2005-03-17 11:59:59

by mehta kiran

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

Hi Kevin,
I am using RHEL4 GA.
kernel : 2.6.9-5.EL
nfs-utils : nfs-utils-1.0.6-46

As per what you told, I have added entries on both
client and server.

*client:vcslinux6#klist -k /etc/krb5.keytab
2 nfs/[email protected]

*server:vcslinux5#klist -k /etc/krb5.keytab
2 nfs/[email protected]

*kdc:vcslinux1#klist -k /etc/krb5.keytab
2 root/[email protected]
2 nfs/[email protected]
3 nfs/[email protected]
2 nfs/[email protected]

I inserted the rpcsec_gss_krb5 module on all machines.
Started krb5kdc and kadmind.
Started all nfs daemons, rpc.svcgssd, rpc.idmapd on
server and exported filesystem with proper options.

Started rpc.idmapd on client (vcslinux6).
But when I run #rpc.gssd -m -v -f
Mar 17 11:13:03 vcslinux6 kernel: RPC: AUTH_GSS upcall timed out.
Mar 17 11:13:03 vcslinux6 kernel: Please check user daemon is running!

In log file:
Using keytab file '/etc/krb5.keytab'
WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/[email protected]' from keytab 'FILE:/etc/krb5.keytab'
ERROR: No usable machine credentials obtained
processing client list

-------
Then I tried making kvno for vcslinux5 (on kdc) = 2;
I could not.
[root@vcslinux1 ~]# kadmin
Authenticating as principal root/[email protected] with password.
Password for root/[email protected]:
kadmin: modprinc -kvno 2 nfs/vcslinux5.vxindia.veritas.com
Principal "nfs/[email protected]" modified.
kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/[email protected]
Entry for principal nfs/[email protected] with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/keytab.

Please let me know where I went wrong.

--- Kevin Coffman <[email protected]> wrote:
> Also, "failed reading uid from krb5 upcall" and "Failed to write error
> downcall" should not normally happen. What versions of kernel and
> nfs-utils do you have?
>
> > > Error in log file on mount
> > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4258]: WARNING: failed reading uid from krb5 upcall pipe: Success
> > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/[email protected]' from keytab 'FILE:/etc/krb5.keytab'
> > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: ERROR: No usable machine credentials obtained
> > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Failed to obtain machine credentials for connection to server vcslinux1.vxindia.veritas.com
> > > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server vcslinux1.vxindia.veritas.com
> > > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: Failed to write error downcall!
> > >
> > > thanks,
> > > --kiran

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs


2005-03-17 12:27:44

by Suresh Jayaram

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

Hi Kiran,

Try running rpc.gssd -f -vvv (really verbose and foreground) and
rpc.svcgssd -vvv -f
and see why it is failing. I had similar problems with NFSv4, before
updating all my packages (currently available on the CITI website).

Possibly the path of libgssapi_krb5.so may not be proper. Check your
/etc/gssapi_mech.conf

Basically after installation of all packages, you need to create 2
principals in kdc server; one for server and one for client and
extract them appropriately.
Make sure all three machines are in time sync and their hostnames are
resolvable. Run rpc.mountd, rpc.idmapd, rpc.svcgssd and rpc.nfsd on the
server and rpc.idmapd and rpc.gssd on the client.

HTH
Suresh



--
"Good Luck is when preparation meets opportunity"



2005-03-17 12:53:22

by mehta kiran

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

Hi Suresh,
#rpc.gssd -f -vvv shows the same output.
#rpc.svcgssd -f -vvv gives
WARNING: unable to locate function krb5_gss_internal_release_oid in krb5 mechanism library: there will be problems if multiple mechanisms are used!
entering poll

/etc/gssmech.conf file has entry

/usr/lib/libgssapi_krb5.so mechglue_internal_krb5_init

and this library exists in /usr/lib.
All machines are in TimeSync.

thanks,
--kiran



2005-03-17 12:56:59

by mehta kiran

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

One more thing.

On the machine running the KDC, the entry for vcslinux5 is with kvno 3,
while the entry for vcslinux5 on vcslinux5 is with kvno 2.
Is this making a difference?

thanks,
--kiran




2005-03-17 13:47:34

by Suresh Jayaram

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

Hi Kiran,

Run rpc.gssd also in verbose mode.
>>RPC: AUTH_GSS upcall timed out.
This means rpc.gssd is not running.
Check gssapi_mech.conf on the client machine also.
Those warning messages you can ignore.

Update your libgssapi and librpcsecgss packages (libgssapi-0.2 and
librpcsecgss-0.4)

HTH
Suresh



--
"Good Luck is when preparation meets opportunity"



2005-03-18 07:44:06

by mehta kiran

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

Hi,
I tried with the new library.
libgssapi-0.2 and librpcsecgss-0.4 got installed
in /usr/local/lib.

/etc/gssapi_mech.conf has the entry
/usr/lib/libgssapi_krb5.so mechglue_internal_krb5_init

Still I get an error while starting rpc.gssd

[root@vcslinux6 ~]# rpc.gssd -f -vvv
Using keytab file '/etc/krb5.keytab'
Processing keytab entry for principal 'nfs/[email protected]'
We will use this entry (nfs/[email protected])
WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/[email protected]' from keytab 'FILE:/etc/krb5.keytab'
ERROR: No usable machine credentials obtained
processing client list


and while mounting it says:
rpc.gssd may not be running...


Maybe I am going wrong in the procedure of adding
entries in the keytab.

Steps.

On machine running KDC:
1. Create database using kdb5_util create -s.
2. Using "kadmin.local" interface
   addprinc root/admin
   ktadd -e des-cbc-crc:normal -k /tmp/keytab root/admin

   addprinc nfs/vcslinux5.vxindia.veritas.com
   ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com

   addprinc nfs/vcslinux6.vxindia.veritas.com
   ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux6.vxindia.veritas.com
3. At the end do cp /tmp/keytab /etc/krb5.keytab.
4. Output of klist -k /etc/krb5.keytab

2 root/[email protected]
2 nfs/[email protected]
2 nfs/[email protected]

Machine running nfs server (vcslinux5)

1. Create database using kdb5_util create -s
2. Using "kadmin.local" interface create
   entry for nfs/vcslinux5.vxindia.veritas.com
3. Output of klist -k /etc/krb5.keytab

2 nfs/[email protected]

Similarly on machine running nfs client (vcslinux6),
after making entry using kadmin.local interface
for it,
output of klist -k /etc/krb5.keytab

2 nfs/[email protected]

On "all" the machines, /etc/krb.conf
has the following entries for realms and domain_realms
[realms]
 VXINDIA.VERITAS.COM = {
  kdc = vcslinux1.vxindia.veritas.com:88
  admin_server = vcslinux1.vxindia.veritas.com:749
  default_domain = vxindia.veritas.com
 }

[domain_realm]
 .vxindia.veritas.com = VXINDIA.VERITAS.COM
 vxindia.veritas.com = VXINDIA.VERITAS.COM


Did I go wrong anywhere?

--thanks,
--kiran
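
Added example, not part of the original thread: a shell check for the kvno question raised earlier (KDC entry at kvno 3, host keytab at kvno 2) and for keytabs produced by steps like the ones listed in this message. It parses `klist -k` and kadmin `getprinc` output; the hostnames, realm and both listings are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the kvno a host keytab holds with the kvno the KDC
# currently has for the same principal. Hostnames, realm and both listings
# below are constructed sample data; function names are hypothetical.
#
# On a live system the two inputs would come from:
#   klist -k /etc/krb5.keytab             (on the NFS client or server)
#   kadmin -q "getprinc <principal>"      (against the realm's KDC)

# Constructed `klist -k` output from an NFS server's keytab.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/server.example.com@EXAMPLE.COM
   2 host/server.example.com@EXAMPLE.COM
   1 nfs/oldname.example.com@EXAMPLE.COM'

# Constructed `getprinc` output for two principals, concatenated.
KDC_LISTING='Principal: nfs/server.example.com@EXAMPLE.COM
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt
MKey: vno 1
Principal: host/server.example.com@EXAMPLE.COM
Number of keys: 1
Key: vno 2, DES cbc mode with CRC-32, no salt
MKey: vno 1'

# Read `klist -k` text on stdin; print "principal highest_kvno" per principal.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ {
             if (!($2 in k) || $1 + 0 > k[$2]) k[$2] = $1 + 0
         }
         END { for (p in k) print p, k[p] }' | LC_ALL=C sort
}

# Read `getprinc` text on stdin; print "principal highest_kvno" per principal.
# Only lines starting with "Key: vno" count; "MKey: vno" is the master key.
kdc_kvnos() {
    awk '/^Principal: / { p = $2 }
         /^Key: vno /   { v = $3; sub(/,$/, "", v)
                          if (!(p in k) || v + 0 > k[p]) k[p] = v + 0 }
         END { for (p in k) print p, k[p] }' | LC_ALL=C sort
}

# check_keytab KEYTAB_TEXT KDC_TEXT
# One line per keytab principal:
#   OK       kvno numbers agree
#   STALE    keytab is older: ktadd was run again on the KDC after extraction
#   AHEAD    keytab is newer than this KDC database: it was made elsewhere
#   UNKNOWN  the KDC listing has no such principal
check_keytab() {
    {
        printf '%s\n' "$2" | kdc_kvnos    | sed 's/^/K /'
        printf '%s\n' "$1" | keytab_kvnos | sed 's/^/T /'
    } | awk '
        $1 == "K" { kdc[$2] = $3 + 0; next }
        $1 == "T" {
            if (!($2 in kdc))             s = "UNKNOWN"
            else if ($3 + 0 == kdc[$2])   s = "OK"
            else if ($3 + 0 <  kdc[$2])   s = "STALE"
            else                          s = "AHEAD"
            printf "%s %s keytab=%s kdc=%s\n", s, $2, $3, (($2 in kdc) ? kdc[$2] : "-")
        }'
}

# Succeeds only when every keytab principal is reported OK.
keytab_in_sync() {
    ! check_keytab "$1" "$2" | grep -qv '^OK '
}

check_keytab "$KEYTAB_LISTING" "$KDC_LISTING"
```

An OK line only says the version numbers agree: a keytab written by kadmin.local against a different KDC database can carry the same kvno with a different key, and that is one way "Decrypt integrity check failed" arises. Running `kinit -k -t /etc/krb5.keytab <principal>` on the host tests the key itself.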






--- Suresh Jayaram <[email protected]> wrote:

> Hi Kiran,
>
> Run rpc.gssd also in verbose mode
> >>RPC: AUTH_GSS upcall timed out.
> This means rpc.gssd is not running.
> Check gssapi_mech.conf in client machine also.
> Those Warning messages you can ignore..
>
> Update your libgssapi and librpcsecgss packages
> (libgssapi-0.2 and librpcsecgss-0.4)
>
> HTH
> Suresh
>
>
> On Thu, 17 Mar 2005 04:56:53 -0800 (PST), mehta kiran
> <[email protected]> wrote:
> > one more thing.
> >
> > On machine running kdc ,
> >
> > entry for vcslinux5 is with kvno 3
> > while entry for vcslinux5 on vcslinux5 is with kvno
> > 2 . Is this making a difference
> >
> > thanks,
> > --kiran
> >
> > --- Suresh Jayaram <[email protected]> wrote:
> >
> > > Hi Kiran,
> > >
> > > Try running rpc.gssd -f -vvv (really verbose and
> > > foreground) and
> > > rpc.svcgssd -vvv -f
> > > and see why it is failing. I had similar problems
> > > with NFSv4, before
> > > updating all my packages (currently available in
> > > CITI website).
> > >
> > > Possibly the path of libgssapi_krb5.so may not be
> > > proper. Check your
> > > /etc/gssapi_mech.conf
> > >
> > > Basically after installation of all packages, you
> > > need to create 2
> > > principals in kdc server; one for server and one for
> > > client and
> > > extract them appropriately.
> > > Make sure all three machines are in Timesync and
> > > hostname of them are
> > > resolvable. Run rpc.mountd, rpc.idmapd, rpc.svcgssd
> > > and rpc.nfsd in
> > > server and rpc.idmapd and rpc.gssd in client.
> > >
> > > HTH
> > > Suresh

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs

2005-03-18 14:17:09

by Trond Myklebust

[permalink] [raw]
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

On Thu 17.03.2005 at 23:43 (-0800), mehta kiran wrote:

> On machine running KDC:
> 1. create database using kdb5_util create -s.
> 2. using "kadmin.local" interface
> addprinc root/admin
> ktadd -e des-cbc-crc:normal -k /tmp/keytab root/admin
>
> addprinc nfs/vcslinux5.vxindia.veritas.com
> ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com
>
> addprinc nfs/vcslinux6.vxindia.veritas.com
> ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux6.vxindia.veritas.com
> 3. At the end do cp /tmp/keytab /etc/krb5.keytab.
> 4. Output of klist -k /etc/krb5.keytab
>
> 2 root/[email protected]
> 2 nfs/[email protected]
> 2 nfs/[email protected]
>

No. All you want to do is

On machine running KDC:
1. create database using kdb5_util create -s.
2. using "kadmin.local" interface

addprinc root/admin

addprinc nfs/vcslinux5.vxindia.veritas.com
ktadd -e des-cbc-crc:normal -k /tmp/keytab.vcslinux5 nfs/vcslinux5.vxindia.veritas.com

addprinc nfs/vcslinux6.vxindia.veritas.com
ktadd -e des-cbc-crc:normal -k /tmp/keytab.vcslinux6 nfs/vcslinux6.vxindia.veritas.com


Then copy /tmp/keytab.vcslinux5 to /etc/krb5.keytab on vcslinux5,
copy /tmp/keytab.vcslinux6 to /etc/krb5.keytab on vcslinux6,...
Then just delete /tmp/keytab.vcslinux*

scp -p /tmp/keytab.vcslinux5 vcslinux5:/etc/krb5.keytab
scp -p /tmp/keytab.vcslinux6 vcslinux6:/etc/krb5.keytab
rm /tmp/keytab.vcslinux5 /tmp/keytab.vcslinux6

IOW:
- Since the KDC is the trusted server that authenticates your
credentials, you _must_ be using keytabs generated by the KDC on each
client.
- The server does not need to have a copy of the keytab.
- The clients do not need to have a copy of any keytab entry other than
their own.

Your /etc/krb.conf really needs to be a /etc/krb5.conf, but otherwise,
the entries in your mail looked OK.

Cheers,
Trond
--
Trond Myklebust <[email protected]>




2005-03-21 15:11:18

by Kevin Coffman

[permalink] [raw]
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

Kiran,
Sorry, I was away for a few days with bad connectivity.

Each time you run the "ktadd" command to create a keytab entry, the key
version number (kvno) for that principal is updated. You cannot simply
modify the kvno for a principal because the kvno is associated with the
key. I'd advise throwing out the keytab on vcslinux5 and creating a new
keytab for that principal.


P.S. Here is what the ktadd command does:
- It generates a new random key value for the
principal (with a new key version)
- It puts this new key into the Kerberos DB, replacing
any previous key with a lower kvno
- It puts this new key into the keytab file that was
specified

Therefore, each time you run ktadd, the old keytab entry
becomes obsolete.


> one more thing.
>
> On machine running kdc ,
>
> entry for vcslinux5 is with kvno 3
> while entry for vcslinux5 on vcslinux5 is with kvno
> 2 . Is this making a difference
>
> thanks,
> --kiran

2005-03-21 15:45:36

by mehta kiran

[permalink] [raw]
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option


Hi ,
I tried things as directed by Trond in
his previous mail and everything seemed to work
fine initially. but when i rebooted system ,
it started giving error whenever i start rpc.gssd
on client machine.
Error is :

[root@vcslinux6 ~]# Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/[email protected]' from keytab 'FILE:/etc/krb5.keytab'
Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: ERROR: No usable machine credentials obtained


while #klist -k /etc/krb5.keytab gives
2 nfs/[email protected]

I even tried by recreating kerberos database but in
vain. I still get the same error.

I observed one more thing.
Whenever i create principal(other than root/admin) ,
passwords i enter for them during their creation
are not accepted by kinit.

Please let me know where i went wrong.

--thanks,
--kiran









2005-03-21 15:45:41

by mehta kiran

[permalink] [raw]
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option


Hi Kevin,
I tried things as directed by Trond in
his previous mail and everything seemed to work
fine initially. but when i rebooted system ,
it started giving error whenever i start rpc.gssd
on client machine.
Error is :

[root@vcslinux6 ~]# Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/[email protected]' from keytab 'FILE:/etc/krb5.keytab'
Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: ERROR: No usable machine credentials obtained


while #klist -k /etc/krb5.keytab gives
2 nfs/[email protected]

I even tried by recreating kerberos database but in
vain. I still get the same error.

I observed one more thing.
Whenever i create principal(other than root/admin) ,
passwords i enter for them during their creation
are not accepted by kinit.

Please let me know where i went wrong.

--thanks,
--kiran









2005-03-21 21:36:06

by Kevin Coffman

[permalink] [raw]
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

>
> Hi ,
> I tried things as directed by Trond in
> his previous mail and everything seemed to work
> fine initially. but when i rebooted system ,
> it started giving error whenever i start rpc.gssd
> on client machine.
> Error is :
>
> [root@vcslinux6 ~]# Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/[email protected]' from keytab 'FILE:/etc/krb5.keytab'
> Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: ERROR: No usable machine credentials obtained
>
>
> while #klist -k /etc/krb5.keytab gives
> 2 nfs/[email protected]


I'm confused by this, but I do not know what to look for.


> I even tried by recreating kerberos database but in
> vain. I still get the same error.

If you recreated the Kerberos database, you need to
create new principals and keytab files. Did you do this?

> I observed one more thing.
> Whenever i create principal(other than root/admin) ,
> passwords i enter for them during their creation
> are not accepted by kinit.

This is also strange and _might_ be related. How are
you creating the principals -- using kadmin or kadmin.local?
Which principals are you referring to here?

>
> Please let me know where i went wrong.
>
> --thanks,
> --kiran



_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs