From: mehta kiran <kiranmehta1981@yahoo.com>
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option
Date: Thu, 17 Mar 2005 04:56:53 -0800 (PST)
Message-ID: <20050317125653.70513.qmail@web51608.mail.yahoo.com>
References: <38c3c48605031704277fd7e83c@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Kevin Coffman <kwc@citi.umich.edu>, nfs@lists.sourceforge.net
Received: from sc8-sf-mx1-b.sourceforge.net ([10.3.1.11] helo=sc8-sf-mx1.sourceforge.net)
	by sc8-sf-list2.sourceforge.net with esmtp (Exim 4.30)
	id 1DBuYd-0003BN-Nt
	for nfs@lists.sourceforge.net; Thu, 17 Mar 2005 04:56:59 -0800
Received: from web51608.mail.yahoo.com ([206.190.38.213])
	by sc8-sf-mx1.sourceforge.net with smtp (Exim 4.41)
	id 1DBuYc-0008FX-W0
	for nfs@lists.sourceforge.net; Thu, 17 Mar 2005 04:56:59 -0800
To: Suresh Jayaram <sureshjayaram@gmail.com>
In-Reply-To: <38c3c48605031704277fd7e83c@mail.gmail.com>
Sender: nfs-admin@lists.sourceforge.net
Errors-To: nfs-admin@lists.sourceforge.net
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/nfs>,
	<mailto:nfs-request@lists.sourceforge.net?subject=unsubscribe>
List-Id: Discussion of NFS under Linux development,
	interoperability,
	and testing. <nfs.lists.sourceforge.net>
List-Post: <mailto:nfs@lists.sourceforge.net>
List-Help: <mailto:nfs-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/nfs>,
	<mailto:nfs-request@lists.sourceforge.net?subject=subscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum=nfs>

one more thing.

On machine running kdc , 

   entry for vcslinux5 is with kvno 3
   while entry for vcslinux5 on vcslinux5 is with kvno
   2 . Is this making a difference

thanks,
 --kiran



--- Suresh Jayaram <sureshjayaram@gmail.com> wrote:

> Hi Kiran,
> 
> Try running rpc.gssd -f -vvv (really verbose and
> foreground) and
> rpc.svcgssd -vvv -f
> and see why it is failing. I has similar problems
> with NFSv4, before
> updating all my packages (currently available in
> CITI website).
> 
> Possibly the path of libgssapi_krb5.so may not be
> proper. Check your
> /etc/gssapi_mech.conf
> 
> Basically after installation of all packages, you
> need to create 2
> principals in kdc server; one for server and one for
> client and
> extract them appropriately.
> Make sure all three machines are in Timesync and
> hostname of them are
> resolvable. Run rpc.mountd, rpc.idmapd, rpc.svcgssd
> and rpc.nfsd in
> server and rpc.idmapd and rpc.gssd in client.
> 
> HTH
> Suresh
> 
> 
> On Thu, 17 Mar 2005 03:59:52 -0800 (PST), mehta
> kiran
> <kiranmehta1981@yahoo.com> wrote:
> > Hi kevin ,
> > I am using RHEL4 GA.
> > kernel : 2.6.9-5.EL
> > nfs-utils : nfs-utils-1.0.6-46
> > 
> > As per what you told , i have added entries on
> both
> > client and server.
> > 
> > *client:vcslinux6#klist -k /etc/krb5.keytab
> > 2
> >
>
nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > 
> > *server:vcslinux5#klist -k /etc/krb5.keytab
> > 
> > 2
> >
>
nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > 
> > *kdc:vcslinux1#klist -k /etc/krb5.keytab
> > 
> > 2 root/admin@VXINDIA.VERITAS.COM
> > 2
> >
>
nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > 3
> >
>
nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > 2
> >
>
nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > 
> > I inserted rpcsec_gss_krb5 module on all machines.
> > started krb5kdc and kadmind.
> > started all nfs daemons  , rpc.svcgssd ,
> rpc.idmapd on
> > server and exported filesystem with proper
> options.
> > 
> > started rpc.idmapd on client(vcslinux6).
> > But when i run #rpc.gssd -m -v -f
> > Mar 17 11:13:03 vcslinux6 kernel: RPC: AUTH_GSS
> upcall
> > timed out.
> > Mar 17 11:13:03 vcslinux6 kernel: Please check
> user
> > daemon is running!
> > 
> > in log file:
> > Using keytab file '/etc/krb5.keytab'
> > WARNING: Decrypt integrity check failed while
> getting
> > initial ticket for principal
> >
>
'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM'
> > from keytab 'FILE:/etc/krb5.keytab'
> > ERROR: No usable machine credentials obtained
> > processing client list
> > 
> > -------
> > Then i tried making kvno for vcslinux5 (on kdc) =
> 2
> > i could not.
> > [root@vcslinux1 ~]# kadmin
> > Authenticating as principal
> > root/admin@VXINDIA.VERITAS.COM with password.
> > Password for root/admin@VXINDIA.VERITAS.COM:
> > kadmin:  modprinc -kvno 2
> > nfs/vcslinux5.vxindia.veritas.com
> > Principal
> >
>
"nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM"
> > modified.
> > kadmin:  ktadd -e des-cbc-crc:normal -k
> /tmp/keytab
> >
>
nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > Entry for principal
> >
>
nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > with kvno 3, encryption type DES cbc mode with
> CRC-32
> > added to keytab WRFILE:/tmp/keytab.
> > 
> > Please let me know where i went wrong .
> > 
> > --- Kevin Coffman <kwc@citi.umich.edu> wrote:
> > > Also, "failed reading uid from krb5 upcall" and
> > > "Failed to write error
> > > downcall" should not normally happen.  What
> versions
> > > of kernel and
> > > nfs-utils do you have?
> > >
> > >
> > > > > Error in log file on mount
> > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4258]:
> > > WARNING:
> > > > > failed reading uid from krb5 upcall pipe:
> > > Success
> > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]:
> > > WARNING: Key
> > > > > table entry not found while getting initial
> > > ticket for
> > > > > principal
> > > > >
> > >
> >
>
'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM'
> > > > > from keytab 'FILE:/etc/krb5.keytab'
> > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]:
> ERROR:
> > > No
> > > > > usable machine credentials obtained
> > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]:
> > > WARNING:
> > > > > Failed to obtain machine credentials for
> > > connection to
> > > > > server vcslinux1.vxindia.veritas.com
> > > > > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]:
> > > WARNING:
> > > > > Failed to create krb5 context for user with
> uid
> > > 0 with
> > > > > any credentials cache for server
> > > > > vcslinux1.vxindia.veritas.com
> > > > > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]:
> Failed
> > > to
> > > > > write error downcall!
> > > > >
> > > > > thanks,
> > > > >  --kiran
> > >
> > >
> > >
> > >
> >
>
-------------------------------------------------------
> > > SF email is sponsored by - The IT Product Guide
> > > Read honest & candid reviews on hundreds of IT
> > > Products from real users.
> > > Discover which products truly live up to the
> hype.
> > > Start reading now.
> > >
> >
>
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > > _______________________________________________
> > > NFS maillist  -  NFS@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/nfs
> > >
> > 
> > __________________________________
> > Do you Yahoo!?
> > Yahoo! Mail - now with 250MB free storage. Learn
> more.
> > http://info.mail.yahoo.com/mail_250
> > 
> > 
> >
>
-------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT
> Products from real users.
> > Discover which products truly live up to the hype.
> Start reading now.
> >
>
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> 
=== message truncated ===


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs