Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp2875272rwb; Mon, 19 Sep 2022 11:16:13 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7mwhFGrYrAO6LJyi8fopvzD77fKEWvVx0y1gEE2NKmjHqFRPz1OAFXYW44xS0uYyHylDEI X-Received: by 2002:a17:903:234c:b0:178:1a7c:28a5 with SMTP id c12-20020a170903234c00b001781a7c28a5mr996073plh.32.1663611373521; Mon, 19 Sep 2022 11:16:13 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1663611373; cv=pass; d=google.com; s=arc-20160816; b=chwzJjiaEdg0s5XYCFj74VsL+0ik1tG5A7iFXnZ4DFyLCTLVRNIKjjqod1o0T///0L wcIBGWXZUJG98kh9ghEiVqmLU1sne+we0H2tc8U5x/qWL7F56qliZNMr5c1duqN+lIQh 0GhaLcyakaH4Eb7I1GBzgVTvYmhnHJhur1A3IHgFRDW5PsFDzlvGqxfqEI6377KeOLNm xDVCRMSqI4beBGLpianEJyiqW/oyb9KMQluraNOXlclQWB9jH8xuPsor1tOv6arx1A5A NYTji+EAdhJx5R3zxbqdRhNQ96RE+6TbAWnrXF+S2Rarc0oPriLRGdTGkFzroy4HCY+W fb/A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :content-id:content-language:accept-language:in-reply-to:references :message-id:date:thread-index:thread-topic:subject:cc:to:from :dkim-signature:dkim-signature; bh=1T2ewM8FG/daO4Mt8IAP6jg1xhOBhk3EdIGz3cSPu3c=; b=bgVLiOnDYudjkerEJqYutxEPEmowQjUmgVbqsTy/amWjrADvr8EXmbtlq6N37Q6YqW vqM+QwrnMkCtfsVgfd3BvZfOFyq7ZCli47KFMALNjRk4r7r9WKX9QPuOcumt2F+PriDl ia4cSAJmb5ELfLupzrlCjm+ugd/ABimlqn0rUNRKZi9MPmFdTilSPKrRAAiDTT3TCyVD r8K2B+FR1nUJcWjTVtkdubwquWujEqSwz2JebSAFE1/VLRpMkVJ01UYuk7eGbpsgwzmg /xRtD67+W/bUV+36Nh3CcYKDmq3HYnlekauQ7WRk66cb1nOJkeY5aXMLqPvSE9Y9i7Dd 5f5A== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=sTAUdHMr; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=dAIIjSb9; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u18-20020a056a00099200b0053e67522538si32886363pfg.331.2022.09.19.11.15.58; Mon, 19 Sep 2022 11:16:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=sTAUdHMr; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=dAIIjSb9; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229553AbiISSPq (ORCPT + 99 others); Mon, 19 Sep 2022 14:15:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46244 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229519AbiISSPo (ORCPT ); Mon, 19 Sep 2022 14:15:44 -0400 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B590F46201 for ; Mon, 19 Sep 2022 11:15:42 -0700 (PDT) Received: from pps.filterd (m0246630.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 28JGO499002811; Mon, 19 Sep 2022 18:15:39 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=corp-2022-7-12; bh=1T2ewM8FG/daO4Mt8IAP6jg1xhOBhk3EdIGz3cSPu3c=; b=sTAUdHMr8ULy8QHfPmRU4DMZKNHZbSlPIm8z6EYRzgdAWkPcNS3gO++e/QruijQbmNZj klYBhw9o+JqbTzFNDZ9SZKk/8mMCmyB5JzRhd9ZN8Lf92BAhdQwUXLMkOwDj4ZJ9M/0z gxfh2R6Pgh9AAPX4LqGu8z5AlCBLyqGH5Drsw+Nw++uyF7BzbDU9lluWCniS3wH2s4hM lWShwqL6SbT0+CpSEgv0UW0R4cyvTOIMsVCKx7oj/bkBneppV+3Div1UfGkPvTai9Xhw xBLrcqXVzQ20NWn8LLp0AvQNGQMIc01pNyAAF9B7wgHGMAhoj9YL6a3N8Z6arOAwWA+9 9w== Received: from iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta02.appoci.oracle.com [147.154.18.20]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3jn688cgr2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 19 Sep 2022 18:15:38 +0000 Received: from pps.filterd (iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 28JGbWrL016766; Mon, 19 Sep 2022 18:15:37 GMT Received: from nam11-co1-obe.outbound.protection.outlook.com (mail-co1nam11lp2171.outbound.protection.outlook.com [104.47.56.171]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3jp3cmc33j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 19 Sep 2022 18:15:37 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hAM9BsGfXyLCodYZSMjNSHBla4NydwGz+3/kF963qH1ydw1rZNELmky2lWdxKPj9zE/zSpJfUFQvvqZkE9509K4Ay7Dp3gj4iA+BhZ9KjhBm55bg3dGWdoSoPELBOiQFiTiu9jtU7+n1j172OzfeBQVOpF59jUq9Eipcsh44Gpa+pEZXygKyy36TzelB+pygLiXtRTlN9tVEqFyElPPSpuvHaMpX6lRsOCkaWDoYKv6PsLoP1IRsIs5f6chX/+ZrQLeoXZ5aVnSO+uA0rsdo6pA1qB3g6sSyyQS8ioB+MKpPPZ67NpHU5DFrJQhc7UWF+Kj9CtCqPDMXpnCBcYpvHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1T2ewM8FG/daO4Mt8IAP6jg1xhOBhk3EdIGz3cSPu3c=; b=MIbS6AweU2P39yhCO2ZWlErB9VKyaElyNufHN6vQQ7RS0Er+GFFF/Mmk9RRh0Em+bvwpAoRBkgzGMG9GIMcE/+uMLeMpL4p9DmW2gz/Twjki9NUDgmmH94hDlvjTNxARN6u1HTRuqyqIYJUCx2DX2Wvu0guDSCAtpBRpGrko3AYzy/CervgHKhWXA3FMz1VCncJED4jP/mAD5kloRTErT27JpSi2zpi0XPZjMPu1K4ehW3KbM453k04ZUhcX+QNFa8G+JJ3phOUvrlRtD1nVJGT7S11f3O+Isciy79FFop38zg1TuBOpOJKJBNyiCRDQeErgjzVmN2EINTMA/DIaQw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1T2ewM8FG/daO4Mt8IAP6jg1xhOBhk3EdIGz3cSPu3c=; b=dAIIjSb9Y2YrRBk8D5UeTQpm7mCbXlxtu341AVg0aFmJ5Z1KZmHT2jPQ01gwNCEm9Hc0Q3JeZkb7HQhr/vwVwZF2YACYui8Xcp79u6zJ2b3LGNwWaS+jxph/NpfTn7AmI+IuW/2tSzsUwDfZTUQFT4wwRrVInUgJmRWWF/PSRi4= Received: from BN0PR10MB5128.namprd10.prod.outlook.com (2603:10b6:408:117::24) by BY5PR10MB4308.namprd10.prod.outlook.com (2603:10b6:a03:203::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5632.21; Mon, 19 Sep 2022 18:15:35 +0000 Received: from BN0PR10MB5128.namprd10.prod.outlook.com ([fe80::25d6:da15:34d:92fa]) by BN0PR10MB5128.namprd10.prod.outlook.com ([fe80::25d6:da15:34d:92fa%6]) with mapi id 15.20.5632.021; Mon, 19 Sep 2022 18:15:35 +0000 From: Chuck Lever III To: Trond Myklebust CC: Linux NFS Mailing List , Steve Dickson Subject: Re: NFSv4.0 callback with Kerberos not working Thread-Topic: NFSv4.0 callback with Kerberos not working Thread-Index: AQHYzDztMjvFTe1YQk+Xo2ZaIaryZK3nCq2AgAAEdwA= Date: Mon, 19 Sep 2022 18:15:35 +0000 Message-ID: <1BEBDDFF-EB65-47E4-83F4-DA2F680B940E@oracle.com> References: <4e79b32842427aa92bf62c5c645430bd23b413e4.camel@hammerspace.com> In-Reply-To: <4e79b32842427aa92bf62c5c645430bd23b413e4.camel@hammerspace.