From: Jeff Layton
Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1
Date: Sat, 17 Apr 2010 11:10:01 -0400
Message-ID: <20100417111001.255ad1f4@tlielax.poochiereds.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
To: Di Pe
Cc: linux-nfs@vger.kernel.org
Received: from mx1.redhat.com ([209.132.183.28]:40559 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752297Ab0DQPKF convert rfc822-to-8bit (ORCPT ); Sat, 17 Apr 2010 11:10:05 -0400
Sender: linux-nfs-owner@vger.kernel.org

On Sat, 17 Apr 2010 00:54:38 -0700
Di Pe wrote:

> Hi,
>
> this looks like an issue with kerberos, but not 100% sure:
>
> ##############
>
>
> I have a working configuration for Kerberized NFSv4 using Active
> Directory 2003 functional level using
> Kernel 2.6.27 with krb5 1.6.3 and gssd 1.1.3. openSUSE 11.1. When I
> switch to openSUSE 11.2 (Kernel 2.6.31, krb5 1.70, gssd 1.1.3)
> rpc.gssd -fvvvvv shows this error message (Failed to create machine
> krb5 context) and gives me more errors like "gss_create_upcall for uid
> 0 result -13" when I turn on rpc/nfs debugging using 'echo "65535" >
> /proc/sys/sunrpc/rpc[nfs]_debug'
>
> handling krb5 upcall
> Full hostname for 'COMPUTRON.MYDOMAIN.ORG' is 'computron.mydomain.org'
> Full hostname for 'phsgrid-03.fhcrc.org' is 'phsgrid-03.mydomain.org'
> Key table entry not found while getting keytab entry for
> 'root/phsgrid-03.mydomain.org@MYDOMAIN.ORG'
> Success getting keytab entry for 'nfs/phsgrid-03.mydomain.org@MYDOMAIN.ORG'
> Successfully obtained machine credentials for principal
> 'nfs/phsgrid-03.mydomain.org@MYDOMAIN.ORG' stored in ccache
> 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
> good until 1271522236
> using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
> machine creds
> using environment variable to select krb5 ccache
> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server COMPUTRON.MYDOMAIN.ORG
> DEBUG: port already set to 2049
> creating context with server nfs@COMPUTRON.MYDOMAIN.ORG
> WARNING: Failed to create krb5 context for user with uid 0 for server
> COMPUTRON.MYDOMAIN.ORG
> WARNING: Failed to create machine krb5 context with credentials cache
> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG for server
> COMPUTRON.MYDOMAIN.ORG
> WARNING: Failed to create machine krb5 context with any credentials
> cache for server COMPUTRON.MYDOMAIN.ORG
> doing error downcall
>
>
> now when I replace krb5-1.7 with krb5-1.6.3 on openSUSE 11.2 everything
> works again:
>
> handling krb5 upcall
> Full hostname for 'computron.mydomain.org' is 'computron.mydomain.org'
> Full hostname for 'panther5.mydomain.org' is 'panther5.mydomain.org'
> Key table entry not found while getting keytab entry for
> 'root/panther5.mydomain.org@MYDOMAIN.ORG'
> Success getting keytab entry for 'nfs/panther5.mydomain.org@MYDOMAIN.ORG'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
> good until 1271518766
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG' are
> good until 1271518766
> using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for
> machine creds
> using environment variable to select krb5 ccache
> FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server computron.mydomain.org
> creating context with server nfs@computron.mydomain.org
> DEBUG: serialize_krb5_ctx: lucid version!
> prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
> doing downcall
>
>
> going to openSUSE 11.3 (Kernel 2.6.34-rc3, gssd 1.2.1, krb5 1.8) does
> not help either.
> executing
> mount -t nfs4 -o rsize=65536,wsize=65536,sec=krb5 computron:/tmp_iscsi tmp_iscsi
> gives me the very same error message
>
> after that I tried to install the rpm package of krb5 1.8.1 and also
> 1.8.1 straight from source. I am always getting the same error message
> "Failed to create krb5 context"
>
> > cat /etc/krb5.conf
> [libdefaults]
>         default_realm = FHCRC.ORG
>         clockskew = 300
>         allow_weak_crypto = true
>         default_tkt_enctypes = des-cbc-crc
>         default_tgs_enctypes = des-cbc-crc
>         #default_tkt_enctypes = des-cbc-md5
>         #default_tgs_enctypes = des-cbc-md5
>         #default_tkt_enctypes = rc4-hmac
>         #default_tgs_enctypes = rc4-hmac
>         #kdc_req_checksum_type = -138
>         #ap_req_checksum_type = -138
>         #safe_checksum_type = -138
>         #ccache_type = 3
>         #pkinit_eku_checking = kpServerAuth
>
> > cat idmapd.conf
> [General]
> Verbosity = 0
> Pipefs-Directory = /var/lib/nfs/rpc_pipefs
> Domain = mydomain.org
> Local-Realm = MYDOMAIN.ORG
>
> > klist -k -e -t
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 12/31/69 16:00:00 nfs/phsgrid-03.mydomain.org@MYDOMAIN.ORG (DES cbc mode with CRC-32)
>
>
> Thanks for your help

Is the new nfs-utils compiled against libtirpc and the old one not? If so
the problem may be that libtirpc wasn't allowing large enough tickets (AD
tickets can be pretty large due to the presence of the PAC). Recent
libtirpc has a patch which seems to fix this problem:

[PATCH] libtirpc: allow larger ticket sizes with RPCSEC_GSS

-- 
Jeff Layton
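The two rpc.gssd traces quoted in the thread differ only in their last few lines, and reading them by eye across several mail wraps is error-prone. The following script, an added example that is not part of the thread or of nfs-utils, reduces each "handling krb5 upcall" block to one record: the keytab principal gssd found, the credentials cache it selected, the server principal it tried to build a context for, the enctype it serialized, and whether the block ended in "doing downcall" (context handed to the kernel) or "doing error downcall" (the mount then fails with EACCES, the -13 seen in the rpc debug output). The regexes assume the message wording shown in the quoted traces; the sample traces are constructed after those quoted lines, unwrapped to one message per line as gssd prints them. The enctype number table follows RFC 3961/3962/4757, with 4 being MIT's des-cbc-raw, which is what a single-DES context exports.

```python
"""Summarize rpc.gssd -vvv upcall traces (added example, not nfs-utils code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Kerberos enctype numbers from RFC 3961/3962/4757; 4 is MIT's des-cbc-raw.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 4: "des-cbc-raw",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 4}  # single-DES variants

_KEYTAB = re.compile(r"Success getting keytab entry for '([^']+)'")
_CCACHE = re.compile(r"^using (\S+) as credentials cache for")
_SERVER = re.compile(r"^creating context with server (\S+)")
_ENCTYPE = re.compile(r"serializing keys with enctype (\d+)")
_WARNING = re.compile(r"^WARNING: (.*)")


@dataclass
class Upcall:
    keytab_principal: Optional[str] = None
    ccache: Optional[str] = None
    server: Optional[str] = None
    enctype: Optional[int] = None
    warnings: List[str] = field(default_factory=list)
    result: Optional[str] = None  # "downcall" or "error downcall"

    @property
    def succeeded(self) -> bool:
        return self.result == "downcall"

    @property
    def enctype_name(self) -> Optional[str]:
        if self.enctype is None:
            return None
        return ENCTYPE_NAMES.get(self.enctype, "enctype %d" % self.enctype)

    @property
    def weak_crypto(self) -> bool:
        return self.enctype in WEAK_ENCTYPES


def parse_gssd_log(text: str) -> List[Upcall]:
    """Split a gssd trace into one Upcall record per 'handling krb5 upcall'."""
    upcalls: List[Upcall] = []
    cur: Optional[Upcall] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "handling krb5 upcall":
            cur = Upcall()
            upcalls.append(cur)
            continue
        if cur is None:
            continue  # noise before the first upcall
        if m := _KEYTAB.search(line):
            cur.keytab_principal = m.group(1)
        elif m := _CCACHE.search(line):
            cur.ccache = m.group(1)
        elif m := _SERVER.search(line):
            cur.server = m.group(1)
        elif m := _ENCTYPE.search(line):
            cur.enctype = int(m.group(1))
        elif m := _WARNING.search(line):
            cur.warnings.append(m.group(1))
        elif line == "doing downcall":
            cur.result = "downcall"
        elif line == "doing error downcall":
            cur.result = "error downcall"
    return upcalls


def summarize(upcalls: List[Upcall]) -> List[str]:
    """One human-readable line per upcall, for a quick diff of two traces."""
    out = []
    for i, u in enumerate(upcalls, 1):
        status = "OK" if u.succeeded else "FAILED (%d warnings)" % len(u.warnings)
        crypto = ""
        if u.enctype is not None:
            crypto = " enctype=%s%s" % (u.enctype_name, " [weak]" if u.weak_crypto else "")
        out.append("upcall %d: %s keytab=%s server=%s%s" %
                   (i, status, u.keytab_principal, u.server, crypto))
    return out


# Constructed sample traces, patterned after the failing and working runs
# quoted in the thread (one gssd message per line, no mail wrapping).
FAILING_TRACE = """\
handling krb5 upcall
Full hostname for 'COMPUTRON.MYDOMAIN.ORG' is 'computron.mydomain.org'
Key table entry not found while getting keytab entry for 'root/phsgrid-03.mydomain.org@MYDOMAIN.ORG'
Success getting keytab entry for 'nfs/phsgrid-03.mydomain.org@MYDOMAIN.ORG'
using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for machine creds
creating context using fsuid 0 (save_uid 0)
creating context with server nfs@COMPUTRON.MYDOMAIN.ORG
WARNING: Failed to create krb5 context for user with uid 0 for server COMPUTRON.MYDOMAIN.ORG
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG for server COMPUTRON.MYDOMAIN.ORG
WARNING: Failed to create machine krb5 context with any credentials cache for server COMPUTRON.MYDOMAIN.ORG
doing error downcall
"""

WORKING_TRACE = """\
handling krb5 upcall
Success getting keytab entry for 'nfs/panther5.mydomain.org@MYDOMAIN.ORG'
using FILE:/tmp/krb5cc_machine_MYDOMAIN.ORG as credentials cache for machine creds
creating context with server nfs@computron.mydomain.org
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
doing downcall
"""

if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(name)
        for line in summarize(parse_gssd_log(trace)):
            print("  " + line)
```

Feed it the output of `rpc.gssd -fvvv` (piped through `tee`, since gssd writes to stderr in the foreground) from both the old and the new nfs-utils build; if the new build reaches "creating context with server" and then emits the three WARNING lines while the old build proceeds to serialize keys, the failure is in context establishment rather than in credential acquisition, which is consistent with the ticket-size hypothesis in the reply. The `[weak]` marker on the working trace is simply the tool reporting that the context key is single DES, matching the `allow_weak_crypto` and `des-cbc-crc` settings in the quoted krb5.conf.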