 2049
>> >>> mount.nfs: prog 100005, trying vers=3, prot=17
>> >>> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100005 vers 3 prot UDP
>> >>> port 818
>> >>> mount.nfs: mount(2): Permission denied
>> >>> mount.nfs: access denied by server while mounting
>> >>> nfsserv.localdomain:/export/work
>> >>> ==============================================================================================
>> >>>
>> >>> "nfsserv" is hostname of NFS server and 2001:XXXX::a4ff:fe20:e5f0 is
>> >>> its IPv6 address.
>> >>>
>> >>>
>> >>> I run rpc.gssd with -vvvvv options, and I got following warnings.
>> >>> ==============================================================================================
>> >>> creating context with server nfs@xxxxxxxxxxxxxxxxxxx
>> >>> WARNING: Failed to create krb5 context for user with uid 0 for server
>> >>> nfsserv.localdomain
>> >>> WARNING: Failed to create machine krb5 context with credentials cache
>> >>> FILE:/tmp/krb5cc_machine_NWBOOT for server nfsserv.localdomain
>> >>> WARNING: Failed to create machine krb5 context with any credentials
>> >>> cache for server nfsserv.localdomain
>> >>> doing error downcall
>> >>> ==============================================================================================
>> >>>
>> >>> It seems that rpc.gssd could not create credentials for nfsserver.
>> >>> However, I run kinit correctly on client.
>> >>>
>> >>> My kinit and klist results are as follows.
>> >>> ==============================================================================================
>> >>> [root@fedoravm]# kinit root
>> >>> Password for root@NWBOOT:
>> >>> [root@fedoravm]# klist
>> >>> Ticket cache: FILE:/tmp/krb5cc_0
>> >>> Default principal: root@NWBOOT
>> >>>
>> >>> Valid starting     Expires            Service principal
>> >>> 06/15/10 16:53:22  06/16/10 16:53:15  krbtgt/NWBOOT@NWBOOT
>> >>>         renew until 06/22/10 16:53:15
>> >>> ==============================================================================================
>> >>>
>> >>> I read following page and added root keytab to client, but nothing changed.
>> >>> http://www.mail-archive.com/linux-nfs@xxxxxxxxxxxxxxx/msg01360.html
>> >>>
>> >>> My Client Keytab:
>> >>> ==============================================================================================
>> >>> [root@fedoravm]# ktutil
>> >>> ktutil: rkt /etc/krb5.keytab
>> >>> ktutil: list -e
>> >>> slot KVNO Principal
>> >>> ---- ----
>> >>> ---------------------------------------------------------------------
>> >>>    1    1 nfs/fedoravm.localdomain@NWBOOT (DES cbc mode with
>> >>> CRC-32)
>> >>>    2    1 root/fedoravm.localdomain@NWBOOT (DES cbc mode with
>> >>> CRC-32)
>> >>>    3    1 host/fedoravm.localdomain@NWBOOT (DES cbc mode with
>> >>> CRC-32)
>> >>> ==============================================================================================
>> >>>
>> >>> My Server Keytab:
>> >>> ==============================================================================================
>> >>> nfsserv# ktutil list
>> >>> FILE:/etc/krb5.keytab:
>> >>>
>> >>> Vno  Type         Principal
>> >>>   1  des-cbc-crc  nfs/nfsserv.localdomain@NWBOOT
>> >>>   1  des-cbc-crc  root/nfsserv.localdomain@NWBOOT
>> >>>   1  des-cbc-crc  host/nfsserv.localdomain@NWBOOT
>> >>> ==============================================================================================
>> >>>
>> >>>
>> >>> I have surveyed web pages to find nothing about Kerberized NFS over IPv6.
>> >>> I'm not sure whether it works or not.
>> >>> Does rpc.gssd work in an IPv6 environment?
>> >>>
>> >>> Can anybody give me any hints or suggestions?
>> >>>
>> >>
>> >> It should work. If you run something like:
>> >>
>> >> # kinit -k nfs/fedoravm.localdomain
>> >>
>> >> ...does that get you a TGT? What kind of KDC is this?
>> >>
>> >
>
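
A configuration check for the files posted in this thread, as an added example that is not part of any message above: in MIT krb5, `allow_weak_crypto` and `ccache_type` are `[libdefaults]` settings, while the client file quoted above sets them under `[logging]`, and both keytabs list only single-DES keys. The function names and the key list are this example's own assumptions; the sample inputs are shortened copies of the thread's listings.

```python
import re

# Keys MIT krb5 documents under [libdefaults] (subset relevant to this thread).
LIBDEFAULTS_KEYS = {"allow_weak_crypto", "ccache_type", "permitted_enctypes",
                    "default_tkt_enctypes", "default_tgs_enctypes", "default_realm"}
# Single-DES enctype names as printed by Heimdal and MIT ktutil.
WEAK_MARKERS = ("des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des cbc mode")

def misplaced_settings(conf_text):
    """Return (section, key) pairs for [libdefaults] keys set in another section."""
    section, found = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif "=" in line and line[0] not in "#;":
            key = line.split("=", 1)[0].strip()
            if key in LIBDEFAULTS_KEYS and section != "libdefaults":
                found.append((section, key))
    return found

def weak_only_principals(listing):
    """Return principals whose every listed key uses a single-DES enctype."""
    keys = {}
    for line in listing.splitlines():
        m = re.search(r"\S+@\S+", line)
        if m:
            weak = any(w in line.lower() for w in WEAK_MARKERS)
            keys.setdefault(m.group(0), []).append(weak)
    return sorted(p for p, flags in keys.items() if all(flags))

# Client krb5.conf as posted in the thread (shortened to the relevant sections).
CLIENT_CONF = """\
[logging]
default = FILE:/var/log/krb5libs.log
ccache_type = 4
allow_weak_crypto=true
[libdefaults]
default_realm = NWBOOT
"""
# Server keytab listing as posted in the thread (Heimdal ktutil format).
SERVER_KEYTAB = """\
1  des-cbc-crc  nfs/nfsserv.localdomain@NWBOOT
1  des-cbc-crc  root/nfsserv.localdomain@NWBOOT
1  des-cbc-crc  host/nfsserv.localdomain@NWBOOT
"""

if __name__ == "__main__":
    print(misplaced_settings(CLIENT_CONF), weak_only_principals(SERVER_KEYTAB))
```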