Newbie nfsv4 debian, netapp

Frédéric Goudal frederic.goudal at ipb.fr
Fri Oct 25 09:04:00 EDT 2013


That's the trail I'm following, but with no clear result:

After the mount I have the following:

25/10/2013 14:07:45  26/10/2013 14:07:44  krbtgt/DO.M at DO.M
	Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96 
25/10/2013 14:07:45  26/10/2013 14:07:44  nfs/server at DO.M
	Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96 

So it seems that the des-cbc-crc is on each.

I have activated a lot of logging, and this is what I see in the end:

Success getting keytab entry for 'nfs/client at DO.M'
Oct 25 14:20:55 wheezy32 rpc.gssd[1862]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DO.M' are good until 1382789264
Oct 25 14:20:55 wheezy32 rpc.gssd[1862]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DO.M' are good until 1382789264
Oct 25 14:20:55 wheezy32 rpc.gssd[1862]: using FILE:/tmp/krb5cc_machine_DO.M as credentials cache for machine creds
Oct 25 14:20:55 wheezy32 rpc.gssd[1862]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_DO.M
Oct 25 14:20:55 wheezy32 rpc.gssd[1862]: creating context using fsuid 0 (save_uid 0)
Oct 25 14:20:55 wheezy32 rpc.gssd[1862]: creating tcp client for server serveur
Oct 25 14:20:55 wheezy32 rpc.gssd[1862]: DEBUG: port already set to 2049
Oct 25 14:20:55 wheezy32 rpc.gssd[1862]: creating context with server nfs at serveur
Oct 25 14:20:55 wheezy32 rpc.gssd[1862]: WARNING: Failed to create krb5 context for user with uid 0 for serveur
Oct 25 14:20:55 wheezy32 rpc.gssd[1862]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_DO.M for server serveur
Oct 25 14:20:55 wheezy32 rpc.gssd[1862]: WARNING: Failed to create machine krb5 context with any credentials cache for server serveur

From what I saw it could be a srvgssd problem, but on the netapp side...

Btw, when you write KDB, is it the KDC or the keytab of the netapp filer?

Thanks 

f.g.



On 25 Oct 2013, at 14:29, Thomas Krauss - ITServ GmbH <thomas.krauss at itserv.de> wrote:

> Two possible solutions:
> a.) Delete all but DES keys from NetApp's nfs principal in KDB.
> b.) Configure default_tgs_enctypes to only use DES
> 
> In fact it works with arcfour as well but Netapp does not support it officially.
> 
> 
>  
>  
> -----Original Message-----
> > From: Frédéric Goudal <frederic.goudal at ipb.fr>
> > Sent: Fri 25 October 2013 09:17
> > To: Thomas Krauss - ITServ GmbH <thomas.krauss at itserv.de>
> > CC: Frédéric Goudal <frederic.goudal at ipb.fr>; kerberos at mit.edu
> > Subject: Re: Newbie nfsv4 debian, netapp
> > 
> > Ok, you are right.
> > 
> > What I did was mount.nfs4 -o sec=krb5 
> > But the correct command is 
> > mount -t nfs -o "vers=4,sec=krb5"
> > 
> > The result is:
> > 
> > Oct 25 08:47:02 kerberos krb5kdc[2631](info): AS_REQ (2 etypes {16 17}) 147.210.18.37: NEEDED_PREAUTH: nfs/client.fqdnr at IPB.FR for krbtgt/DO.M at DO.M, Additional pre-authentication required
> > Oct 25 08:47:02 kerberos krb5kdc[2631](info): AS_REQ (2 etypes {16 17}) 147.210.18.37: ISSUE: authtime 1382683622, etypes {rep=16 tkt=18 ses=16}, nfs/client.fqdnr at DO.M for krbtgt/DO.M at DO.M
> > Oct 25 08:47:03 kerberos krb5kdc[2631](info): TGS_REQ (2 etypes {16 17}) 147.210.18.37: ISSUE: authtime 1382683622, etypes {rep=16 tkt=18 ses=16}, nfs/client.fqdnr at DO.M for nfs/serv.fqdn at DO.M
> > 
> > So as far as I understand, it seems that the service ticket to access the nfs server is delivered.
> > 
> > But on the netapp filer I have 
> > Kerberos: encryption type 18 not supported
> > 
> > From what I read in the netapp doc it seems that the netapp only supports des + crc encryption
> > 
> > I tried to remove all but (des-cbc-crc) encryption in the /etc/krb5.keytab on the client for the nfs/client principal
> > but the kerberos server does not go further than needed_preauth...
> > 
> > I guess I have something to do in the configuration so that des encryption can be used?
> > 
> > f.g.
> > 
> > 
> > On 25 Oct 2013, at 08:14, Tom_Krauss <thomas.krauss at itserv.de> wrote:
> > 
> > > You probably do not mount kerberized at all.
> > > Use "mount -o sec=krb5 ..." or change the clients defaults.
> > > 
> > > Hth
> > > 
> > > 
> > > 
> > 
> > 
> 
> 
> --
> Information pursuant to §35a GmbH-Gesetz:
> ITServ GmbH
> Registered office: 55294 Bodenheim/Rhein
> Registered under number HRB 41668 at Amtsgericht Mainz
> Authorized managing director: Peter Bauer, 55294 Bodenheim
> VAT ID: DE182270475
> 
> 
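
Added example, not part of the original thread: a small audit of krb5kdc "ISSUE" lines in the format quoted above, flagging tickets whose ticket or session-key enctype the target service cannot handle (the "encryption type 18 not supported" case). The principal names, the sample log lines and the SERVICE_ETYPES table are constructed assumptions; real logs write principals with "@", which this archive renders as " at ".

```python
import re

# Enctype numbers and the names MIT krb5 uses for them.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "arcfour-hmac"}

# Assumption: enctypes each service can decrypt, maintained by the admin.
# Here a hypothetical filer that only handles des-cbc-crc.
SERVICE_ETYPES = {"nfs/filer.example.test@EXAMPLE.TEST": {1}}

ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[\d ]*\}\) \S+: ISSUE: "
    r"authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

def audit(lines, service_etypes=SERVICE_ETYPES):
    """Return (service, field, enctype name) for each unusable enctype issued."""
    findings = []
    for line in lines:
        m = ISSUE_RE.search(line)
        if not m or m["service"] not in service_etypes:
            continue  # not an ISSUE line, or a service we have no data for
        supported = service_etypes[m["service"]]
        for field in ("tkt", "ses"):  # ticket key type, session key type
            etype = int(m[field])
            if etype not in supported:
                findings.append((m["service"], field,
                                 ETYPE_NAMES.get(etype, f"etype {etype}")))
    return findings

# Constructed sample lines (not taken from the thread's KDC).
P = "Oct 25 08:47:03 kdc krb5kdc[2631](info): "
C = "nfs/client.example.test@EXAMPLE.TEST"
F = "nfs/filer.example.test@EXAMPLE.TEST"
SAMPLE = [
    P + "AS_REQ (2 etypes {16 17}) 192.0.2.10: NEEDED_PREAUTH: " + C
      + " for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    P + "AS_REQ (2 etypes {16 17}) 192.0.2.10: ISSUE: authtime 1382683622, "
      + "etypes {rep=16 tkt=18 ses=16}, " + C + " for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    P + "TGS_REQ (2 etypes {16 17}) 192.0.2.10: ISSUE: authtime 1382683622, "
      + "etypes {rep=16 tkt=18 ses=16}, " + C + " for " + F,
    P + "TGS_REQ (1 etypes {1}) 192.0.2.10: ISSUE: authtime 1382683700, "
      + "etypes {rep=1 tkt=1 ses=1}, " + C + " for " + F,
]

if __name__ == "__main__":
    for service, field, etype in audit(SAMPLE):
        print(f"{service}: {field} enctype {etype} is not supported by the service")
```
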



