From: mehta kiran
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option
Date: Tue, 22 Mar 2005 07:15:04 -0800 (PST)
Message-ID: <20050322151504.31072.qmail@web51605.mail.yahoo.com>
References: <20050322141813.CC1CE1BBA5@citi.umich.edu>
In-Reply-To: <20050322141813.CC1CE1BBA5@citi.umich.edu>
To: Kevin Coffman
Cc: nfs@lists.sourceforge.net

Hi Kevin,

As you said, the Kerberos library does a reverse lookup to get the hostname to determine the principal it needs a ticket for. I followed the steps mentioned in my previous mail so that I can access NFS using the same IP on system2 if system1 crashes. While mounting I used NFS.domainname (the entry I added to DNS: NFS.domainname). As the key for NFS.domainname is present on the NFS server, shouldn't the mount be successful? But this is not the case.
Messages on server (vcslinux6):

Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: WARNING: gss_accept_sec_context failed
Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Miscellaneous failure - Wrong principal in request
Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: WARNING: failed to write message
Mar 22 14:05:01 vcslinux6 crond(pam_unix)[6083]: session opened for user root by (uid=0)

Messages on client (vcslinux5):

[root@vcslinux5 ~]# Mar 22 14:04:49 vcslinux5 rpc.gssd[4117]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server vcsnfs.vxindia.veritas.com

Messages on KDC (vcslinux1):

Mar 22 14:33:18 vcslinux1 krb5kdc[4134]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=1 tkt=23 ses=16}, nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM for krbtgt/VXINDIA.VERITAS.COM@VXINDIA.VERITAS.COM
Mar 22 14:33:41 vcslinux1 krb5kdc[4134]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=16 tkt=1 ses=1}, nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM for nfs/vcsnfs.vxindia.veritas.com@VXINDIA.VERITAS.COM
Mar 22 14:33:41 vcslinux1 krb5kdc[4134]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=16 tkt=1 ses=1}, nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM for nfs/vcsnfs.vxindia.veritas.com@VXINDIA.VERITAS.COM

thanks,
--kiran

--- Kevin Coffman wrote:

> I'm happy to hear the normal case is working.
>
> The Kerberos library code does a reverse lookup of the host it is
> trying to connect to in order to obtain the "real" host name. It uses
> that name to determine what principal it needs a ticket for. It would
> help to see the exact messages from rpc.gssd, rpc.svcgssd, and from the
> KDC.
>
> > Hi Kevin,
> > God knows how, but everything is working fine now.
> > I could not figure out why it was failing earlier.
> >
> > I have one question.
> > Is it possible to use a common IP to access machines when Kerberos is running, i.e.
> > I want to access system1 with an IP, say IP.
> > When system1 crashes, I want to start the services of system1 on system2 but want to access system2 with the same IP.
> >
> > What I tried was:
> > create keys (on the machine running the KDC) for all machines in my subnet.
> >
> > After this take an IP and register it with DNS with some name, say NFS.domain.
> > Create a key (on the machine running the KDC) for NFS.domain.
> > For the machines which will run the NFS server, ktadd the respective machine key + ktadd the NFS.domain key and copy the keytab file to the respective machines.
> > For all other machines just ktadd the respective machine key and copy the keytab file to the respective machines.
> > In short,
> > on the machine running the NFS server,
> > #klist -k /etc/krb5.keytab
> > 2 nfs/@
> > 2 nfs/NFS.domainname@
> >
> > for other machines (NFS clients)
> > #klist -k /etc/krb5.keytab
> > 2 nfs/@
> >
> > but when I try to mount exported filesystems from the NFS client, using
> > #mount -t nfs4 -osec=krb5 NFS.domainname:/ /share
> >
> > Failed to create krb5 context for user with uid 0 with any credential cache for server NFS.domainname
> >
> > Everything works well if the genuine server name is used for mounting. The problem arises only when the (virtual IP) NFS.domainname is used.
> >
> > thanks,
> > --kiran
> >
> > --- mehta kiran wrote:
> >
> > > Missed one thing.
> > > I used kadmin.local to create principals (on the machine running the KDC).
> > >
> > > thanks,
> > > --kiran
> > > --- mehta kiran wrote:
> > > > Hi Kevin,
> > > > I created a new database and new principal and keytab files.
> > > >
> > > > Kinit does not accept the password for principals
> > > > nfs/vcslinux5.vxindia.veritas.com
> > > > and
> > > > nfs/vcslinux6.vxindia.veritas.com
> > > >
> > > > Please let me know if I can provide some info (and how) (logs) which can point out the problem.
> > > >
> > > > thanks,
> > > > --kiran
> > > >
> > > > --- Kevin Coffman wrote:
> > > >
> > > > > > Hi,
> > > > > > I tried things as directed by Trond in his previous mail and everything seemed to work fine initially. But when I rebooted the system, it started giving an error whenever I start rpc.gssd on the client machine.
> > > > > > Error is:
> > > > > >
> > > > > > [root@vcslinux6 ~]# Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
> > > > > > Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: ERROR: No usable machine credentials obtained
> > > > > >
> > > > > > while #klist -k /etc/krb5.keytab gives
> > > > > > 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > >
> > > > > I'm confused by this, but I do not know what to look for.
> > > > >
> > > > > > I even tried recreating the Kerberos database but in vain. I still get the same error.
> > > > >
> > > > > If you recreated the Kerberos database, you need to create new principals and keytab files. Did you do this?
> > > > >
> > > > > > I observed one more thing.
> > > > > > Whenever I create a principal (other than root/admin), the passwords I enter for them during their creation are not accepted by kinit.
> > > > >
> > > > > This is also strange and _might_ be related. How are you creating the principals -- using kadmin or kadmin.local?
> > > > > Which principals are you referring to here?
> > > > >
> > > > > > Please let me know where I went wrong.
> > > > > >
> > > > > > --thanks,
> > > > > > --kiran

=== message truncated ===
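The mechanism Kevin describes (forward-resolve the mount target, reverse-resolve the address, build `nfs/<canonical-host>@REALM` from the name that comes back, then see whether the server keytab actually holds that principal) is easy to model as a configuration check. The script below is an added example, not code from this thread or from the nfs-utils or MIT Kerberos projects. It uses constructed `example.com` names, 192.0.2.x addresses and `klist -k` output, and injects fake resolver functions so it runs offline; the two constructed PTR tables show the two outcomes a virtual service address can produce. Real libkrb5 canonicalisation is also governed by the `rdns` and `dns_canonicalize_hostname` settings in `krb5.conf`, which this simplified model does not consult.

```python
import re
import socket

# Constructed sample DNS data (not from the thread): a physical NFS server
# and a "virtual" service name that a client mounts from.
FAKE_A = {
    "vcslinux6.example.com": "192.0.2.6",
    "vcsnfs.example.com": "192.0.2.20",
}
# Two constructed reverse maps: one where the virtual address has its own
# PTR record, one where its PTR points back at the physical host.
PTR_SERVICE_NAME = {"192.0.2.6": "vcslinux6.example.com",
                    "192.0.2.20": "vcsnfs.example.com"}
PTR_PHYSICAL_NAME = {"192.0.2.6": "vcslinux6.example.com",
                     "192.0.2.20": "vcslinux6.example.com"}


def make_resolvers(ptr_table):
    """Build gethostbyname/gethostbyaddr look-alikes over the fake tables."""
    def gethostbyname(name):
        return FAKE_A[name.rstrip(".").lower()]

    def gethostbyaddr(addr):
        # Same (name, aliases, addresses) shape as socket.gethostbyaddr
        return (ptr_table[addr], [], [addr])
    return gethostbyname, gethostbyaddr


def canonical_host(target, gethostbyname=socket.gethostbyname,
                   gethostbyaddr=socket.gethostbyaddr):
    """Forward-resolve the mount target, then reverse-resolve the address:
    the name that comes back is the one the client puts in the principal."""
    addr = gethostbyname(target)
    name, _aliases, _addrs = gethostbyaddr(addr)
    return name.rstrip(".").lower()


def expected_nfs_principal(target, realm, gethostbyname=socket.gethostbyname,
                           gethostbyaddr=socket.gethostbyaddr):
    """Service principal the client will request a ticket for."""
    return "nfs/%s@%s" % (canonical_host(target, gethostbyname, gethostbyaddr), realm)


# One keytab entry line of `klist -k`: "<kvno> <principal@REALM>"
_KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(output):
    """Parse `klist -k` output into {principal: [kvno, ...]}; header lines are skipped."""
    entries = {}
    for line in output.splitlines():
        m = _KLIST_ENTRY.match(line)
        if m:
            entries.setdefault(m.group(2), []).append(int(m.group(1)))
    return entries


def check_server_keytab(target, realm, klist_output,
                        gethostbyname=socket.gethostbyname,
                        gethostbyaddr=socket.gethostbyaddr):
    """Return (principal the client will request, its kvnos in the server
    keytab, or None when the keytab has no key for that principal)."""
    princ = expected_nfs_principal(target, realm, gethostbyname, gethostbyaddr)
    return princ, parse_klist(klist_output).get(princ)


# Constructed `klist -k` outputs: a server keytab carrying both names, and one
# carrying only the physical host's key.
SERVER_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/vcslinux6.example.com@EXAMPLE.COM
   2 nfs/vcsnfs.example.com@EXAMPLE.COM
"""
PHYSICAL_ONLY_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/vcslinux6.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    for ptr_label, ptr in (("PTR -> service name", PTR_SERVICE_NAME),
                           ("PTR -> physical name", PTR_PHYSICAL_NAME)):
        fwd, rev = make_resolvers(ptr)
        for kt_label, kt in (("full keytab", SERVER_KLIST),
                             ("physical-only keytab", PHYSICAL_ONLY_KLIST)):
            princ, kvnos = check_server_keytab("vcsnfs.example.com", "EXAMPLE.COM",
                                               kt, fwd, rev)
            status = "present, kvno %s" % kvnos if kvnos else "MISSING from server keytab"
            print("%-22s %-22s client asks for %s -> %s" % (ptr_label, kt_label, princ, status))
```

Against a live system, drop the injected resolvers so the real `socket` calls run on the client, and feed `check_server_keytab` the output of `klist -k` captured on the server; a `None` result means the principal the client derives is not one the server can decrypt a ticket for, which is the first thing to rule out when a mount by virtual name fails while a mount by the physical name succeeds.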