kerberos & cron - specifically nfsv4 w/sec=krb5p

Matt Garman matthew.garman at gmail.com
Tue Sep 18 17:00:11 EDT 2012 

On Tue, Sep 18, 2012 at 3:20 PM, Frank Cusack <frank at linetwo.net> wrote:
> Since you are initializing the ccache in the crontab itself, first of all
> make sure your kinit command is placing the ccache in the correct (for gssd)
> location.  If that's fine (log the output of klist somewhere to be sure)
> then you are going to have to debug gssd.  You can run it in the foreground
> in another window and see why it is failing.  Sounds like this happens
> quickly so you'll be able to iterate quickly.  You can set your ticket
> lifetime down to 1 minute to make it go faster.

OK, I'm trying exactly that, but not coming up with anything obviously
wrong (to me anyway).  Hoping some more some experienced eyes might
catch something that I'm not.  Below, I have the output from three
different terminals: (1) the root terminal of the client machine
w/rpc.gssd running, (2) the user ("matt") terminal of the client
machine running kinit and trying to view his share, and (3) the root
terminal of the server w/rpc.svcgssd running.

I inserted a few of my own comments, so you can follow what events
triggered what log messages.

=== CLIENT MACHINE, ROOT TERMINAL ===
[root at lnxsvr95 ~]# rpc.gssd -f -vvv -rrr
--- startup ---
Using keytab file '/etc/krb5.keytab'
Processing keytab entry for principal 'nfs/lnxsvr95.mydomain.com at MYDOMAIN.COM'
We will use this entry (nfs/lnxsvr95.mydomain.com at MYDOMAIN.COM)
Processing keytab entry for principal 'host/lnxsvr95.mydomain.com at MYDOMAIN.COM'
We will NOT use this entry (host/lnxsvr95.mydomain.com at MYDOMAIN.COM)
Using (machine) credentials cache: 'MEMORY:/tmp/krb5cc_machine_MYDOMAIN.COM'

--- mounting the nfsv4 share ---
handling krb5 upcall
Using keytab file '/etc/krb5.keytab'
INFO: Credentials in CC 'MEMORY:/tmp/krb5cc_machine_MYDOMAIN.COM' are
good until 1348036914
using MEMORY:/tmp/krb5cc_machine_MYDOMAIN.COM as credentials cache for
machine creds
using environment variable to select krb5 ccache
MEMORY:/tmp/krb5cc_machine_MYDOMAIN.COM
creating context using fsuid 0 (save_uid 0)
creating tcp client for server lnxutil6.mydomain.com
creating context with server nfs at lnxutil6.mydomain.com
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
doing downcall

--- trying to ls a mode 700 directory on the nfsv4 share ---
handling krb5 upcall
getting credentials for client with uid 502 for server lnxutil6.mydomain.com
CC file 'krb5cc_529_iJEIV30226' being considered
'/tmp/krb5cc_529_iJEIV30226' owned by 529, not 502
CC file 'krb5cc_507_zBnpJ16105' being considered
'/tmp/krb5cc_507_zBnpJ16105' owned by 507, not 502
[ ... snip, repeats for many various users ... ]
CC file 'krb5cc_502' being considered
CC file 'krb5cc_502' matches owner check and has mtime of 1348000957
CC file 'krb5cc_520_TpCqIK9958' being considered
using FILE:/tmp/krb5cc_502 as credentials cache for client with uid
502 for server lnxutil6.mydomain.com
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_502
creating context using fsuid 502 (save_uid 0)
creating tcp client for server lnxutil6.mydomain.com
creating context with server nfs at lnxutil6.mydomain.com
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
doing downcall


=== CLIENT MACHINE, USER TERMINAL ===
$ kinit -V -k -t matt.keytab -l 2m matt/cron
Authenticated to Kerberos v5

$ klist
Ticket cache: FILE:/tmp/krb5cc_502
Default principal: matt/cron at MYDOMAIN.COM

Valid starting     Expires            Service principal
09/18/12 15:42:29  09/18/12 15:44:37  krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
        renew until 09/18/12 15:42:29
09/18/12 15:42:33  09/18/12 15:44:37  nfs/lnxutil6.mydomain.com at MYDOMAIN.COM
        renew until 09/18/12 15:42:29


Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached


=== SERVER MACHINE, ROOT TERMINAL ===
[root at lnxutil6 log]# rpc.svcgssd -f -vvv -rrr
Warning: rpcsec_gss library does not support setting debug level
entering poll

--- mounting the nfsv4 share ---
leaving poll
handling null request
sname = nfs/lnxsvr95.mydomain.com at MYDOMAIN.COM
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
doing downcall
mech: krb5, hndl len: 4, ctx len 85, timeout: 1348036914 (35983 from
now), clnt: nfs at lnxsvr95.mydomain.com, uid: -1, gid: -1, num aux grps:
0:
sending null reply
writing message: \x \x6082...[truncated]
finished handling null request
entering poll

--- trying to ls a mode 700 directory on the nfsv4 share ---
leaving poll
handling null request
sname = matt/cron at MYDOMAIN.COM
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
doing downcall
mech: krb5, hndl len: 4, ctx len 85, timeout: 1348001077 (116 from
now), clnt: matt at cron, uid: -1, gid: -1, num aux grps: 0:
sending null reply
writing message: \x \x6082...[truncated]
finished handling null request
entering poll

=== end of logs ===

If it's not obvious, the uid of user "matt" is 502.  lnxutil6 is the
nfs server, and lnxsvr95 is the client.

Thanks again!
Matt

More information about the Kerberos mailing list