Cannot mount nfsv4 krb5.
Patrik Martinsson
Patrik.Martinsson at smhi.se
Wed Aug 4 11:56:36 EDT 2010
I'm answering my own email; the problem is solved. An update to
libtirpc-0.2.1-1.bz613682.el6.x86_64.rpm
solves my issue (quick answer on the Red Hat bugzilla). Check
https://bugzilla.redhat.com/show_bug.cgi?id=621238 for
more details, and https://bugzilla.redhat.com/show_bug.cgi?id=613682.
Best regards,
Patrik Martinsson, Sweden.
On 08/04/2010 05:41 PM, Patrik Martinsson wrote:
> Hello everyone,
>
> I'm not sure whether this is a bug or what's going on, but I can't get it to
> work.
> I posted a bug at Red Hat's bugzilla, but since it's not a blocker issue I
> don't know how much they are looking into my issue, so I figured I might get
> a quicker answer here.
>
> I'm on RHEL 6 Beta 2, Refresh.
>
> Here's what I wrote in my bug report; maybe someone has had a similar
> issue?
>
> Description of problem:
> Not really sure this is a bug in krb5, but I suspect so. I can't mount nfsv4
> with krb5; without the sec=krb5 option it works like a charm.
>
> Version-Release number of selected component (if applicable):
>
> krb5-libs-1.8.2-2.el6.x86_64
> krb5-workstation-1.8.2-2.el6.x86_64
> gssdp-0.7.1-1.el6.x86_64
>
> How reproducible:
> Always.
>
> Steps to Reproduce:
>
> # /etc/krb5.conf
> [libdefaults]
> default_realm = XX.XXXX.XX
> clockskew = 300
> dns_lookup_realm = true
> dns_lookup_kdc = true
> default_tkt_enctypes = des-cbc-md5
> default_tgs_enctypes = des-cbc-md5
> forwardable = true
> allow_weak_crypto = true
>
> [realms]
> XX.XXXX.XX = {
> default_domain = XX.XXXX.XX
> }
>
> [logging]
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
> default = SYSLOG:NOTICE:DAEMON
>
> [domain_realm]
> .XX.XXXX.XX = XX.XXXX.XX
> .xxxx.xx = XX.XXXX.XX
>
> # /etc/idmapd.conf
> Domain = xxxx.xx
>
> # /etc/sysconfig/nfs
> RPCIDMAPDARGS="-vvvv"
> SECURE_NFS="yes"
> RPCGSSDARGS="-vvvv"
> RPCSVCGSSDARGS="-vvvv"
>
> # Stop all relevant services
> /etc/init.d/rpcbind stop; /etc/init.d/rpcgssd stop; /etc/init.d/rpcidmapd stop; /etc/init.d/nfs stop
>
> # Make sure we are not in domain, leave and flush keytab.
> net ads leave -U xx%xx
> net ads keytab flush -U xx%xx
>
> # Make sure we have no tickets/keytabs or whatsoever.
> kdestroy
> rm -rf /etc/krb5.keytab
> rm -rf /tmp/kr*
>
> # Join machine to AD and create computer account with both service principal
> and user principal.
> net ads join createupn="nfs/$HOSTNAME@XX.XXXX.XX" createcomputer="/FOO/BAR" osName="Linux Red Hat Workstation" osVer="6" -U xx%xx
>
> # Add nfs principal to keytab; there is already one entry (with different
> encryptions) so I'm not totally sure if this is needed.
> net ads keytab add nfs -U xx%xx
> This is the nfs section before I issue the following command,
> 2 08/04/10 16:32:03 nfs/client.xxxx.xx@XX.XXXX.XX (DES cbc mode with CRC-32)
> 2 08/04/10 16:32:03 nfs/client.xxxx.xx@XX.XXXX.XX (DES cbc mode with RSA-MD5)
> 2 08/04/10 16:32:03 nfs/client.xxxx.xx@XX.XXXX.XX (ArcFour with HMAC/md5)
> -- After --
> 2 08/04/10 16:33:18 nfs/client.xxxx.xx@XX.XXXX.XX (DES cbc mode with CRC-32)
> 2 08/04/10 16:33:18 nfs/client.xxxx.xx@XX.XXXX.XX (DES cbc mode with RSA-MD5)
> 2 08/04/10 16:33:18 nfs/client.xxxx.xx@XX.XXXX.XX (ArcFour with HMAC/md5)
> 2 08/04/10 16:33:19 nfs/CLIENT@XX.XXXX.XX (DES cbc mode with CRC-32)
> 2 08/04/10 16:33:19 nfs/CLIENT@XX.XXXX.XX (DES cbc mode with RSA-MD5)
> 2 08/04/10 16:33:19 nfs/CLIENT@XX.XXXX.XX (ArcFour with HMAC/md5)
>
> # Now we have joined the machine (created a machine account) and we have a keytab
> that looks ok. Start the relevant services.
> /etc/init.d/rpcbind start; /etc/init.d/rpcgssd start; /etc/init.d/rpcidmapd start; /etc/init.d/nfs start
>
> # Issue mount command,
> mount -t nfs4 -o sec=krb5 xx:/xx/xx/xx/ /nfstest/ -vvvvv
>
> # Output,
> -- mount --
> mount: fstab path: "/etc/fstab"
> mount: mtab path: "/etc/mtab"
> mount: lock path: "/etc/mtab~"
> mount: temp path: "/etc/mtab.tmp"
> mount: spec: "xx:/xx/xx/xx/"
> mount: node: "/nfstest/"
> mount: types: "nfs4"
> mount: opts: "sec=krb5"
> mount: external mount: argv[0] = "/sbin/mount.nfs4"
> mount: external mount: argv[1] = "xx:/xx/xx/xx/"
> mount: external mount: argv[2] = "/nfstest/"
> mount: external mount: argv[3] = "-v"
> mount: external mount: argv[4] = "-o"
> mount: external mount: argv[5] = "rw,sec=krb5"
> mount.nfs4: timeout set for Wed Aug 4 16:24:41 2010
> mount.nfs4: text-based options: 'sec=krb5,clientaddr=xx.xx.x.xx,addr=xxx.xx.xx.xx'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting xx:/xx/xx/xx/
>
> -- /var/log/messages --
> Aug 4 14:45:09 client rpc.idmapd[4656]: New client: 13
> Aug 4 14:45:09 client rpc.idmapd[4656]: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt13/idmap
> Aug 4 14:45:09 client rpc.idmapd[4656]: New client: 14
> Aug 4 14:45:09 client rpc.gssd[4635]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
> Aug 4 14:45:09 client rpc.gssd[4635]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> Aug 4 14:45:09 client rpc.gssd[4635]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
> Aug 4 14:45:09 client rpc.gssd[4635]: process_krb5_upcall: service is '<null>'
> Aug 4 14:45:09 client rpc.gssd[4635]: Full hostname for 'xx.xxxx.xx' is 'xx.xx.xx'
> Aug 4 14:45:09 client rpc.gssd[4635]: Full hostname for 'client.xxxx.xx' is 'client.xxxx.xx'
> Aug 4 14:45:09 client rpc.gssd[4635]: Key table entry not found while getting keytab entry for ' root/client.xxxx.xx@XX.XXXX.XX'
> Aug 4 14:45:09 client rpc.gssd[4635]: Success getting keytab entry for 'nfs/client.xxxx.xx@XX.XXXX.XX'
> Aug 4 14:45:09 client rpc.gssd[4635]: Successfully obtained machine credentials for principal ' nfs/client.xxxx.xx@XX.XXXX.XX' stored in ccache 'FILE:/tmp/krb5cc_machine_XX.XXXX.XX'
> Aug 4 14:45:09 client rpc.gssd[4635]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XX.XXXX.XX' are good until 1280961909
> Aug 4 14:45:09 client rpc.gssd[4635]: using FILE:/tmp/krb5cc_machine_XX.XXXX.XX as credentials cache for machine creds
> Aug 4 14:45:09 client rpc.gssd[4635]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XX.XXXX.XX
> Aug 4 14:45:09 client rpc.gssd[4635]: creating context using fsuid 0 (save_uid 0)
> Aug 4 14:45:09 client rpc.gssd[4635]: creating tcp client for server xx.xxxx.xx
> Aug 4 14:45:09 client rpc.gssd[4635]: DEBUG: port already set to 2049
> Aug 4 14:45:09 client rpc.gssd[4635]: creating context with server nfs@xx.xxxx.xx
> Aug 4 14:45:09 client rpc.gssd[4635]: WARNING: Failed to create krb5 context for user with uid 0 for server xx.xxxx.xx
> Aug 4 14:45:09 client rpc.gssd[4635]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XX.XXXX.XX for server xx.xxxx.xx
> Aug 4 14:45:09 client rpc.gssd[4635]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server xx.xxxx.xx
> Aug 4 14:45:09 client rpc.gssd[4635]: Full hostname for 'xx.xxxx.xx' is 'xx.xxxx.xx'
> Aug 4 14:45:09 client rpc.gssd[4635]: Full hostname for 'client.xx.xxxx.xx' is 'client.xx.xxxx.xx'
> Aug 4 14:45:09 client rpc.gssd[4635]: Key table entry not found while getting keytab entry for 'root/client.xxxx.xx@XX.XXXX.XX'
> Aug 4 14:45:09 client rpc.gssd[4635]: Success getting keytab entry for 'nfs/client.xxxx.xx@XX.XXXX.XX'
> Aug 4 14:45:09 client rpc.gssd[4635]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XX.XXXX.XX' are good until 1280961909
> Aug 4 14:45:09 client rpc.gssd[4635]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XX.XXXX.XX' are good until 1280961909
> Aug 4 14:45:09 client rpc.gssd[4635]: using FILE:/tmp/krb5cc_machine_XX.XXXX.XX as credentials cache for machine creds
> Aug 4 14:45:09 client rpc.gssd[4635]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XX.XXXX.XX
> Aug 4 14:45:09 client rpc.gssd[4635]: creating context using fsuid 0 (save_uid 0)
> Aug 4 14:45:09 client rpc.gssd[4635]: creating tcp client for server xx.xxxx.xx
> Aug 4 14:45:09 client rpc.gssd[4635]: DEBUG: port already set to 2049
> Aug 4 14:45:09 client rpc.gssd[4635]: creating context with server nfs@xx.xxxx.xx
> Aug 4 14:45:09 client rpc.gssd[4635]: WARNING: Failed to create krb5 context for user with uid 0 for server xx.xxxx.xx
> Aug 4 14:45:09 client rpc.gssd[4635]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XX.XXXX.XX for server xx.xxxx.xx
> Aug 4 14:45:09 client rpc.gssd[4635]: WARNING: Failed to create machine krb5 context with any credentials cache for server xx.xxxx.xx
> Aug 4 14:45:09 client rpc.gssd[4635]: doing error downcall
> Aug 4 14:45:09 client rpc.idmapd[4656]: Stale client: 13
> Aug 4 14:45:09 client rpc.idmapd[4656]: #011-> closed /var/lib/nfs/rpc_pipefs//nfs/clnt13/idmap
> Aug 4 14:45:09 client rpc.idmapd[4656]: Stale client: 14
> Aug 4 14:45:09 client rpc.idmapd[4656]: #011-> closed /var/lib/nfs/rpc_pipefs//nfs/clnt14/idmap
> Aug 4 14:45:09 client rpc.gssd[4635]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt14
> Aug 4 14:45:09 client rpc.gssd[4635]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt13
>
> Actual results:
> mount.nfs4: access denied by server while mounting xx:/xx/xx/xx/
>
> Expected results:
> A successful mount.
>
> Additional info:
> If I do the exact same steps on a Fedora 10 client this method works.
> Is there something I'm missing?
>
> Btw.
> This thread has kinda the same issue; it seems to work if he downgrades his krb.
> I tried that, but without luck.
> I downgraded my krb5-libs/krb5-workstation and gssdp, but without success; maybe there are some more packages involved..?
>
>
> My bug report is at https://bugzilla.redhat.com/show_bug.cgi?id=621238
>
> Best Regards,
> Patrik Martinsson, Sweden.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
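Added example, not part of the original thread: a small Python check of the two things the gssd log above exposes before the libtirpc fix was known. It parses a `klist -kte` listing in the shape quoted in the post and the `enctypes=` list from the `handle_gssd_upcall` line, confirms an `nfs/<fqdn>@REALM` key is present, and flags the case where the only overlap with what the kernel offered is DES/RC4 (the enctypes that `allow_weak_crypto = true` in the quoted krb5.conf permits). Hostnames, realm and the listing are constructed; the archive renders `@` as ` at `, the code uses the real `@`.

```python
import re

# Enctype numbers as they appear in rpc.gssd's upcall line (RFC 3961 / RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single DES and RC4: only usable with allow_weak_crypto

# Descriptive strings printed by `klist -kte`, mapped back to enctype numbers.
KLIST_DESC_TO_ENCTYPE = {"DES cbc mode with CRC-32": 1, "DES cbc mode with RSA-MD5": 3,
                         "ArcFour with HMAC/md5": 23, "Triple DES cbc mode with HMAC/sha1": 16,
                         "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
                         "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18}
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+([^@\s]+)@(\S+)\s+\((.+)\)\s*$")
UPCALL_ENCTYPES = re.compile(r"enctypes=([\d,]+)")

def parse_klist(text):
    """Yield (kvno, principal, realm, enctype) for each `klist -kte` entry line."""
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvno, princ, realm, desc = m.groups()
            yield int(kvno), princ, realm, KLIST_DESC_TO_ENCTYPE.get(desc)

def parse_upcall_enctypes(log_line):
    """Extract the enctype list the kernel offered in a handle_gssd_upcall log line."""
    m = UPCALL_ENCTYPES.search(log_line)
    return [int(n) for n in m.group(1).split(",")] if m else []

def audit_nfs_keytab(klist_text, fqdn, realm, offered):
    """Check the nfs/<fqdn>@REALM keys against the enctypes the client upcall offered."""
    wanted = f"nfs/{fqdn}"
    in_keytab = {e for _, p, r, e in parse_klist(klist_text)
                 if p == wanted and r == realm and e is not None}
    usable = in_keytab & set(offered)
    return {"principal_present": bool(in_keytab),
            "usable": sorted(ENCTYPE_NAMES[e] for e in usable),
            "weak_only": bool(usable) and usable <= WEAK_ENCTYPES}

# Constructed sample in the shape of the listing and log line quoted in the post.
SAMPLE_KLIST = """KVNO Timestamp         Principal
   2 08/04/10 16:33:18 nfs/client.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   2 08/04/10 16:33:18 nfs/client.example.test@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
   2 08/04/10 16:33:18 nfs/client.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
   2 08/04/10 16:33:19 nfs/CLIENT@EXAMPLE.TEST (ArcFour with HMAC/md5)
"""
SAMPLE_UPCALL = "rpc.gssd[4635]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '"
if __name__ == "__main__":
    print(audit_nfs_keytab(SAMPLE_KLIST, "client.example.test", "EXAMPLE.TEST", parse_upcall_enctypes(SAMPLE_UPCALL)))
```

A `weak_only` result of True means the mount can only succeed while the client keeps `allow_weak_crypto` on; the fix is to re-key the service principal with AES enctypes rather than to keep the weak types enabled.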