2010-09-29 09:02:31

by Beyersdorf, Wolfgang

Subject: NFS4 / GSS: Problem with users accessing the mounted directories (with root, everything ist okay)




Dear all,

I got NFS4 with GSS running on CentOS 5. Everything is okay, all TGTs are okay and it is working fine for the user ROOT.

When I change to another user, I get a permission denied when I try to access the directory (e.g. ls -la).

Here is the /var/log/messages part for this access (with full debugging on nfs, nfsd and rpc):

Sep 29 10:11:59 sha9013 kernel: NFS: revalidating (0:1a/4030465)
Sep 29 10:11:59 sha9013 kernel: RPC: 0 new task procpid 15472
Sep 29 10:11:59 sha9013 kernel: RPC: 0 allocated task
Sep 29 10:11:59 sha9013 kernel: RPC: 0 looking up RPCSEC_GSS cred
Sep 29 10:11:59 sha9013 kernel: RPC: gc'ing RPC credentials for auth ffff810076dc22c0
Sep 29 10:11:59 sha9013 kernel: RPC: gss_destroy_cred
Sep 29 10:11:59 sha9013 kernel: RPC: gss_create_cred for uid 569926353, flavor 390003
Sep 29 10:11:59 sha9013 kernel: RPC: gss_upcall for uid 569926353
Sep 29 10:11:59 sha9013 kernel: RPC: gss_find_upcall found nothing
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: handling krb5 upcall
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: getting credentials for client with uid 569926353 for server sha9012.hamburg.rwedea.de
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: CC file 'krb5cc_569926353' being considered
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: CC file 'krb5cc_569926353' matches owner check and has mtime of 1285746876
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: CC file 'krb5cc_0_osSsov' being considered
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: '/tmp/krb5cc_0_osSsov' owned by 0, not 569926353
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: CC file 'krb5cc_0_mLx0Bh' being considered
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: '/tmp/krb5cc_0_mLx0Bh' owned by 0, not 569926353
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: using FILE:/tmp/krb5cc_569926353 as credentials cache for client with uid 569926353 for server sha9012.hamburg.rwede
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_569926353
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: creating context using fsuid 569926353 (save_uid 0)
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: creating tcp client for server sha9012.hamburg.rwedea.de
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: creating context with server [email protected] <================================== system is waiting for 25 seconds
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: WARNING: Failed to create krb5 context for user with uid 569926353 for server sha9012.hamburg.rwedea.de
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: WARNING: Failed to create krb5 context for user with uid 569926353 for server sha9012.hamburg.rwedea.de
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: doing error downcall
Sep 29 10:12:23 sha9013 kernel: RPC: gss_fill_context returning 13
Sep 29 10:12:23 sha9013 kernel: RPC: gss_find_upcall found msg ffff81007e824ec0
Sep 29 10:12:23 sha9013 kernel: RPC: gss_destroy_ctx
Sep 29 10:12:23 sha9013 kernel: RPC: gss_pipe_downcall returning length 16
Sep 29 10:12:23 sha9013 kernel: RPC: gss_create_upcall for uid 569926353 result -13
Sep 29 10:12:23 sha9013 kernel: RPC: rpc_release_client(ffff810073dbc200, 1)
Sep 29 10:12:23 sha9013 kernel: nfs_revalidate_inode: (0:1a/4030465) getattr failed, error=-13
Sep 29 10:12:23 sha9013 kernel: RPC: looking up RPCSEC_GSS cred
Sep 29 10:12:23 sha9013 kernel: RPC: gss_upcall for uid 569926353
Sep 29 10:12:23 sha9013 kernel: RPC: gss_find_upcall found nothing
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: handling krb5 upcall
Sep 29 10:12:23 sha9013 kernel: RPC: 0 freeing task
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: getting credentials for client with uid 569926353 for server sha9012.hamburg.rwedea.de
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: CC file 'krb5cc_569926353' being considered
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: CC file 'krb5cc_569926353' matches owner check and has mtime of 1285746876
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: CC file 'krb5cc_0_osSsov' being considered
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: '/tmp/krb5cc_0_osSsov' owned by 0, not 569926353
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: CC file 'krb5cc_0_mLx0Bh' being considered
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: '/tmp/krb5cc_0_mLx0Bh' owned by 0, not 569926353
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: using FILE:/tmp/krb5cc_569926353 as credentials cache for client with uid 569926353 for server sha9012.hamburg.rwede
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_569926353
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: creating context using fsuid 569926353 (save_uid 0)
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: creating tcp client for server sha9012.hamburg.rwedea.de
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: creating context with server [email protected]
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: WARNING: Failed to create krb5 context for user with uid 569926353 for server sha9012.hamburg.rwedea.de
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: WARNING: Failed to create krb5 context for user with uid 569926353 for server sha9012.hamburg.rwedea.de
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: doing error downcall
Sep 29 10:12:48 sha9013 kernel: RPC: gss_fill_context returning 13
Sep 29 10:12:48 sha9013 kernel: RPC: gss_find_upcall found msg ffff81007e824ec0
Sep 29 10:12:48 sha9013 kernel: RPC: gss_destroy_ctx
Sep 29 10:12:48 sha9013 kernel: RPC: gss_pipe_downcall returning length 16
Sep 29 10:12:48 sha9013 kernel: RPC: gss_create_upcall for uid 569926353 result -13
Sep 29 10:12:48 sha9013 kernel: NFS: permission(0:1a/4030465), mask=0x1, res=-13
Sep 29 10:12:48 sha9013 kernel: RPC: looking up RPCSEC_GSS cred
Sep 29 10:12:48 sha9013 kernel: RPC: gss_upcall for uid 569926353
Sep 29 10:12:48 sha9013 kernel: RPC: gss_find_upcall found nothing
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: handling krb5 upcall
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: getting credentials for client with uid 569926353 for server sha9012.hamburg.rwedea.de
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: CC file 'krb5cc_569926353' being considered
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: CC file 'krb5cc_569926353' matches owner check and has mtime of 1285746876
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: CC file 'krb5cc_0_osSsov' being considered
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: '/tmp/krb5cc_0_osSsov' owned by 0, not 569926353
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: CC file 'krb5cc_0_mLx0Bh' being considered
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: '/tmp/krb5cc_0_mLx0Bh' owned by 0, not 569926353
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: using FILE:/tmp/krb5cc_569926353 as credentials cache for client with uid 569926353 for server sha9012.hamburg.rwede
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_569926353
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: creating context using fsuid 569926353 (save_uid 0)
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: creating tcp client for server sha9012.hamburg.rwedea.de
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: creating context with server [email protected]



A klist gives the following result:
========================

Ticket cache: FILE:/tmp/krb5cc_569926353
Default principal: [email protected]

Valid starting     Expires            Service principal
09/29/10 08:59:35  09/29/10 18:59:54  krbtgt/[email protected]
        renew until 09/30/10 08:59:35
09/29/10 09:00:02  09/29/10 18:59:54  nfs/[email protected]
        renew until 09/30/10 08:59:35
09/29/10 09:54:43  09/29/10 18:59:54  nfs/[email protected]
        renew until 09/30/10 08:59:35


Kerberos 4 ticket cache: /tmp/tkt569926353
klist: You have no tickets cached


Here the result from ls -la:
===================

?--------- ? ? ? ? ? nfs4test
drwxr-xr-x 3 root root 4096 Sep 13 15:19 opt
dr-xr-xr-x 95 root root 0 Sep 27 14:28 proc
drwxr-x--- 3 root root 4096 Jan 26 2010 root
drwxr-xr-x 2 root root 12288 Sep 15 04:02 sbin
drwxr-xr-x 2 root root 4096 Jan 26 2010 selinux
drwxr-xr-x 2 root root 4096 Jan 26 2010 srv
drwxr-xr-x 30 root root 0 Sep 28 09:19 sw
drwxr-xr-x 11 root root 0 Sep 27 14:28 sys
-rw-r--r-- 1 root root 6932 Sep 28 10:35 tdump.dmp
drwxr-xr-x 2 root root 4096 Sep 13 17:04 test
drwxrwxrwt 4 root root 4096 Sep 29 08:59 tmp
drwxr-xr-x 14 root root 4096 Sep 13 15:01 usr
drwxr-xr-x 19 root root 4096 Sep 13 15:01 var



On the server, there is nothing inside the /var/log/messages


Could anybody help me?

Thanks a lot.



Best regards

Wolfgang Beyersdorf

RWE Dea AG
IT Infrastructure Department
Überseering 40, 22297 Hamburg, Germany
T +49 40 6375-3258
M +40 160 5497897
E [email protected]
I http://www.rwedea.com





2010-09-29 14:21:10

by Kevin Coffman

Subject: Re: NFS4 / GSS: Problem with users accessing the mounted directories (with root, everything ist okay)

On Wed, Sep 29, 2010 at 5:02 AM, Beyersdorf, Wolfgang
<[email protected]> wrote:
>
>
>
> Dear all,
>
> I got NFS4 with GSS running on CentOS 5. Everything is okay, all TGTs are okay and it is working fine for the user ROOT.
>
> When I change to another user, I get a permission denied when I try to access the directory (e.g. ls -la).
>
> Here is the /var/log/messages part for this access (with full debugging on nfs, nfsd and rpc):
>
> Sep 29 10:11:59 sha9013 rpc.gssd[1645]: creating context with server [email protected] <================================== system is waiting for 25 seconds
> Sep 29 10:12:23 sha9013 rpc.gssd[1645]: WARNING: Failed to create krb5 context for user with uid 569926353 for server sha9012.hamburg.rwedea.de
> Sep 29 10:12:23 sha9013 rpc.gssd[1645]: WARNING: Failed to create krb5 context for user with uid 569926353 for server sha9012.hamburg.rwedea.de

> [ ... ]

> Sep 29 10:12:23 sha9013 rpc.gssd[1645]: creating context with server [email protected]
> Sep 29 10:12:48 sha9013 rpc.gssd[1645]: WARNING: Failed to create krb5 context for user with uid 569926353 for server sha9012.hamburg.rwedea.de
> Sep 29 10:12:48 sha9013 rpc.gssd[1645]: WARNING: Failed to create krb5 context for user with uid 569926353 for server sha9012.hamburg.rwedea.de
>
> A klist gives the following result:
> ========================

What does "klist -e" show?

>
> On the server, there is nothing inside the /var/log/messages
>

I assume there is output from svcgssd on the server when root accesses it?

The 25-second pauses sound as if there is an error of some kind on the
server and it is dropping the request rather than replying. Perhaps a
network trace would reveal something.

K.C.
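
Added example, not part of the thread: a small parser that measures how long each rpc.gssd context attempt in a client log hangs before the "Failed to create krb5 context" warning, which is the 24-25 second pattern discussed above. The sample lines are excerpted from the log in the first message (server principal redacted as on the page); the function name, the 10-second threshold and the year 2010 (syslog lines carry no year) are assumptions.

```python
import re
from datetime import datetime

# Excerpt of the client log from the first message, including one of the
# duplicated WARNING lines; the redacted principal is kept as it appears.
SAMPLE = """\
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: creating context using fsuid 569926353 (save_uid 0)
Sep 29 10:11:59 sha9013 rpc.gssd[1645]: creating context with server [email protected]
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: WARNING: Failed to create krb5 context for user with uid 569926353 for server sha9012.hamburg.rwedea.de
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: WARNING: Failed to create krb5 context for user with uid 569926353 for server sha9012.hamburg.rwedea.de
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: creating context using fsuid 569926353 (save_uid 0)
Sep 29 10:12:23 sha9013 rpc.gssd[1645]: creating context with server [email protected]
Sep 29 10:12:48 sha9013 rpc.gssd[1645]: WARNING: Failed to create krb5 context for user with uid 569926353 for server sha9012.hamburg.rwedea.de
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ rpc\.gssd\[(\d+)\]: (.*)$")
FSUID = re.compile(r"creating context using fsuid (\d+)")
FAILED = re.compile(r"Failed to create krb5 context for user with uid (\d+) for server (\S+)")

def gss_stalls(text, year=2010, threshold=10):
    """Return (uid, server, seconds) for each failed context attempt that
    took at least `threshold` seconds from start to failure."""
    started = {}  # (gssd pid, uid) -> time the attempt began
    stalls = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # kernel RPC lines and other daemons are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        if (s := FSUID.search(msg)):
            started[(pid, s.group(1))] = ts
        elif (f := FAILED.search(msg)):
            begin = started.pop((pid, f.group(1)), None)
            if begin is None:
                continue  # repeated WARNING for an attempt already counted
            secs = int((ts - begin).total_seconds())
            if secs >= threshold:
                stalls.append((f.group(1), f.group(2), secs))
    return stalls

if __name__ == "__main__":
    for uid, server, secs in gss_stalls(SAMPLE):
        print(f"uid {uid}: context setup to {server} hung for {secs}s before failing")
```

A failure that returns within a second or so means the client got an error back; hangs of a fixed length, as here, fit the "server is dropping the request rather than replying" reading and are the ones worth matching against a network trace.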