2008-10-18 13:03:53

by Michael Guntsche

Subject: Kerberos authentication Problem with nfs3/4

Hello list,

I had my kerberised NFS4 and NFS3 setup running in test mode up to the
end of April.
After seeing that there have been changes made to the recent code to
make NFS3+Kerberos work without sec=sys, I tried to mount my exports
again with Kerberos auth enabled.

But for some reason the setup is no longer working. My KDC has not
changed at all, and I did not change a thing in my NFS config either.

My current setup:
Server running 2.6.27
nfs-utils 1.1.3 from Debian.

klist -k from the server:

3 nfs/[email protected] (DES cbc mode with CRC-32)
4 host/[email protected] (Triple DES cbc mode with HMAC/
4 host/[email protected] (DES cbc mode with CRC-32)
4 imap/[email protected] (Triple DES cbc mode with HMAC/
4 imap/[email protected] (DES cbc mode with CRC-32)

For testing purposes I tried mounting the export from the server
itself which also did not work.



Mount command from the server to itself (sec=sys works):

mount -t nfs4 -osec=krb5 gibson:/media/ /mnt

rpc.gssd -vv -f:

beginning poll
handling krb5 upcall
Full hostname for 'gibson.comsick.at' is 'gibson.comsick.at'
Full hostname for 'gibson.comsick.at' is 'gibson.comsick.at'
Key table entry not found while getting keytab entry for 'root/[email protected]
Success getting keytab entry for 'nfs/[email protected]'
Successfully obtained machine credentials for principal 'nfs/[email protected]
' stored in ccache 'FILE:/tmp/krb5cc_machine_COMSICK.AT'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_COMSICK.AT' are good
until 1224370141
using FILE:/tmp/krb5cc_machine_COMSICK.AT as credentials cache for
machine creds
using environment variable to select krb5 ccache FILE:/tmp/
creating context using fsuid 0 (save_uid 0)
creating tcp client for server gibson.comsick.at
creating context with server nfs-F/[email protected]
WARNING: Failed to create krb5 context for user with uid 0 for server
WARNING: Failed to create krb5 context for user with uid 0 with
credentials cache FILE:/tmp/krb5cc_machine_COMSICK.AT for server
WARNING: Failed to create krb5 context for user with uid 0 with any
credentials cache for server gibson.comsick.at
doing error downcall
Failed to write error downcall!
destroying client clntbe
destroying client clntbd

rpc.svcgssd -vvf:

leaving poll
handling null request
sname = nfs/[email protected]
WARNING: get_ids: failed to map name 'nfs/
[email protected]' to uid/gid: Invalid argument
sending null reply
writing message: \x
2147483647 131072 0 \x \x
finished handling null request
entering poll

The mount command returns with

mount.nfs4: access denied by server while mounting gibson:/media/

I tried downgrading the Kerberos server and also the nfs-utils
version. I also tried it with an older kernel version (2.6.25) but the
result was the same. All other Kerberos stuff (ssh, imap) is working,
so I think it has something to do with the NFS setup here.

As you can see the nfs entry is there too.