2010-04-17 07:54:39

by Di Pe

Subject: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

Hi,

this looks like an issue with kerberos, but not 100% sure:

##############


I have a working configuration for Kerberized NFSv4 using Active
Directory 2003 functional level using
Kernel 2.6.27 with krb5 1.6.3 and gssd 1.1.3 on openSUSE 11.1. When I
switch to openSUSE 11.2 (Kernel 2.6.31, krb5 1.70, gssd 1.1.3)
rpc.gssd -fvvvvv shows this error message (Failed to create machine
krb5 context) and gives me more errors like "gss_create_upcall for uid
0 result -13" when I turn on rpc/nfs debugging using 'echo "65535" >
/proc/sys/sunrpc/rpc[nfs]_debug'

handling krb5 upcall
Full hostname for 'COMPUTRON.MYDOMAIN.ORG' is 'computron.mydomain.org'
Full hostname for 'phsgrid-03.fhcrc.org' is 'phsgrid-03.mydomain.org'
Key table entry not found while getting keytab entry for
'root/phsgrid-03.mydomain.org-7RAbkED+uC3Rnqqr4xx/[email protected]'
Success getting keytab entry for 'nfs/phsgrid-03.mydomain.org-7RAbkED+uC3Rnqqr4xx/[email protected]'
Successfully obtained machine credentials for principal
'nfs/phsgrid-03.mydomain.org-7RAbkED+uC3Rnqqr4xx/[email protected]' stored in ccache
'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
good until 1271522236
using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
machine creds
using environment variable to select krb5 ccache
FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
creating context using fsuid 0 (save_uid 0)
creating tcp client for server COMPUTRON.MYDOMAIN.ORG
DEBUG: port already set to 2049
creating context with server [email protected]
WARNING: Failed to create krb5 context for user with uid 0 for server
COMPUTRON.MYDOMAIN.ORG
WARNING: Failed to create machine krb5 context with credentials cache
FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG for server
COMPUTRON.MYDOMAIN.ORG
WARNING: Failed to create machine krb5 context with any credentials
cache for server COMPUTRON.MYDOMAIN.ORG
doing error downcall


Now when I replace krb5-1.7 with krb5-1.6.3 on openSUSE 11.2 everything
works again:

handling krb5 upcall
Full hostname for 'computron.mydomain.org' is 'computron.mydomain.org'
Full hostname for 'panther5.mydomain.org' is 'panther5.mydomain.org'
Key table entry not found while getting keytab entry for
'root/panther5.mydomain.org-7RAbkED+uC3Rnqqr4xx/[email protected]'
Success getting keytab entry for 'nfs/panther5.mydomain.org-7RAbkED+uC3Rnqqr4xx/[email protected]'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
good until 1271518766
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
good until 1271518766
using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
machine creds
using environment variable to select krb5 ccache
FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
creating context using fsuid 0 (save_uid 0)
creating tcp client for server computron.mydomain.org
creating context with server [email protected]
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
doing downcall


Going to openSUSE 11.3 (Kernel 2.6.34-rc3, gssd 1.2.1, krb5 1.8) does
not help either. Executing
mount -t nfs4 -o rsize=65536,wsize=65536,sec=krb5 computron:/tmp_iscsi tmp_iscsi
gives me the very same error message.

After that I tried to install the rpm package of krb5 1.8.1 and also
1.8.1 straight from source. I am always getting the same error message
"Failed to create krb5 context".

> cat /etc/krb5.conf
[libdefaults]
        default_realm = FHCRC.ORG
        clockskew = 300
        allow_weak_crypto = true
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
        #default_tkt_enctypes = des-cbc-md5
        #default_tgs_enctypes = des-cbc-md5
        #default_tkt_enctypes = rc4-hmac
        #default_tgs_enctypes = rc4-hmac
        #kdc_req_checksum_type = -138
        #ap_req_checksum_type = -138
        #safe_checksum_type = -138
        #ccache_type = 3
        #pkinit_eku_checking = kpServerAuth

>cat idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = mydomain.org
Local-Realm = MYDOMAIN.ORG

> klist -k -e -t
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/31/69 16:00:00 nfs/phsgrid-03.mydomain.org-7RAbkED+uC3Rnqqr4xx/[email protected] (DES cbc mode with CRC-32)


Thanks for your help


Attachments:
nfs-rpc-debugging.txt (27.10 kB)
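
The rpc.gssd traces in this message are the main diagnostic in the thread, and the difference between a good and a bad upcall is buried in the last line of each block. The script below is an added example, not code from the thread or from nfs-utils: it splits `rpc.gssd -fvvvvv` output into one record per `handling krb5 upcall` block and reports which upcalls ended in `doing error downcall` rather than `doing downcall`, together with the fsuid, server, keytab principal, credential cache, credential expiry and (on success) the serialized enctype it saw. The embedded log is a constructed, shortened copy of the two traces above; host and principal names are constructed to match the thread's placeholders, and the WARNING lines, which the mail client wrapped in the thread, are on single lines here as rpc.gssd prints them.

```python
"""Turn rpc.gssd -fvvvvv output into one record per krb5 upcall.

Added example, not code from the thread or from nfs-utils.  SAMPLE_LOG is a
constructed, shortened copy of the two traces quoted in the message.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a failing upcall (krb5 1.7) followed by a working one (krb5 1.6.3).
SAMPLE_LOG = """\
handling krb5 upcall
Success getting keytab entry for 'nfs/[email protected]'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are good until 1271522236
using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for machine creds
creating context using fsuid 0 (save_uid 0)
creating tcp client for server COMPUTRON.MYDOMAIN.ORG
creating context with server nfs@computron.mydomain.org
WARNING: Failed to create krb5 context for user with uid 0 for server COMPUTRON.MYDOMAIN.ORG
WARNING: Failed to create machine krb5 context with any credentials cache for server COMPUTRON.MYDOMAIN.ORG
doing error downcall
handling krb5 upcall
Success getting keytab entry for 'nfs/[email protected]'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are good until 1271518766
using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for machine creds
creating context using fsuid 0 (save_uid 0)
creating tcp client for server computron.mydomain.org
creating context with server nfs@computron.mydomain.org
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
doing downcall
"""


@dataclass
class Upcall:
    fsuid: Optional[int] = None
    server: Optional[str] = None
    principal: Optional[str] = None     # keytab principal used for machine creds
    ccache: Optional[str] = None
    good_until: Optional[int] = None    # credential expiry as Unix time
    enctype: Optional[int] = None       # only present once a context was serialized
    warnings: List[str] = field(default_factory=list)
    outcome: str = "incomplete"         # "ok", "error" or "incomplete"


FSUID_RE = re.compile(r"^creating context using fsuid (\d+)")
SERVER_RE = re.compile(r"^creating tcp client for server (\S+)$")
KEYTAB_RE = re.compile(r"^Success getting keytab entry for '([^']+)'$")
CCACHE_RE = re.compile(r"^using (\S+) as credentials cache for machine creds$")
EXPIRY_RE = re.compile(r"are good until (\d+)$")
ENCTYPE_RE = re.compile(r"serializing keys with enctype (\d+) and length (\d+)$")


def parse_gssd_log(text: str) -> List[Upcall]:
    """Split the trace at each 'handling krb5 upcall' and fill one Upcall per block."""
    upcalls: List[Upcall] = []
    cur: Optional[Upcall] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "handling krb5 upcall":
            cur = Upcall()
            upcalls.append(cur)
            continue
        if cur is None:
            continue                      # noise before the first upcall
        if m := FSUID_RE.match(line):
            cur.fsuid = int(m.group(1))
        elif m := SERVER_RE.match(line):
            cur.server = m.group(1)
        elif m := KEYTAB_RE.match(line):
            cur.principal = m.group(1)
        elif m := CCACHE_RE.match(line):
            cur.ccache = m.group(1)
        elif m := EXPIRY_RE.search(line):
            cur.good_until = int(m.group(1))
        elif m := ENCTYPE_RE.search(line):
            cur.enctype = int(m.group(1))
        elif line.startswith("WARNING:"):
            cur.warnings.append(line[len("WARNING:"):].strip())
        elif line == "doing error downcall":
            cur.outcome = "error"
        elif line == "doing downcall":
            cur.outcome = "ok"
    return upcalls


def failed_upcalls(upcalls: List[Upcall]) -> List[Upcall]:
    """The records worth alerting on: context creation ended in an error downcall."""
    return [u for u in upcalls if u.outcome == "error"]


def summarize(u: Upcall) -> str:
    """One line per upcall, suitable for a log-watch job."""
    return (f"{u.outcome}: uid={u.fsuid} server={u.server} principal={u.principal} "
            f"good_until={u.good_until} enctype={u.enctype} warnings={len(u.warnings)}")


if __name__ == "__main__":
    records = parse_gssd_log(SAMPLE_LOG)
    for rec in records:
        print(summarize(rec))
    print(f"{len(failed_upcalls(records))} of {len(records)} upcalls failed")
```

Run it against a saved `rpc.gssd -fvvvvv` capture (such as the attached nfs-rpc-debugging.txt) by reading the file into `parse_gssd_log`; a failing record whose `good_until` is still in the future and whose keytab principal was found, as in the first trace, tells you the credentials were obtained and the failure is in context establishment with the server, which is exactly the situation this message describes.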

2010-04-20 00:37:47

by Di Pe

Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

Thanks Jeff,

that's an interesting issue: https://bugzilla.redhat.com/show_bug.cgi?id=562807

I think the default change to --enable-tirpc was made in gssd 1.2.x
but one of my configurations that is not working is running nfs-client
1.1.3 (the current openSUSE 11.2/ kernel 2.6.31.12, krb5 1.7).

Nonetheless I patched libtirpc and then also compiled nfs-client with
--disable-tirpc both on openSUSE 11.2 and openSUSE 11.3. None of these
4 independent tests worked.

After that I went back to the test that was originally successful: I
also installed krb5 1.6.3 on openSUSE 11.3 replacing krb5 1.8 and voila,
it worked flawlessly. I think I need to go through the change logs
again. I would be glad if someone could give me some hints on how I could
get additional levels of debugging?

On another note: this PAC size issue is interesting. It seems to be an
ongoing problem over the last couple of years. I suspect most
krb5/gssd developers do not have an Active Directory infrastructure at
hand they can test against?
Going forward it may make sense to "fix" this issue on the
Microsoft end of things: http://support.microsoft.com/kb/832572 ?
However, this would result in a pretty unique environment because many
AD Admins would not bother with this setting nor would they know how
to apply it.

Thanks for your help so far.

I will test other distributions and see if that is any different.


On Sat, Apr 17, 2010 at 8:10 AM, Jeff Layton <[email protected]> wrote:
> On Sat, 17 Apr 2010 00:54:38 -0700
> Di Pe <[email protected]> wrote:
>
>
> Is the new nfs-utils compiled against libtirpc and the old one not? If
> so the problem may be that libtirpc wasn't allowing large enough
> tickets (AD tickets can be pretty large due to the presence of the PAC).
>
> Recent libtirpc has a patch which seems to fix this problem:
>
>    [PATCH] libtirpc: allow larger ticket sizes with RPCSEC_GSS
>
> --
> Jeff Layton <[email protected]>
>

2010-04-21 00:19:36

by Di Pe

Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

On Tue, Apr 20, 2010 at 6:19 AM, Kevin Coffman <[email protected]> wrote:
> Hi,
>
> If I read this right, you replaced krb5-1.8.1 with krb5-1.6.3 and it
> fixed the problem?
>
> As I noted in your original message, you had "allow_weak_crypto =
> true" in your krb5.conf. For NFS, this is required with krb5-1.8
> where DES is disabled by default. Are you certain you have this
> specified in your krb5-1.8.1 /etc/krb5.conf?


Yes, I'm positive. 1.8.1 does not work, 1.6.3 does! This is my current setting:

[libdefaults]
default_realm = FHCRC.ORG
clockskew = 300
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
allow_weak_crypto = true
forwardable = true

I should add one more thing: I was using 2 different NFS servers, a
NetApp 7.3.1.1 and Opentext NFS Maestro Server 2008 (formerly
Hummingbird) on Windows 2008 R2 (AD is still 2003 R2). I found out
today that the NetApp had a corrupted keytab and after repairing that
it works fine with 1.8.1. NFS Maestro still only works with 1.6.3.
Since I can use the 1.6.3 rpm package on newer distros I can live
with it for the moment if I block the rpm from getting updated, but
it's still kind of a hack.


>
> K.C.
>
> On Mon, Apr 19, 2010 at 8:37 PM, Di Pe <[email protected]> wrote:
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to [email protected]
>> More majordomo info at ?http://vger.kernel.org/majordomo-info.html
>>
>>
>

2010-04-21 13:32:57

by Di Pe

Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

Correction: I did not have this in my earlier testing:
permitted_enctypes = des-cbc-crc

It worked without permitted_enctypes on SUSE with krb5 1.6.3, but it
needed that setting with krb5 1.7, 1.8 and 1.8.1.

I also tried Ubuntu 10 with krb5 1.8.1 and the strange thing is that
it does not need any of the enctypes. It just works.

The opentext NFS server does not seem to offer any logging capability.

Thanks


On Tue, Apr 20, 2010 at 8:02 PM, Kevin Coffman <[email protected]> wrote:
> On Tue, Apr 20, 2010 at 8:19 PM, Di Pe <[email protected]> wrote:
>> On Tue, Apr 20, 2010 at 6:19 AM, Kevin Coffman <[email protected]> wrote:
>
> Do you have access to logs on the server that still doesn't work with
> 1.8.1? ?It seems odd that only this combination would fail.
>
> K.C.
>

2010-04-21 13:45:19

by Kevin Coffman

Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

This just makes me more confused. None of those "*enctype" settings
should be required for any of these versions of Kerberos or gssd. And
they will limit you to DES when the stronger encryption types become
available.

K.C.

On Wed, Apr 21, 2010 at 9:32 AM, Di Pe <[email protected]> wrote:

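Kevin's point above, that the `*enctypes` lines pin the client to single DES even once stronger enctypes are usable, can be checked mechanically against the `[libdefaults]` section Di Pe posted on Apr 21. The script below is an added example, not code from the thread or from MIT krb5: it parses flat `key = value` lines inside `[libdefaults]` (the nested `{ }` blocks used by other sections are deliberately not handled) and flags any enctype list made up solely of the DES and export-grade types that krb5 1.8 disables unless `allow_weak_crypto` is set. Both embedded configurations are constructed: the first reproduces the Apr 21 configuration from this thread, the second drops the three enctype lines while keeping `allow_weak_crypto`, the setting Kevin says NFS still needs with krb5 1.8.

```python
"""Lint the [libdefaults] section of a krb5.conf for DES-only enctype pinning.

Added example, not code from the thread or from MIT krb5.  Handles only flat
"key = value" lines inside [libdefaults]; the nested { } blocks used by other
sections (e.g. [realms]) are ignored on purpose.
"""
import re
from typing import Dict, List, Tuple

# Boolean spellings accepted by the krb5 profile library.
TRUE_VALUES = {"true", "t", "yes", "y", "on", "1"}
# The three lists from the thread that restrict which enctypes the client uses.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: the Apr 21 configuration quoted in this thread.
THREAD_CONF = """\
[libdefaults]
        default_realm = FHCRC.ORG
        clockskew = 300
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
        permitted_enctypes = des-cbc-crc
        allow_weak_crypto = true
        forwardable = true
"""

# Constructed sample: the same file with the three enctype lists removed.
LEANER_CONF = """\
[libdefaults]
        default_realm = FHCRC.ORG
        clockskew = 300
        allow_weak_crypto = true
        forwardable = true
"""


def parse_libdefaults(text: str) -> Dict[str, str]:
    """Return key/value pairs from [libdefaults]; comments and other sections are skipped."""
    section = None
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key.lower()] = value
    return values


def is_weak(enctype: str) -> bool:
    """Single-DES (des-*) and export-grade (*-exp) types, which krb5 1.8 disables
    unless allow_weak_crypto is set.  des3-* does not match the des- prefix."""
    name = enctype.lower()
    return name.startswith("des-") or name.endswith("-exp")


def lint_libdefaults(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; severity is "info", "warn" or "error"."""
    findings: List[Tuple[str, str]] = []
    weak_allowed = conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    if weak_allowed:
        findings.append(("info", "allow_weak_crypto is on: single-DES keys will be accepted"))
    for key in ENCTYPE_KEYS:
        if key not in conf:
            continue
        types = [t for t in re.split(r"[\s,]+", conf[key]) if t]
        weak = [t for t in types if is_weak(t)]
        if weak and len(weak) == len(types):
            findings.append(("warn", f"{key} lists only weak enctypes ({', '.join(types)}): "
                                     "stronger types offered by the KDC will never be used"))
            if not weak_allowed:
                findings.append(("error", f"{key} is DES-only but allow_weak_crypto is off: "
                                          "krb5 1.8 and later will reject every listed enctype"))
        elif weak:
            findings.append(("info", f"{key} mixes in weak enctypes ({', '.join(weak)})"))
    return findings


if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("leaner", LEANER_CONF)):
        print(f"== {label} ==")
        for severity, message in lint_libdefaults(parse_libdefaults(conf)):
            print(f"[{severity}] {message}")
```

On the thread's configuration this reports one informational finding for `allow_weak_crypto` and a warning for each of the three DES-only lists; on the leaner configuration only the informational finding remains. A list that is DES-only with `allow_weak_crypto` unset is reported as an error, which is the combination Kevin asked about in his first reply.
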
2010-04-20 14:13:01

by Jeff Layton

Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

On Mon, 19 Apr 2010 17:37:45 -0700
Di Pe <[email protected]> wrote:

>
> On another Note: This PAC size issue is interesting. It seems to be an
> ongoing problem over the last couple of years. I suspect most
> krb5/gssd developers do not have an Active Directory infrastructure at
> hand they can test against?
> Going forward it may be make sense to "fix" this issue on the
> Microsoft end of things : http://support.microsoft.com/kb/832572 ?
> However, this would result in a pretty unique environment because many
> AD Admins would not bother with this setting nor would they know how
> to apply it.
>

In order to hit this problem you need a fairly large AD infrastructure.
You need to have the principal in a lot of groups so that the PAC is
big enough to cause the issue.

Also, it's only really a problem if you're using libraries that aren't
able to deal with large ticket sizes like this. Current libtirpc and
librpcsecgss should deal with this just fine.

Certainly if you have the freedom to have the server not store PAC info
for certain tickets, then that's one way to work around the problem.
Many people don't have that freedom, or it's just too much trouble to
do so.

--
Jeff Layton <[email protected]>

2010-04-20 13:19:33

by Kevin Coffman

Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

Hi,

If I read this right, you replaced krb5-1.8.1 with krb5-1.6.3 and it
fixed the problem?

As I noted in your original message, you had "allow_weak_crypto =
true" in your krb5.conf. For NFS, this is required with krb5-1.8
where DES is disabled by default. Are you certain you have this
specified in your krb5-1.8.1 /etc/krb5.conf?

K.C.

On Mon, Apr 19, 2010 at 8:37 PM, Di Pe <[email protected]> wrote:
> Thanks Jeff,
>
> that's an interesting issue: ?https://bugzilla.redhat.com/show_bug.cgi?id=562807
>
> I think the default change to --enable-tirpc was made in gssd 1.2.x
> but one of my configurations that is not working is running nfs-client
> 1.1.3 ?(the current openSUSE 11.2/ kernel 2.6.31.12, krb5 1.7).
>
> Nonetheless I patched libtirpc and then also compiled nfs-client with
> --disable-tirpc both on openSUSE 11.2 and openSUSE 11.3. None of these
> 4 independent tests worked.
>
> After that I went back to the test that was originally successful: I
> also installed krb5 1.6.3 on openSUS11.3 replacing krb5 1.8 and voila
> it worked flawlessly. I think I need to go through the change logs
> again. I would be glad if someone could give me some hints how I could
> get additional levels of debugging?
>
> On another Note: This PAC size issue is interesting. It seems to be an
> ongoing problem over the last couple of years. I suspect most
> krb5/gssd developers do not have an Active Directory infrastructure at
> hand they can test against?
> Going forward it may be make sense to "fix" this issue on the
> Microsoft end of things : http://support.microsoft.com/kb/832572 ?
> However, this would result in a pretty unique environment because many
> AD Admins would not bother with this setting nor would they know how
> to apply it.
>
> thanks for your help so far.
>
> I will test other distributions and see if that is any different.
>
>
> On Sat, Apr 17, 2010 at 8:10 AM, Jeff Layton <[email protected]> wrote:
>> On Sat, 17 Apr 2010 00:54:38 -0700
>> Di Pe <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> this looks like an issue with kerberos, but not 100% sure:
>>>
>>> ##############
>>>
>>>
>>> I have a working configuration for Kerberized NFSv4 using Active
>>> Directory 2003 functional level using
>>> ?Kernel 2.6.27 with krb5 1.6.3 and gssd 1.1.3. openSUSE 11.1 ?When I
>>> switch to openSUSE 11.2 (Kernel 2.6.31, krb5 1.70, gssd 1.1.3)
>>> rpc.gssd -fvvvvv shows this error message (Failed to create machine
>>> krb5 context) and gives me more errros like "gss_create_upcall for uid
>>> 0 result -13" when I turn on rpc/nfs debugging using 'echo "65535" >
>>> /proc/sys/sunrpc/rpc[nfs]_debug'
>>>
>>> handling krb5 upcall
>>> Full hostname for 'COMPUTRON.MYDOMAIN.ORG' is 'computron.mydomain.org'
>>> Full hostname for 'phsgrid-03.fhcrc.org' is 'phsgrid-03.mydomain.org'
>>> Key table entry not found while getting keytab entry for
>>> 'root/[email protected]'
>>> Success getting keytab entry for 'nfs/[email protected]'
>>> Successfully obtained machine credentials for principal
>>> 'nfs/[email protected]' stored in ccache
>>> 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG'
>>> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
>>> good until 1271522236
>>> using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
>>> machine creds
>>> using environment variable to select krb5 ccache
>>> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
>>> creating context using fsuid 0 (save_uid 0)
>>> creating tcp client for server COMPUTRON.MYDOMAIN.ORG
>>> DEBUG: port already set to 2049
>>> creating context with server [email protected]
>>> WARNING: Failed to create krb5 context for user with uid 0 for server
>>> COMPUTRON.MYDOMAIN.ORG
>>> WARNING: Failed to create machine krb5 context with credentials cache
>>> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG for server
>>> COMPUTRON.MYDOMAIN.ORG
>>> WARNING: Failed to create machine krb5 context with any credentials
>>> cache for server COMPUTRON.MYDOMAIN.ORG
>>> doing error downcall
>>>
>>>
>>> now when replace krb5-1.7 with krb5-1.6.3 on openSUSE 11.2 everything
>>> works again:
>>>
>>> handling krb5 upcall
>>> Full hostname for 'computron.mydomain.org' is 'computron.mydomain.org'
>>> Full hostname for 'panther5.mydomain.org' is 'panther5.mydomain.org'
>>> Key table entry not found while getting keytab entry for
>>> 'root/[email protected]'
>>> Success getting keytab entry for 'nfs/[email protected]'
>>> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
>>> good until 1271518766
>>> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
>>> good until 1271518766
>>> using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
>>> machine creds
>>> using environment variable to select krb5 ccache
>>> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
>>> creating context using fsuid 0 (save_uid 0)
>>> creating tcp client for server computron.mydomain.org
>>> creating context with server [email protected]
>>> DEBUG: serialize_krb5_ctx: lucid version!
>>> prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
>>> doing downcall
>>>
>>>
>>> going to openSUSE11.3 (Kernel 2.6.34-rc3, gssd 1.2.1, krb5 1.8) does
>>> not help either. executing
>>> mount -t nfs4 -o rsize=65536,wsize=65536,sec=krb5 computron:/tmp_iscsi tmp_iscsi
>>> gives me the very some error message
>>>
>>> after that I tried to install the rpm package of krb5 1.8.1 and also
>>> 1.8.1 straight from source. I am always getting the same error message
>>> "Failed to create krb5 context"
>>>
>>> > cat /etc/krb5.conf
>>> [libdefaults]
>>> ? ? ? ?default_realm = FHCRC.ORG
>>> ? ? ? ?clockskew = 300
>>> ? ? ? ?allow_weak_crypto = true
>>> ? ? ? ?default_tkt_enctypes = des-cbc-crc
>>> ? ? ? ?default_tgs_enctypes = des-cbc-crc
>>> ? ? ? ?#default_tkt_enctypes = des-cbc-md5
>>> ? ? ? ?#default_tgs_enctypes = des-cbc-md5
>>> ? ? ? ?#default_tkt_enctypes = rc4-hmac
>>> ? ? ? ?#default_tgs_enctypes = rc4-hmac
>>> ? ? ? ?#kdc_req_checksum_type = -138
>>> ? ? ? ?#ap_req_checksum_type = -138
>>> ? ? ? ?#safe_checksum_type = -138
>>> ? ? ? ?#ccache_type = 3
>>> ? ? ? ?#pkinit_eku_checking = kpServerAuth
>>>
>>> >cat idmapd.conf
>>> [General]
>>> Verbosity = 0
>>> Pipefs-Directory = /var/lib/nfs/rpc_pipefs
>>> Domain = mydomain.org
>>> Local-Realm = MYDOMAIN.ORG
>>>
>>> > klist -k -e -t
>>> Keytab name: WRFILE:/etc/krb5.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    3 12/31/69 16:00:00 nfs/[email protected] (DES
>>> cbc mode with CRC-32)
>>>
>>>
>>> Thanks for your help
>>
>> Is the new nfs-utils compiled against libtirpc and the old one not? If
>> so the problem may be that libtirpc wasn't allowing large enough
>> tickets (AD tickets can be pretty large due to the presence of the PAC).
>>
>> Recent libtirpc has a patch which seems to fix this problem:
>>
>>     [PATCH] libtirpc: allow larger ticket sizes with RPCSEC_GSS
>>
>> --
>> Jeff Layton <[email protected]>
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to [email protected]
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>

2010-04-17 12:55:29

by Kevin Coffman

[permalink] [raw]
Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

I see that you already have "allow_weak_crypto = true".

If the NFS server is Linux, debug output from rpc.svcgssd there might
help. If you are only changing the client (and not the server) then a
packet trace would be helpful.

On Sat, Apr 17, 2010 at 3:54 AM, Di Pe <[email protected]> wrote:

2010-04-17 14:43:22

by Di Pe

[permalink] [raw]
Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

Here you go

The server is a netapp

Thanks


On Sat, Apr 17, 2010 at 5:55 AM, Kevin Coffman <[email protected]> wrote:
>

2010-04-17 15:10:05

by Jeff Layton

[permalink] [raw]
Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

On Sat, 17 Apr 2010 00:54:38 -0700
Di Pe <[email protected]> wrote:


Is the new nfs-utils compiled against libtirpc and the old one not? If
so the problem may be that libtirpc wasn't allowing large enough
tickets (AD tickets can be pretty large due to the presence of the PAC).

Recent libtirpc has a patch which seems to fix this problem:

[PATCH] libtirpc: allow larger ticket sizes with RPCSEC_GSS

-- 
Jeff Layton <[email protected]>

2010-04-21 03:02:27

by Kevin Coffman

[permalink] [raw]
Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

On Tue, Apr 20, 2010 at 8:19 PM, Di Pe <[email protected]> wrote:
> On Tue, Apr 20, 2010 at 6:19 AM, Kevin Coffman <[email protected]> wrote:
>> Hi,
>>
>> If I read this right, you replaced krb5-1.8.1 with krb5-1.6.3 and it
>> fixed the problem?
>>
>> As I noted in your original message, you had "allow_weak_crypto =
>> true" in your krb5.conf.  For NFS, this is required with krb5-1.8
>> where DES is disabled by default.  Are you certain you have this
>> specified in your krb5-1.8.1 /etc/krb5.conf?
>
>
> Yes, I'm positive. 1.8.1 does not work, 1.6.3 does!  This is my current setting
>
> [libdefaults]
>        default_realm = FHCRC.ORG
>        clockskew = 300
>        default_tkt_enctypes = des-cbc-crc
>        default_tgs_enctypes = des-cbc-crc
>        permitted_enctypes = des-cbc-crc
>        allow_weak_crypto = true
>        forwardable = true
>
> I should add one more thing: I was using 2 different NFS servers, a
> NetApp 7.3.1.1 and Opentext NFS Maestro Server 2008 (formerly
> Hummingbird) on Windows 2008 R2 (AD is still 2003 R2). I found out
> today that the NetApp had a corrupted keytab and after repairing that
> it works fine with 1.8.1. NFS Maestro still only works with 1.6.3.
> Since I can use the 1.6.3 rpm package on newer distros I can live
> with it for the moment if I block the rpm from getting updated, but
> it's still kind of a hack.

Do you have access to logs on the server that still doesn't work with
1.8.1? It seems odd that only this combination would fail.

K.C.

2011-03-28 20:26:18

by Olga Kornievskaia

[permalink] [raw]
Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

I'd like to 2nd this issue.

The problem is in the kernel's derivation of the rc4 signature key.
This is the commit that broke it.

[aglo@skydive linux-pnfs]$ git show 411b5e05617593efebc06241dbc56f42150f2abe
commit 411b5e05617593efebc06241dbc56f42150f2abe
Author: Joe Perches <[email protected]>
Date: Mon Sep 13 12:48:01 2010 -0700

net/sunrpc: Use static const char arrays

Signed-off-by: Joe Perches <[email protected]>
Signed-off-by: Trond Myklebust <[email protected]>

diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_
index 0326446..8a4d083c 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -422,7 +422,7 @@ static int
context_derive_keys_rc4(struct krb5_ctx *ctx)
{
struct crypto_hash *hmac;
- char sigkeyconstant[] = "signaturekey";
+ static const char sigkeyconstant[] = "signaturekey";
int slen = strlen(sigkeyconstant) + 1; /* include null terminator */
struct hash_desc desc;
struct scatterlist sg[1];
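Review bot: Turning `sigkeyconstant` into a `static const` array moves it from the stack into the module's read-only data, and the `struct scatterlist sg[1]` declared two lines below suggests this buffer is handed to the crypto API through a scatterlist; a scatterlist entry needs a directly mapped (lowmem) address, which a local array has and module data, living in vmalloc space, does not, so the HMAC over "signaturekey\0" can be computed over the wrong bytes, which matches the broken RC4 signature-key derivation reported above. Keep `char sigkeyconstant[] = "signaturekey";` as a local array (or copy the constant into a stack buffer before building the scatterlist), and audit the other arrays this mechanical conversion touched for the same scatterlist use.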




On Sat, Apr 17, 2010 at 3:54 AM, Di Pe <[email protected]> wrote:
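The derivation Olga refers to is the RFC 4757 (RC4-HMAC) signature key, Ksign = HMAC-MD5(K, "signaturekey" || NUL), which then keys the per-message GSS checksum. The following Python model is an added example, not code from the kernel or from anyone in this thread; the session key, token header and message bytes are constructed, and the `include_nul=False` path exists only to show that feeding the HMAC the wrong bytes changes every checksum, which is the mismatch a server then rejects.

```python
import hashlib
import hmac
import struct

# RFC 4757 section 7.3: the GSS-API checksum for RC4-HMAC is keyed by a
# signature key derived from the session key with a fixed salt that
# INCLUDES its terminating NUL octet.  That is the "+ 1" in the kernel's
# slen = strlen(sigkeyconstant) + 1 quoted above.
SIGKEY_CONSTANT = b"signaturekey"

# Key-usage value (KG_USAGE_SIGN) the GSS-API layer passes as T for MIC
# checksums; wrap tokens use 13 (KG_USAGE_SEAL).
KG_USAGE_SIGN = 15


def derive_sign_key(session_key: bytes, include_nul: bool = True) -> bytes:
    """Ksign = HMAC-MD5(K, "signaturekey\\0").

    include_nul=False deliberately models a derivation that feeds the wrong
    bytes to the HMAC; it is here only so demo() can show the effect.
    """
    salt = SIGKEY_CONSTANT + (b"\x00" if include_nul else b"")
    return hmac.new(session_key, salt, hashlib.md5).digest()


def rc4_hmac_checksum(sign_key: bytes, usage: int, data: bytes) -> bytes:
    """CKSUM = HMAC-MD5(Ksign, MD5(T || data)), T = usage as 4 bytes LE.

    For a MIC token, data is the 8-byte token header followed by the
    message being protected; the token carries only the first 8 bytes.
    """
    t = struct.pack("<I", usage)
    inner = hashlib.md5(t + data).digest()
    return hmac.new(sign_key, inner, hashlib.md5).digest()[:8]


def make_mic(session_key: bytes, header: bytes, message: bytes,
             include_nul: bool = True) -> bytes:
    """What the token producer (here: the NFS client) puts into SGN_CKSUM."""
    ksign = derive_sign_key(session_key, include_nul)
    return rc4_hmac_checksum(ksign, KG_USAGE_SIGN, header + message)


def verify_mic(session_key: bytes, header: bytes, message: bytes,
               sgn_cksum: bytes) -> bool:
    """What the acceptor (the NFS server) does with the same session key."""
    expected = make_mic(session_key, header, message)
    return hmac.compare_digest(expected, sgn_cksum)


# --- constructed sample values (not taken from the thread) ----------------
SESSION_KEY = bytes(range(0x10, 0x20))              # 16-byte RC4-HMAC key
TOKEN_HEADER = b"\x01\x01\x11\x00\xff\xff\xff\xff"  # TOK_ID, SGN_ALG, filler
MESSAGE = b"RPCSEC_GSS sample payload"


def demo() -> dict:
    """Correct derivation verifies; the wrong-bytes derivation is rejected."""
    good = make_mic(SESSION_KEY, TOKEN_HEADER, MESSAGE)
    bad = make_mic(SESSION_KEY, TOKEN_HEADER, MESSAGE, include_nul=False)
    return {
        "sign_key_len": len(derive_sign_key(SESSION_KEY)),
        "good_accepted": verify_mic(SESSION_KEY, TOKEN_HEADER, MESSAGE, good),
        "bad_accepted": verify_mic(SESSION_KEY, TOKEN_HEADER, MESSAGE, bad),
        "keys_differ": derive_sign_key(SESSION_KEY)
        != derive_sign_key(SESSION_KEY, include_nul=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```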

2011-03-28 20:29:52

by Olga Kornievskaia

[permalink] [raw]
Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1

Trond, is it possible to push this fix for the 2.6.39? Thank you.

On Mon, Mar 28, 2011 at 4:26 PM, Olga Kornievskaia <[email protected]> wrote: