Cannot mount nfsv4 krb5.

Patrik Martinsson Patrik.Martinsson at smhi.se
Wed Aug 4 11:41:44 EDT 2010


Hello everyone,

I'm not sure whether this is a bug or what's going on; however, I can't get it to 
work.
I posted a bug at Red Hat's Bugzilla, but since it's not a blocker issue I 
don't know how much they are looking into my issues; I figured I might get 
a quicker answer here.

I'm on RHEL 6 Beta 2, Refresh.

Here's what I wrote in my bug report; maybe someone has had a similar 
issue?

Description of problem:
Not really sure this is a bug in krb5, but I suspect so. I can't mount NFSv4
with krb5; without the sec=krb5 option it works like a charm.

Version-Release number of selected component (if applicable):

krb5-libs-1.8.2-2.el6.x86_64
krb5-workstation-1.8.2-2.el6.x86_64
gssdp-0.7.1-1.el6.x86_64

How reproducible:
Always.

Steps to Reproduce:

# /etc/krb5.conf
[libdefaults]
   default_realm = XX.XXXX.XX
   clockskew = 300
   dns_lookup_realm = true
   dns_lookup_kdc = true
   default_tkt_enctypes =  des-cbc-md5
   default_tgs_enctypes =  des-cbc-md5
   forwardable = true
   allow_weak_crypto = true

[realms]
   XX.XXXX.XX = {
     default_domain = XX.XXXX.XX
   }

[logging]
   kdc = FILE:/var/log/krb5/krb5kdc.log
   admin_server = FILE:/var/log/krb5/kadmind.log
   default = SYSLOG:NOTICE:DAEMON

[domain_realm]
   .XX.XXXX.XX = XX.XXXX.XX
   .xxxx.xx = XX.XXXX.XX

  # /etc/idmapd.conf
  Domain = xxxx.xx

  # /etc/sysconfig/nfs
  RPCIDMAPDARGS="-vvvv"
  SECURE_NFS="yes"
  RPCGSSDARGS="-vvvv"
  RPCSVCGSSDARGS="-vvvv"

  # Stop all relevant services
  /etc/init.d/rpcbind stop; /etc/init.d/rpcgssd stop; /etc/init.d/rpcidmapd stop; /etc/init.d/nfs stop

  # Make sure we are not in domain, leave and flush keytab.
  net ads leave -U xx%xx
  net ads keytab flush -U xx%xx

  # Make sure we have no tickets/keytabs or whatsoever.
  kdestroy
  rm -rf /etc/krb5.keytab
  rm -rf /tmp/kr*

  # Join machine to AD and create computer account with both service principal and user principal.
  net ads join createupn="nfs/$HOSTNAME@XX.XXXX.XX" createcomputer="/FOO/BAR" osName="Linux Red Hat Workstation" osVer="6" -U xx%xx

  # Add nfs principal to keytab; there is already one entry (with different encryptions) so I'm not totally sure if this is needed.
  net ads keytab add nfs -U xx%xx
  This is the nfs section before I issue the following command,
  2 08/04/10 16:32:03 nfs/client.xxxx.xx@XX.XXXX.XX (DES cbc mode with CRC-32)
  2 08/04/10 16:32:03 nfs/client.xxxx.xx@XX.XXXX.XX (DES cbc mode with RSA-MD5)
  2 08/04/10 16:32:03 nfs/client.xxxx.xx@XX.XXXX.XX (ArcFour with HMAC/md5)
  -- After --
  2 08/04/10 16:33:18 nfs/client.xxxx.xx@XX.XXXX.XX (DES cbc mode with CRC-32)
  2 08/04/10 16:33:18 nfs/client.xxxx.xx@XX.XXXX.XX (DES cbc mode with RSA-MD5)
  2 08/04/10 16:33:18 nfs/client.xxxx.xx@XX.XXXX.XX (ArcFour with HMAC/md5)
  2 08/04/10 16:33:19 nfs/CLIENT@XX.XXXX.XX (DES cbc mode with CRC-32)
  2 08/04/10 16:33:19 nfs/CLIENT@XX.XXXX.XX (DES cbc mode with RSA-MD5)
  2 08/04/10 16:33:19 nfs/CLIENT@XX.XXXX.XX (ArcFour with HMAC/md5)

  # Now we have joined the machine (created a machine account) and have a keytab that looks OK. Start the relevant services.
  /etc/init.d/rpcbind start; /etc/init.d/rpcgssd start; /etc/init.d/rpcidmapd start; /etc/init.d/nfs start

  # Issue mount command,
  mount -t nfs4 -o sec=krb5 xx:/xx/xx/xx/ /nfstest/ -vvvvv

  # Output,
  -- mount --
  mount: fstab path: "/etc/fstab"
  mount: mtab path:  "/etc/mtab"
  mount: lock path:  "/etc/mtab~"
  mount: temp path:  "/etc/mtab.tmp"
  mount: spec:  "xx:/xx/xx/xx/"
  mount: node:  "/nfstest/"
  mount: types: "nfs4"
  mount: opts:  "sec=krb5"
  mount: external mount: argv[0] = "/sbin/mount.nfs4"
  mount: external mount: argv[1] = "xx:/xx/xx/xx/"
  mount: external mount: argv[2] = "/nfstest/"
  mount: external mount: argv[3] = "-v"
  mount: external mount: argv[4] = "-o"
  mount: external mount: argv[5] = "rw,sec=krb5"
  mount.nfs4: timeout set for Wed Aug  4 16:24:41 2010
  mount.nfs4: text-based options: 'sec=krb5,clientaddr=xx.xx.x.xx,addr=xxx.xx.xx.xx'
  mount.nfs4: mount(2): Permission denied
  mount.nfs4: access denied by server while mounting xx:/xx/xx/xx/

  -- /var/log/messages --
  Aug  4 14:45:09 client rpc.idmapd[4656]: New client: 13
  Aug  4 14:45:09 client rpc.idmapd[4656]: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt13/idmap
  Aug  4 14:45:09 client rpc.idmapd[4656]: New client: 14
  Aug  4 14:45:09 client rpc.gssd[4635]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
  Aug  4 14:45:09 client rpc.gssd[4635]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
  Aug  4 14:45:09 client rpc.gssd[4635]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
  Aug  4 14:45:09 client rpc.gssd[4635]: process_krb5_upcall: service is '<null>'
  Aug  4 14:45:09 client rpc.gssd[4635]: Full hostname for 'xx.xxxx.xx' is 'xx.xx.xx'
  Aug  4 14:45:09 client rpc.gssd[4635]: Full hostname for 'client.xxxx.xx' is 'client.xxxx.xx'
  Aug  4 14:45:09 client rpc.gssd[4635]: Key table entry not found while getting keytab entry for ' root/client.xxxx.xx@XX.XXXX.XX'
  Aug  4 14:45:09 client rpc.gssd[4635]: Success getting keytab entry for 'nfs/client.xxxx.xx@XX.XXXX.XX'
  Aug  4 14:45:09 client rpc.gssd[4635]: Successfully obtained machine credentials for principal ' nfs/client.xxxx.xx@XX.XXXX.XX' stored in ccache 'FILE:/tmp/krb5cc_machine_XX.XXXX.XX'
  Aug  4 14:45:09 client rpc.gssd[4635]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XX.XXXX.XX' are good until 1280961909
  Aug  4 14:45:09 client rpc.gssd[4635]: using FILE:/tmp/krb5cc_machine_XX.XXXX.XX as credentials cache for machine creds
  Aug  4 14:45:09 client rpc.gssd[4635]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XX.XXXX.XX
  Aug  4 14:45:09 client rpc.gssd[4635]: creating context using fsuid 0 (save_uid 0)
  Aug  4 14:45:09 client rpc.gssd[4635]: creating tcp client for server xx.xxxx.xx
  Aug  4 14:45:09 client rpc.gssd[4635]: DEBUG: port already set to 2049
  Aug  4 14:45:09 client rpc.gssd[4635]: creating context with server nfs@xx.xxxx.xx
  Aug  4 14:45:09 client rpc.gssd[4635]: WARNING: Failed to create krb5 context for user with uid 0 for server xx.xxxx.xx
  Aug  4 14:45:09 client rpc.gssd[4635]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XX.XXXX.XX for server xx.xxxx.xx
  Aug  4 14:45:09 client rpc.gssd[4635]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server xx.xxxx.xx
  Aug  4 14:45:09 client rpc.gssd[4635]: Full hostname for 'xx.xxxx.xx' is 'xx.xxxx.xx'
  Aug  4 14:45:09 client rpc.gssd[4635]: Full hostname for 'client.xx.xxxx.xx' is 'client.xx.xxxx.xx'
  Aug  4 14:45:09 client rpc.gssd[4635]: Key table entry not found while getting keytab entry for 'root/client.xxxx.xx@XX.XXXX.XX'
  Aug  4 14:45:09 client rpc.gssd[4635]: Success getting keytab entry for 'nfs/client.xxxx.xx@XX.XXXX.XX'
  Aug  4 14:45:09 client rpc.gssd[4635]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XX.XXXX.XX' are good until 1280961909
  Aug  4 14:45:09 client rpc.gssd[4635]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XX.XXXX.XX' are good until 1280961909
  Aug  4 14:45:09 client rpc.gssd[4635]: using FILE:/tmp/krb5cc_machine_XX.XXXX.XX as credentials cache for machine creds
  Aug  4 14:45:09 client rpc.gssd[4635]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XX.XXXX.XX
  Aug  4 14:45:09 client rpc.gssd[4635]: creating context using fsuid 0 (save_uid 0)
  Aug  4 14:45:09 client rpc.gssd[4635]: creating tcp client for server xx.xxxx.xx
  Aug  4 14:45:09 client rpc.gssd[4635]: DEBUG: port already set to 2049
  Aug  4 14:45:09 client rpc.gssd[4635]: creating context with server nfs@xx.xxxx.xx
  Aug  4 14:45:09 client rpc.gssd[4635]: WARNING: Failed to create krb5 context for user with uid 0 for server xx.xxxx.xx
  Aug  4 14:45:09 client rpc.gssd[4635]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XX.XXXX.XX for server xx.xxxx.xx
  Aug  4 14:45:09 client rpc.gssd[4635]: WARNING: Failed to create machine krb5 context with any credentials cache for server xx.xxxx.xx
  Aug  4 14:45:09 client rpc.gssd[4635]: doing error downcall
  Aug  4 14:45:09 client rpc.idmapd[4656]: Stale client: 13
  Aug  4 14:45:09 client rpc.idmapd[4656]: #011->  closed /var/lib/nfs/rpc_pipefs//nfs/clnt13/idmap
  Aug  4 14:45:09 client rpc.idmapd[4656]: Stale client: 14
  Aug  4 14:45:09 client rpc.idmapd[4656]: #011->  closed /var/lib/nfs/rpc_pipefs//nfs/clnt14/idmap
  Aug  4 14:45:09 client rpc.gssd[4635]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt14
  Aug  4 14:45:09 client rpc.gssd[4635]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt13

Actual results:
mount.nfs4: access denied by server while mounting xx:/xx/xx/xx/

Expected results:
A successful mount.

Additional info:
If I do the exact same steps on a Fedora 10 client, this method works.
Is there something I'm missing?

Btw.
This thread has kind of the same issue; it seems to work if he downgrades his krb.
I tried that, though, but without luck.
I downgraded my krb5-libs/krb5-workstation and gssdp, but without success; maybe there are some more packages involved?


My bug report is at https://bugzilla.redhat.com/show_bug.cgi?id=621238

Best Regards,
Patrik Martinsson, Sweden.
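An added diagnostic that is not part of Patrik's post and not code from krb5 or nfs-utils: the post pastes two things side by side, the `klist -k -e` style keytab listing (which here holds only single-DES and RC4 keys) and the `enctypes=18,17,16,23,3,1,2` field that the kernel hands to rpc.gssd in the upcall. The script below parses both and reports, per principal, which key types the keytab and the kernel have in common, in the kernel's preference order, and whether any of those are weak types that only work because `allow_weak_crypto = true` is set. Enctype numbers follow RFC 3961/4757; the sample listing and upcall line are constructed from the placeholder names in the post.

```python
"""Cross-check a client keytab against the enctypes offered in the
rpc.gssd upcall and flag weak key types.

Added example for this thread, not code from the original post or from
any krb5/nfs-utils package.  Input is the text form of `klist -k -e`
(KVNO, timestamp, principal, enctype description) and the `enctypes=`
field of a `handle_gssd_upcall` log line.  Enctype numbers follow
RFC 3961 / RFC 4757; sample data below is constructed from the post's
placeholder names.
"""
import re

# Human-readable enctype names as printed by MIT klist -e, mapped to their
# registered numbers.  Only types that commonly appear in keytabs are listed;
# anything else is reported as unknown rather than guessed.
ENCTYPE_BY_NAME = {
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD4": 2,
    "DES cbc mode with RSA-MD5": 3,
    "Triple DES cbc mode with HMAC/sha1": 16,
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18,
    "ArcFour with HMAC/md5": 23,
}

# Single DES and RC4 are deprecated.  MIT krb5 1.8 and later refuse DES
# unless allow_weak_crypto = true, which is the knob the post turns on.
WEAK_ENCTYPES = {1, 2, 3, 23}

# klist -k -e line: "<kvno> <mm/dd/yy> <hh:mm:ss> <principal> (<enctype name>)"
KEYTAB_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)
UPCALL_ENCTYPES = re.compile(r"enctypes=(?P<list>[\d,]+)")


def parse_keytab_listing(text):
    """Return {principal: set(enctype numbers)} from klist -k -e output.
    Lines that are not keytab entries, or that name an enctype we do not
    know, are skipped."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if not m:
            continue
        etype = ENCTYPE_BY_NAME.get(m.group("etype"))
        if etype is None:
            continue
        keys.setdefault(m.group("princ"), set()).add(etype)
    return keys


def parse_upcall_enctypes(log_line):
    """Return the enctype list from a handle_gssd_upcall log line, in the
    order the kernel listed them (most preferred first)."""
    m = UPCALL_ENCTYPES.search(log_line)
    if not m:
        raise ValueError("no enctypes= field in upcall line")
    return [int(n) for n in m.group("list").split(",")]


def check_principal(keytab_keys, offered, principal):
    """Summarise how one principal's keytab keys line up with the offered
    enctypes: usable types in kernel preference order, which of those are
    weak, whether a strong key exists at all, and whether the principal is
    missing from the keytab entirely (as root/<host> is in the post)."""
    have = keytab_keys.get(principal, set())
    usable = [e for e in offered if e in have]
    return {
        "usable": usable,
        "weak_usable": [e for e in usable if e in WEAK_ENCTYPES],
        "has_strong_key": any(e not in WEAK_ENCTYPES for e in have),
        "missing": principal not in keytab_keys,
    }


# Constructed sample: the keytab listing shape from the post, placeholder realm.
SAMPLE_KEYTAB = """\
   2 08/04/10 16:32:03 nfs/client.xxxx.xx@XX.XXXX.XX (DES cbc mode with CRC-32)
   2 08/04/10 16:32:03 nfs/client.xxxx.xx@XX.XXXX.XX (DES cbc mode with RSA-MD5)
   2 08/04/10 16:32:03 nfs/client.xxxx.xx@XX.XXXX.XX (ArcFour with HMAC/md5)
"""
# Constructed sample: the enctype field as rpc.gssd logged it in the post.
SAMPLE_UPCALL = ("rpc.gssd[4635]: handle_gssd_upcall: "
                 "'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '")

if __name__ == "__main__":
    keys = parse_keytab_listing(SAMPLE_KEYTAB)
    offered = parse_upcall_enctypes(SAMPLE_UPCALL)
    for princ in sorted(keys):
        print(princ, check_principal(keys, offered, princ))
```

Run against the post's sample data it reports that nfs/client.xxxx.xx@XX.XXXX.XX has usable types 23, 3 and 1, all of them weak, and no strong (3DES or AES) key at all; the same check against real `klist -k -e` output and the `handle_gssd_upcall` line from /var/log/messages tells you quickly whether a mount is relying on DES/RC4 keys or whether the keytab and kernel simply have no enctype in common.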




