
List:       linux-nfsv4
Subject:    Help needed on Kerberos and NFS 4 - for article in Linux Magazine
From:       Markus Feilner <lists () feilner-it ! net>
Date:       2008-09-12 9:59:57
Message-ID: 200809120959.57632.lists () feilner-it ! net

Hello List,

I am an editor at the German Linux Magazine and, together with a colleague, I 
am trying to get NFS4 running with Kerberos support. We have set up a KDC and 
the NFS server and client on Ubuntu, but we are constantly running into 
problems. 
The article will be on performance tests of NFSv4, but at the moment we are 
stuck in the middle because the Kerberos setup fails.
We have successfully installed and configured Kerberos and NFS4, the kernel 
supports it, and modules load fine.
A first principal has been generated, and a TGT for the user is created, 
machine credentials and keys have been created and placed on the servers.
The keytab files look fine, and the NFS config looks like this:
#######
Server:

/etc/default/nfs-common:
NEED_IDMAPD=yes

/etc/default/nfs-kernel-server:
NEED_SVCGSSD=yes
#######

Client:

/etc/default/nfs-common:

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

Server:

/etc/exports:

/export       gss/krb5(rw,fsid=0,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)

#####

However, a mount command like this fails:

root@lab5:~# mount -t nfs4 -o sec=krb5,proto=tcp,port=2049 lab8.linux-magazin.de:/ /mnt
mount.nfs4: access denied by server while mounting lab8.linux-magazin.de:/

and we still get the following error messages:

Sep 10 11:21:16 lab5 rpc.gssd[4514]: handling krb5 upcall 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Full hostname for 'lab8.linux-magazin.de' 
is 'lab8.linux-magazin.de' 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Full hostname for 'lab5.linux-magazin.de' 
is 'lab5.linux-magazin.de' 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting 
keytab entry for 'root/lab5.linux-magazin.de@LINUX-MAGAZIN.DE' 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting 
keytab entry for 'nfs/lab5.linux-magazin.de@LINUX-MAGAZIN.DE' 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting 
keytab entry for 'host/lab5.linux-magazin.de@LINUX-MAGAZIN.DE' 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Success getting keytab entry for 
nfs/*@LINUX-MAGAZIN.DE 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Successfully obtained machine credentials 
for principal 'nfs/lab8.linux-magazin.de@LINUX-MAGAZIN.DE' stored in 
ccache 'FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE' 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: INFO: Credentials in 
CC 'FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE' are good until 1221074476 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: using 
FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE as credentials cache for machine 
creds 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: using environment variable to select krb5 
ccache FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: creating context using fsuid 0 (save_uid 
0) 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: creating tcp client for server 
lab8.linux-magazin.de 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: creating context with server 
nfs@lab8.linux-magazin.de 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: in authgss_create_default()
Sep 10 11:21:16 lab5 rpc.gssd[4514]: in authgss_create()
Sep 10 11:21:16 lab5 rpc.gssd[4514]: authgss_create: name is 0x805a190
Sep 10 11:21:16 lab5 rpc.gssd[4514]: authgss_create: gd->name is 0x80590f0
Sep 10 11:21:16 lab5 rpc.gssd[4514]: in authgss_refresh()
Sep 10 11:21:16 lab5 rpc.gssd[4514]: struct rpc_gss_sec: 
Sep 10 11:21:16 lab5 rpc.gssd[4514]:      mechanism_OID: { 1 2 134 72 134 247 
18 1 2 2 } 
Sep 10 11:21:16 lab5 rpc.gssd[4514]:      qop: 0 
Sep 10 11:21:16 lab5 rpc.gssd[4514]:      service: 1 
Sep 10 11:21:16 lab5 rpc.gssd[4514]:      cred: 0x805b070 
Sep 10 11:21:16 lab5 rpc.gssd[4514]:      req_flags: 00000002 
Sep 10 11:21:16 lab5 rpc.gssd[4514]: in authgss_marshal()
Sep 10 11:21:16 lab5 rpc.gssd[4514]: xdr_rpc_gss_buf: encode success ((nil):0)
Sep 10 11:21:16 lab5 rpc.gssd[4514]: xdr_rpc_gss_cred: encode success (v 1, 
proc 1, seq 0, svc 1, ctx (nil):0)
Sep 10 11:21:16 lab5 rpc.gssd[4514]: in authgss_wrap()
Sep 10 11:21:16 lab5 rpc.gssd[4514]: xdr_rpc_gss_buf: encode success 
(0x806c068:529)
Sep 10 11:21:16 lab5 rpc.gssd[4514]: xdr_rpc_gss_init_args: encode success 
(token 0x806c068:529)
Sep 10 11:21:41 lab5 rpc.gssd[4514]: authgss_create_default: freeing name 
0x805a190
Sep 10 11:21:41 lab5 rpc.gssd[4514]: WARNING: Failed to create krb5 context 
for user with uid 0 for server lab8.linux-magazin.de 
Sep 10 11:21:41 lab5 rpc.gssd[4514]: WARNING: Failed to create krb5 context 
for user with uid 0 with credentials cache 
FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE for server lab8.linux-magazin.de 
Sep 10 11:21:41 lab5 rpc.gssd[4514]: WARNING: Failed to create krb5 context 
for user with uid 0 with any credentials cache for server 
lab8.linux-magazin.de 
Sep 10 11:21:41 lab5 rpc.gssd[4514]: doing error downcall 
Sep 10 11:21:41 lab5 rpc.gssd[4514]: Failed to write error downcall! 
Sep 10 11:21:41 lab5 rpc.gssd[4514]: destroying client clnt1 
Sep 10 11:21:41 lab5 rpc.gssd[4514]: destroying client clnt0 

===============================================================================


What did we miss? Anything obvious?

Please help, and feel free to send me a PM to mfeilner@linuxnewmedia.de
I can provide more information if you need it.

Thanks a lot in advance!
-- 

Best Regards - Mit freundlichen Gruessen
Markus Feilner

-------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminare und Workshops - auch Inhouse
Koetztingerstr 6c                93057 Regensburg
Telefon:                        +49 941 8 10 79 89
Mobil:                           +49 170 3 02 70 92
WWW: www.feilner-it.net mail: mfeilner@feilner-it.net
--------------------------------------
OPENVPN : Building and Integrating Virtual Private Networks
http://www.packtpub.com/openvpn/book
SCALIX Linux Administrator's Guide
My new book - Out now: http://www.packtpub.com/scalix/book
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
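
Added example, not part of the original post: a small Python triage script for rpc.gssd debug output like the log above. It lists which keytab principals were looked up, which entry matched, which principal the machine credentials were obtained for, and whether that principal names a host other than the one running rpc.gssd (in the posted log, lab5 falls back to nfs/* and ends up with nfs/lab8...). The sample lines are constructed by unwrapping lines from the post; the function and field names are hypothetical.

```python
import re

# Constructed sample: keytab-related rpc.gssd lines from the post, unwrapped.
SAMPLE_LOG = """\
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting keytab entry for 'root/lab5.linux-magazin.de@LINUX-MAGAZIN.DE'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting keytab entry for 'nfs/lab5.linux-magazin.de@LINUX-MAGAZIN.DE'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting keytab entry for 'host/lab5.linux-magazin.de@LINUX-MAGAZIN.DE'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Success getting keytab entry for nfs/*@LINUX-MAGAZIN.DE
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Successfully obtained machine credentials for principal 'nfs/lab8.linux-magazin.de@LINUX-MAGAZIN.DE' stored in ccache 'FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE'
Sep 10 11:21:41 lab5 rpc.gssd[4514]: WARNING: Failed to create krb5 context for user with uid 0 for server lab8.linux-magazin.de
"""

HOSTTAG = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+rpc\.gssd\[")
MISS = re.compile(r"Key table entry not found while getting keytab entry for '([^']+)'")
HIT = re.compile(r"Success getting keytab entry for (\S+)")
CRED = re.compile(r"obtained machine credentials for principal '([^']+)'")
FAIL = re.compile(r"Failed to create krb5 context .*\bfor server (\S+)")


def principal_host(principal):
    """Host component of a service/host@REALM principal, or None."""
    m = re.match(r"[^/@]+/([^@]+)@", principal)
    return m.group(1) if m else None


def analyse(log_text):
    """Summarise which keytab principals rpc.gssd tried, matched and used."""
    r = {"local_host": None, "missing": [], "matched": None,
         "machine_principal": None, "failed_servers": set()}
    for line in log_text.splitlines():
        if r["local_host"] is None and (m := HOSTTAG.match(line)):
            r["local_host"] = m.group(1)
        if m := MISS.search(line):
            r["missing"].append(m.group(1))
        elif m := HIT.search(line):
            r["matched"] = m.group(1)
        elif m := CRED.search(line):
            r["machine_principal"] = m.group(1)
        elif m := FAIL.search(line):
            r["failed_servers"].add(m.group(1))
    # Compare first DNS labels: syslog may log a short name, the principal an FQDN.
    host = principal_host(r["machine_principal"] or "")
    r["principal_host_mismatch"] = bool(
        host and r["local_host"]
        and host.split(".")[0].lower() != r["local_host"].split(".")[0].lower())
    return r


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The script expects one log record per line, so mail-wrapped log text has to be unwrapped before it is fed in.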