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: Apple Mail (2.3696.120.41.1.1) x-ms-publictraffictype: Email x-ms-traffictypediagnostic: BN0PR10MB5128:EE_|BY5PR10MB4308:EE_ x-ms-office365-filtering-correlation-id: 5a215573-90b3-45f2-b17e-08da9a6af29f x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: tRrAHiV15eQh9txvdGblMXl1bIsXKaYIyqpSOTeOm46ZUODXZVsnjb8NFPxYaNvV++jLl8eFSECvqECoFNuWE7oe4kDR4gNCMieGu6EArY3bWrbaSlD+SvVVFmLhKm7eJ8huJ7cte8Mtpm83pJ0z1jupzw6qTDZ+LhK6z85Phw4/kWK54PtH9voPhpeFizlxHwQYU7gwmc9frWw6mL6bgqq9zQdxywYFd6dx9xba5Uln/hWKz9B9h8TgmGk9n4uoC3b/1AZVD3IPoVqN7GPnDzCKZKyX7a2V56a3eVvjPdMPndtdqTjOHoEfAH0lokJKW6o5oTnA73T55aNLLUpMyC6G3cH5zHo1hNeXAYfzv9tCFAPBdhcB59WBoCgrsNK48sK8gbhEwplVlQuQm2mdjNd+AZyEsaMZUTBXRRlj/MGVtW+BESFIfPMkmXOVEsFUqzK/VoP1/sryaePkpr8FfmkLdNVR5wnmCctbA92wl6DBbErUZrm++jGU73hyYA6aZCyrA5ZWVgMka6s+uoZwxruHHu4hvJrstHCtZNZ1R402hg3fVNMh/ZfPWT0UDzEDotepuWQuxEQItL5JAitoeallwAuBxuDKLqwTwk3aWtjBfQFKljf1ijjSQbVttQ+lUu1KEfyqGKKScJtoIIm14orbNpjO7bZetP5F3LRy9CSAzqBS34hQE1mmvLzKZeiWYkGM2paSoLFwlRyzLhAtDe5huCjKVWh46KBBhge2C8P4S4EwApgqbE9+2lzblPi65k76iE1ZYkOGvQzLAdQ8Nd7WVFtjTMYtekHSrhUV9VQ= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BN0PR10MB5128.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(136003)(346002)(376002)(396003)(39860400002)(366004)(451199015)(66556008)(64756008)(76116006)(66946007)(4326008)(5660300002)(8676002)(66476007)(66446008)(6916009)(91956017)(86362001)(8936002)(54906003)(316002)(33656002)(122000001)(38100700002)(83380400001)(53546011)(41300700001)(6486002)(6506007)(71200400001)(478600001)(2616005)(186003)(26005)(6512007)(38070700005)(2906002)(36756003)(45980500001);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?9d16VNx6zxhL3gUsR6jlFKidxW4pss/JjGtyV2Gtk1WLCanL1Rfa4Qq+kNV1?= =?us-ascii?Q?62xuEemT2mEoXYBw5zTLTZQCEXlPARLuBmmH+UpKf3j1MCbVy+0mRB2i6kQ1?= =?us-ascii?Q?p9WR4VxrkFY3bXTJ3fm0IeAjf3P3u6jprMB1j+GfnoK/gXKKCSlmEvcj1kUg?= =?us-ascii?Q?eo2iQjM0EchiJm3I0E+w66SDmZK3ERnGJ22wppE9W2Rv0GSNvYv5c+nSXPJh?= =?us-ascii?Q?uEj2uwSq7jmenRF/LN48JiBZJLFGlkt4MFXaW6JjGSHRD1UlWpEuV+csAtu2?= =?us-ascii?Q?QNm8HJ36f4NKvKjWDfFy3eLg9keMYDpGf2qdvdzhw9aAOggW29zoQGh17MJl?= =?us-ascii?Q?7BRaCpbkLqcegSOBpq16YdRfi6gDvMxeQdfj82nNrSMZxYzNcZk1RbixZSBl?= =?us-ascii?Q?SGypGCu1WsuXyuZPmsJM5IURndcwoPGjX3Ok7sz3dZt2oEVcy8MC8qRPbzo/?= =?us-ascii?Q?l+p2H7PTYErQtaE0YM5r9PY/pGWWKlokcY/Wj5JtN/kltVvbePjsWMyvk8Gl?= =?us-ascii?Q?Hv2j85AQDe5EwjqU12qebDgbO0wur2QH674UHufR0KmYGCgJR/0P2gOPGL18?= =?us-ascii?Q?MLWl62QbSNDG6w8zBRH5EoGPvf4ARPuPe8L8fZ3QzD13RIbrTTryGfLhsFcR?= =?us-ascii?Q?5obeNfsDwAxYuJg9oZCMet2ilRunExeQ45UfJgvhNdnItcoKwBg6oMSnduVz?= =?us-ascii?Q?RfbMNx6izpJNfjWOhIYAMgXYBjA0cTo/5eYG77XIoULDmvC/6/5o8kJVRCsv?= =?us-ascii?Q?b/Lz1OF6XlXP3qNQVZS6Ke7fMbIx/HzZvMygySCQH8062TXoaI6QoijiKcMX?= =?us-ascii?Q?QYc02fRHzP3aplkH5Mxk1ZPoYUYT+wsdenVzLfAPUKdZINKJLE9fzKtmliMH?= =?us-ascii?Q?7GO50eCmbkgULawEptPofNcNSGGVL+6dOOXV7yq5f5wqjlwyQhVqwsIihSze?= =?us-ascii?Q?qWbGn3/pgek0FxPU9QhTvBhFYnYjS6uzJYe+9T4OumavCcmEBRoEqqozifpP?= =?us-ascii?Q?r70Zu1XN0M4cEbHXueUtuTmPQH/T9ThIcWQllhQR09voH21F23E2ei5v+9RY?= =?us-ascii?Q?7p4fU/bHMgFFbWZdKFo7Rthdoki65jCLa9d9yHKzmEclGuVGMGEgXm3RAH1l?= =?us-ascii?Q?tzhlwo0916BQHWRi/aLx5wYAKbzW0GxeVWNBSXPD3uQX5r6CUib0L7vYUZPU?= =?us-ascii?Q?3u1e/oHUJnxLUCTiEUqdOrK/4G4bqshf6pyfio9RrtkxnImFMmhUlJSgxa2Q?= =?us-ascii?Q?nKYQOyubQWwiQia5+BQLbzQtp3bYWGGtZu8j4BdpEg7zec8tMOjSOHZtlgBJ?= =?us-ascii?Q?oRTmKpaD7RU3fp4FRvy+nolOfJkQWuzbzGPD1haHoxOWfIrEYlM5Eg+gpAim?= =?us-ascii?Q?LQYS2cH+P3cOYcRwLDGZQHmn8/1urzF4w1RAXy0qkBVo1bt+Zf2B6EwXwP16?= =?us-ascii?Q?Xh2BPUzm/OXXs7CKiEmpwrsZLr+0j58JG5IelsmcVYbJLzpMsvusDuRqrMca?= =?us-ascii?Q?NFYMxD3djPNOsz7dN39aIdx06uFRnzHkfadMok/si1qjgti/Du/L+g3IzBmY?= =?us-ascii?Q?bHRgS04fx5Md5SCfJiVWd+uRbs1YPUgStI7XTSp1z6LCNmGnt5mCR6w68Ruf?= =?us-ascii?Q?bg=3D=3D?= Content-Type: text/plain; charset="us-ascii" Content-ID: <008F9E1D13E6AF45B3A1133CAD2BA24E@namprd10.prod.outlook.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: BN0PR10MB5128.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 5a215573-90b3-45f2-b17e-08da9a6af29f X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Sep 2022 18:15:35.3641 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: JHazLg3mE4zMf65z/KnxBAio4hhWGR4qMZR9LBFOVTFouyky4tGegk3/IVyYU2UWZg4bEjZViWeMNBQJRhctjw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR10MB4308 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.528,FMLib:17.11.122.1 definitions=2022-09-19_05,2022-09-16_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 mlxlogscore=999 spamscore=0 adultscore=0 mlxscore=0 malwarescore=0 bulkscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000 definitions=main-2209190122 X-Proofpoint-GUID: V6NItoDS_AwaXWIKjcZjwuabFeL7anVQ X-Proofpoint-ORIG-GUID: V6NItoDS_AwaXWIKjcZjwuabFeL7anVQ X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org > On Sep 19, 2022, at 1:59 PM, Trond Myklebust wr= ote: >=20 > On Mon, 2022-09-19 at 15:31 +0000, Chuck Lever III wrote: >> Hi- >>=20 >> I rediscovered recently that NFSv4.0 with Kerberos does not work on >> multi-homed hosts. This is true even with sec=3Dsys because the client >> attempts to establish a GSS context when there is a keytab present. >>=20 >> Basically my test environment has to work for sec=3Dsys and sec=3Dkrb* >> and for all NFS versions and minor versions. Thus I keep a keytab >> on it. >>=20 >> Now, I have three