Re: mount hangs in NFS4+Kerberos setup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 02/10/2012 03:45 PM, whats_up@xxxxxxx wrote:
Hi,

I want to setup a file server with NFS4+Kerberos and Debian squeeze for
clients running Ubuntu 11.10.

What is already working:
1) Mount NFS4 on client without krb5 option works. Users are able to
access files and uids/gids are correct. 2) KDC works. Access from
client, get tickets, user authentication/change password through pam is
ok.

Now I want to mount with sec=krb5 but this time the command hangs and
does not return to shell. See also logs below.

Any hints to fix the issue or to get more helpful debug information are
welcome.

regards
   knut




=== server status ===

Debian Linux squeeze

# uname -a
Linux tm 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686 GNU/Linux
Ubuntu 11.10
uname -r
3.0.0-15-generic

Some older kernels do not support strong keys. Try adding:
allow_weak_crypto = true
to the
 [libdefaults]
in /etc/krb5.conf

Here it is using the machine principal with arcfour:

Kerberos: AS-REQ nfs/hh3.hh3.site@xxxxxxxx from ipv4:192.168.1.3:49650 for krbtgt/HH3.SITE@xxxxxxxx
Kerberos: UNKNOWN -- nfs/hh3.hh3.site@xxxxxxxx: no such entry found in hdb
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:43041 for krbtgt/HH3.SITE@xxxxxxxx
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:32850 for krbtgt/HH3.SITE@xxxxxxxx
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- HH3$@HH3.SITE using arcfour-hmac-md5 Kerberos: AS-REQ authtime: 2012-02-10T18:00:16 starttime: unset endtime: 2012-02-11T04:00:16 renew till: 2012-02-11T18:00:15 Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:41288 for nfs/hh3.hh3.site@xxxxxxxx [canonicalize, renewable] Kerberos: TGS-REQ authtime: 2012-02-10T18:00:16 starttime: 2012-02-10T18:00:16 endtime: 2012-02-11T04:00:16 renew till: 2012-02-11T18:00:15

Also it's not recommended to use the pseudo-root fsid=0 method for nfs exports under Linux:
 http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration

HTH,
Steve

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux