As far as I know, it should work with a Heimdal KDC. Looking at the
documentation for Heimdal 1.1.0, I think it still supported DES
without requiring a configuration option.

On Mon, Jul 5, 2010 at 11:09 AM, yagi shinnosuke <linus404@xxxxxxxxx> wrote:
> Thank you Kevin and William.
>
> Yes, I am dealing with a Heimdal KDC.
>
> Is there someone who is running NFS with a Heimdal KDC?
>
>
>
> 2010/6/24 Kevin Coffman <kwc@xxxxxxxxxxxxxx>:
>> (Resending in plain text so the mailing list will accept it!)
>>
>> I think he is dealing with a Heimdal KDC; not Heimdal libraries on the
>> client machine.
>>
>> It is true that gssd no longer works with Heimdal libraries, but it
>> should work against a Heimdal KDC.
>>
>> I am not sure about working with IPv6, though.
>>
>> On Wed, Jun 23, 2010 at 10:46 AM, William A. (Andy) Adamson
>> <androsadamson@xxxxxxxxx> wrote:
>>>
>>> I don't think that gssd works with Heimdal.
>>>
>>> -->Andy
>>>
>>> On Tue, Jun 22, 2010 at 10:36 AM, yagi shinnosuke <linus404@xxxxxxxxx> wrote:
>>> > Hello.
>>> >
>>> > Thank you Jeff.
>>> >
>>> > I could run kinit and got TGT of nfs/nfsserv.localdomain
>>> > However, mounting failed again.
>>> >
>>> >
>>> > My KDC is working on the NFS server (FreeBSD 8.0).
>>> > Version is Heimdal 1.1.0.
>>> > ======================================================================
>>> > nfsserv# /usr/libexec/kdc --version
>>> > kdc (Heimdal 1.1.0)
>>> > Copyright 1995-2008 Kungliga Tekniska Högskolan
>>> > Send bug-reports to heimdal-bugs@xxxxxxx
>>> > ======================================================================
>>> >
>>> >
>>> > When I run rpc.gssd with the -n flag, the error output of rpc.gssd and
>>> > the output of klist changed.
>>> > (but I cannot mount yet.)
>>> >
>>> > Output of klist on client.
>>> > ======================================================================
>>> > [root@fedoravm ~]# klist
>>> > Ticket cache: FILE:/tmp/krb5cc_0
>>> > Default principal: nfs/fedoravm.localdomain@NWBOOT
>>> >
>>> > Valid starting     Expires            Service principal
>>> > 06/21/10 09:13:18  06/22/10 09:13:18  krbtgt/NWBOOT@NWBOOT
>>> >         renew until 06/28/10 09:13:18
>>> > 06/21/10 09:14:41  06/22/10 09:13:18  nfs/nfsserv.localdomain@NWBOOT
>>> >         renew until 06/28/10 09:13:18
>>> > ======================================================================
>>> >
>>> > Result of mount.
>>> > ======================================================================
>>> > [root@fedoravm ~]# mount -v -t nfs nfsserv.localdomain:/export/work
>>> > /mnt/nfs/ -o sec=krb5,vers=3
>>> > mount.nfs: timeout set for Mon Jun 21 10:21:56 2010
>>> > mount.nfs: trying text-based options
>>> > 'sec=krb5,vers=3,addr=2002:192:168:1:217:a4ff:fe20:e5f0'
>>> > mount.nfs: prog 100003, trying vers=3, prot=6
>>> > mount.nfs: trying 2002:192:168:1:217:a4ff:fe20:e5f0 prog 100003 vers 3
>>> > prot TCP port 2049
>>> > mount.nfs: prog 100005, trying vers=3, prot=17
>>> > mount.nfs: trying 2002:192:168:1:217:a4ff:fe20:e5f0 prog 100005 vers 3
>>> > prot UDP port 818
>>> > mount.nfs: mount(2): Permission denied
>>> > mount.nfs: access denied by server while mounting
>>> > nfsserv.localdomain:/export/work
>>> > ======================================================================
>>> >
>>> >
>>> > Error output of rpc.gssd
>>> > ======================================================================
>>> > creating context using fsuid 0 (save_uid 0)
>>> > creating tcp client for server nfsserv.localdomain
>>> > DEBUG: port already set to 2049
>>> > creating context with server nfs@xxxxxxxxxxxxxxxxxxx
>>> > WARNING: Failed to create krb5 context for user with uid 0 for server
>>> > nfsserv.localdomain
>>> > WARNING: Failed to create krb5 context for user with uid 0 for server
>>> > nfsserv.localdomain
>>> > doing error downcall
>>> > destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt58
>>> > destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt57
>>> > ======================================================================
>>> >
>>> > It seems that I cannot get permission to access filesystems
>>> > by root (uid 0).
>>> > Am I missing some necessary settings?
>>> >
>>> > Settings for Kerberos are as follows.
>>> >
>>> > /etc/krb5.conf on server
>>> > ======================================================================
>>> > nfsserv# cat /etc/krb5.conf
>>> > [libdefaults]
>>> >     default_realm = NWBOOT
>>> > [realms]
>>> >     NWBOOT = {
>>> >         kdc = nfsserv.localdomain
>>> >         admin_server = nfsserv.localdomain
>>> >         kpasswd_server = nfsserv.localdomain
>>> >     }
>>> > [domain_realm]
>>> >     nfsserv.localdomain = NWBOOT
>>> >     .nfsserv.localdomain = NWBOOT
>>> >     localdomain = NWBOOT
>>> >     .localdomain = NWBOOT
>>> > [logging]
>>> >     kdc = FILE:/var/log/krb5kdc.log
>>> >     admin_server = FILE:/var/log/kadmin.log
>>> >     default = FILE:/var/log/krb5lib.log
>>> > ======================================================================
>>> >
>>> > /etc/krb5.conf on client
>>> > ======================================================================
>>> > [root@fedoravm ~]# cat /etc/krb5.conf
>>> > [logging]
>>> >  default = FILE:/var/log/krb5libs.log
>>> >  ccache_type = 4
>>> >  allow_weak_crypto=true
>>> >
>>> > [libdefaults]
>>> >  default_realm = NWBOOT
>>> >  dns_lookup_realm = false
>>> >  dns_lookup_kdc = false
>>> >  ticket_lifetime = 24h
>>> >  renew_lifetime = 7d
>>> >  forwardable = true
>>> >
>>> > [realms]
>>> >  NWBOOT = {
>>> >   kdc = nfsserv.localdomain
>>> >   admin_server = nfsserv.localdomain
>>> >   kpasswd_server = nfsserv.localdomain
>>> >   default_domain = localdomain
>>> >  }
>>> >
>>> > [domain_realm]
>>> >  .localdomain = NWBOOT
>>> >  localdomain = NWBOOT
>>> >  .nfsserv.localdomain = NWBOOT
>>> >  nfsserv.localdomain = NWBOOT
>>> > ======================================================================
>>> >
>>> >
>>> > Thanks.
>>> >
>>> > Jeff Layton wrote:
>>> >>
>>> >> On Fri, 18 Jun 2010 07:27:18 +0900
>>> >> yagi shinnosuke <linus404@xxxxxxxxx> wrote:
>>> >>
>>> >>> Hello.
>>> >>>
>>> >>> I have been trying to set up a kerberized nfsv3 server and clients over an IPv6
>>> >>> network, but ran into a few problems.
>>> >>>
>>> >>> When I try to mount the NFS share, an error "permission denied." occurred and
>>> >>> the mount failed.
>>> >>>
>>> >>> My server is FreeBSD8. My client is Fedora 13.
>>> >>> Without Kerberos, I can mount the NFS share.
>>> >>>
>>> >>> Output of the mount command is as follows
>>> >>> =============================================================================================
>>> >>> # mount -t nfs nfsserv.localdomain:/export/work /mnt/nfs/ -o
>>> >>> sec=krb5,vers=3 -v
>>> >>> mount.nfs: timeout set for Tue Jun 15 10:54:11 2010
>>> >>> mount.nfs: trying text-based options
>>> >>> 'sec=krb5,vers=3,addr=2002:192:168:1:217:a4ff:fe20:e5f0'
>>> >>> mount.nfs: prog 100003, trying vers=3, prot=6
>>> >>> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100003 vers 3 prot TCP
>>> >>> port 2049
>>> >>> mount.nfs: prog 100005, trying vers=3, prot=17
>>> >>> mount.nfs: trying 2001:XXXX::a4ff:fe20:e5f0 prog 100005 vers 3 prot UDP
>>> >>> port 818
>>> >>> mount.nfs: mount(2): Permission denied
>>> >>> mount.nfs: access denied by server while mounting
>>> >>> nfsserv.localdomain:/export/work
>>> >>> ==============================================================================================
>>> >>>
>>> >>> "nfsserv" is the hostname of the NFS server and 2001:XXXX::a4ff:fe20:e5f0 is
>>> >>> its IPv6 address.
>>> >>>
>>> >>>
>>> >>> I ran rpc.gssd with the -vvvvv option, and I got the following warnings.
>>> >>> ==============================================================================================
>>> >>> creating context with server nfs@xxxxxxxxxxxxxxxxxxx
>>> >>> WARNING: Failed to create krb5 context for user with uid 0 for server
>>> >>> nfsserv.localdomain
>>> >>> WARNING: Failed to create machine krb5 context with credentials cache
>>> >>> FILE:/tmp/krb5cc_machine_NWBOOT for server nfsserv.localdomain
>>> >>> WARNING: Failed to create machine krb5 context with any credentials
>>> >>> cache for server nfsserv.localdomain
>>> >>> doing error downcall
>>> >>> ==============================================================================================
>>> >>>
>>> >>> It seems that rpc.gssd could not create credentials for nfsserver.
>>> >>> However, I ran kinit correctly on the client.
>>> >>>
>>> >>> My kinit and klist results are as follows.
>>> >>> ==============================================================================================
>>> >>> [root@fedoravm]# kinit root
>>> >>> Password for root@NWBOOT:
>>> >>> [root@fedoravm]# klist
>>> >>> Ticket cache: FILE:/tmp/krb5cc_0
>>> >>> Default principal: root@NWBOOT
>>> >>>
>>> >>> Valid starting     Expires            Service principal
>>> >>> 06/15/10 16:53:22  06/16/10 16:53:15  krbtgt/NWBOOT@NWBOOT
>>> >>>         renew until 06/22/10 16:53:15
>>> >>> ==============================================================================================
>>> >>>
>>> >>> I read the following page and added a root keytab to the client, but nothing changed.
>>> >>> http://www.mail-archive.com/linux-nfs@xxxxxxxxxxxxxxx/msg01360.html
>>> >>>
>>> >>> My Client Keytab:
>>> >>> ==============================================================================================
>>> >>> [root@fedoravm]# ktutil
>>> >>> ktutil: rkt /etc/krb5.keytab
>>> >>> ktutil: list -e
>>> >>> slot KVNO Principal
>>> >>> ---- ----
>>> >>> ---------------------------------------------------------------------
>>> >>>    1    1 nfs/fedoravm.localdomain@NWBOOT (DES cbc mode with
>>> >>> CRC-32)
>>> >>>    2    1 root/fedoravm.localdomain@NWBOOT (DES cbc mode with
>>> >>> CRC-32)
>>> >>>    3    1 host/fedoravm.localdomain@NWBOOT (DES cbc mode with
>>> >>> CRC-32)
>>> >>> ==============================================================================================
>>> >>>
>>> >>> My Server Keytab:
>>> >>> ==============================================================================================
>>> >>> nfsserv# ktutil list
>>> >>> FILE:/etc/krb5.keytab:
>>> >>>
>>> >>> Vno  Type         Principal
>>> >>>   1  des-cbc-crc  nfs/nfsserv.localdomain@NWBOOT
>>> >>>   1  des-cbc-crc  root/nfsserv.localdomain@NWBOOT
>>> >>>   1  des-cbc-crc  host/nfsserv.localdomain@NWBOOT
>>> >>> ==============================================================================================
>>> >>>
>>> >>>
>>> >>> I have surveyed web pages but found nothing about Kerberized NFS over IPv6.
>>> >>> I'm not sure whether it works or not.
>>> >>> Does rpc.gssd work in an IPv6 environment?
>>> >>>
>>> >>> Can anybody give me any hints or suggestions?
>>> >>>
>>> >>
>>> >> It should work. If you run something like:
>>> >>
>>> >> # kinit -k nfs/fedoravm.localdomain
>>> >>
>>> >> ...does that get you a TGT? What kind of KDC is this?
>>> >>
>>> >
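
An added example, not part of this thread or of nfs-utils: a small check for the two settings the exchange turns on, namely whether `allow_weak_crypto` is set in `[libdefaults]` (the section MIT krb5 reads it from) and which keytab principals have only single-DES keys. The sample config and keytab listing are constructed (realm `EXAMPLE.TEST`, laid out like the files quoted above), and the function names are hypothetical.

```python
import re

# Relations MIT krb5 looks up in [libdefaults]; set elsewhere they are ignored.
LIBDEFAULTS_ONLY = {"allow_weak_crypto", "permitted_enctypes"}
# Single DES as printed by MIT "ktutil list -e" and by Heimdal "ktutil list".
WEAK = re.compile(r"des-cbc-(crc|md4|md5)|(?<!triple )des cbc mode", re.I)
# Constructed sample input (assumption), not the poster's files.
SAMPLE_CONF = """\
[logging]
 allow_weak_crypto=true
[libdefaults]
 default_realm = EXAMPLE.TEST
[realms]
 EXAMPLE.TEST = {
  kdc = kdc.example.test
 }
"""
SAMPLE_KEYTAB = """\
   1    1 nfs/client.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   2    1 host/client.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   3    1 host/client.example.test@EXAMPLE.TEST (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

def misplaced(conf_text):
    """Return {relation: section} for libdefaults relations set in another section."""
    bad, section, depth = {}, None, 0
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if header := re.fullmatch(r"\[(\w+)\]", line):
            section, depth = header.group(1), 0
        elif line.endswith("{"):
            depth += 1  # entering a subsection such as a realm block
        elif line.startswith("}"):
            depth -= 1
        elif depth == 0 and "=" in line:
            name = line.split("=", 1)[0].strip()
            if name in LIBDEFAULTS_ONLY and section != "libdefaults":
                bad[name] = section
    return bad

def weak_only_principals(listing):
    """Principals in a keytab listing whose every key is single DES."""
    keys = {}
    for line in listing.splitlines():
        if m := re.search(r"\S+/\S+@\S+", line):
            keys.setdefault(m.group(0), []).append(bool(WEAK.search(line)))
    return sorted(p for p, flags in keys.items() if all(flags))

print(misplaced(SAMPLE_CONF), weak_only_principals(SAMPLE_KEYTAB))
```

The keytab check expects one entry per line, so rejoin lines that a mail client wrapped before feeding a pasted listing to it.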