network interfaces on my client: one RoCE, one >> IB, and one GbE. They are each on their own subnet and each has >> a unique hostname (that varies in the domain part). >>=20 >> But mounting one of my IB or RoCE test servers with NFSv4.0 results >> in the infamous "NFSv4: Invalid callback credential" message. The >> client always uses the principal for GbE interface. >>=20 >> This was working at one point, but seems to have devolved over time. >>=20 >>=20 >> Here are some of the problems I found: >>=20 >> 1. The kernel always asks for service=3D* . >>=20 >> If your system's keytab has only "nfs" service principals in it, >> that should be OK. If it has a "host" principal in it, that's >> going to be the first one that gssd picks up. >>=20 >> NFSv4.0 callback does not work with a host@ acceptor -- it wants >> nfs@. >>=20 >> There are two possible workarounds: >>=20 >> a. Remove all but the nfs@ keys from your system's keytab. >>=20 >> b. Modify the kernel to use "service=3Dnfs" in the upcall. >>=20 >=20 > There's also >=20 > c. Put the nfs service principal in its own keytab and use the '-k' > option to tell rpc.gssd where to find it. >=20 > However note that 'host/' is normally the expected > principal name for authenticating as a specific hostname. So I'd expect > clients to want to authenticate using that credential so that it is > matched to the hostname entry in /etc/exports on the server. >=20 > The 'nfs/' would normally be considered a NFS service > principal name, so should really be used by the NFSv4 server to > identify its service (see RFC5661 Section 2.2.1.1.1.3.) rather than > being used by the NFS client. Fair enough, we can leave the client's service name alone. > The same principal is also used by the NFSv4 server to identify itself > when acting as a client to the NFS callback service according to > RFC7530 section 3.3.3. > So what I'm saying is that for the standard NFS client, then '*' is > probably the right thing to use (with a slight preference for 'host/'), > but for the NFS server use case of connecting to the callback service, > it should specify the 'nfs/' prefix. It can do that right now by > setting the clnt->cl_principal. As far as I can tell, the current > behaviour in knfsd is to set it to the same prefix as the server > svc_cred, and to default to 'nfs/' if the server svc_cred doesn't have > such a prefix. The server uses the client-provided service name in this case. If the client authenticates as "host@" then the server will authenticate to the "host@" service on the backchannel. Maybe the only mismatch is that my server is using "host@client.ib.example.net" on the backchannel, and it should be using "host@client.example.net" instead? -- Chuck Lever