From: mehta kiran
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option
Date: Thu, 17 Mar 2005 04:56:53 -0800 (PST)
Message-ID: <20050317125653.70513.qmail@web51608.mail.yahoo.com>
In-Reply-To: <38c3c48605031704277fd7e83c@mail.gmail.com>
To: Suresh Jayaram
Cc: Kevin Coffman, nfs@lists.sourceforge.net

One more thing. On the machine running kdc, the entry for vcslinux5 is
with kvno 3, while the entry for vcslinux5 on vcslinux5 is with kvno 2.
Is this making a difference?

thanks,
--kiran

--- Suresh Jayaram wrote:

> Hi Kiran,
>
> Try running rpc.gssd -f -vvv (really verbose and foreground) and
> rpc.svcgssd -vvv -f
> and see why it is failing. I had similar problems with NFSv4, before
> updating all my packages (currently available in CITI website).
>
> Possibly the path of libgssapi_krb5.so may not be proper. Check your
> /etc/gssapi_mech.conf
>
> Basically after installation of all packages, you need to create 2
> principals in kdc server; one for server and one for client and
> extract them appropriately.
> Make sure all three machines are in Timesync and hostname of them are
> resolvable.
> Run rpc.mountd, rpc.idmapd, rpc.svcgssd and rpc.nfsd in
> server and rpc.idmapd and rpc.gssd in client.
>
> HTH
> Suresh
>
>
> On Thu, 17 Mar 2005 03:59:52 -0800 (PST), mehta kiran wrote:
> > Hi Kevin,
> > I am using RHEL4 GA.
> > kernel : 2.6.9-5.EL
> > nfs-utils : nfs-utils-1.0.6-46
> >
> > As per what you told, I have added entries on both
> > client and server.
> >
> > *client:vcslinux6#klist -k /etc/krb5.keytab
> > 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> >
> > *server:vcslinux5#klist -k /etc/krb5.keytab
> >
> > 2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> >
> > *kdc:vcslinux1#klist -k /etc/krb5.keytab
> >
> > 2 root/admin@VXINDIA.VERITAS.COM
> > 2 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > 3 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> >
> > I inserted rpcsec_gss_krb5 module on all machines.
> > Started krb5kdc and kadmind.
> > Started all nfs daemons, rpc.svcgssd, rpc.idmapd on
> > server and exported filesystem with proper options.
> >
> > Started rpc.idmapd on client (vcslinux6).
> > But when I run #rpc.gssd -m -v -f
> > Mar 17 11:13:03 vcslinux6 kernel: RPC: AUTH_GSS upcall timed out.
> > Mar 17 11:13:03 vcslinux6 kernel: Please check user daemon is running!
> >
> > In log file:
> > Using keytab file '/etc/krb5.keytab'
> > WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
> > ERROR: No usable machine credentials obtained
> > processing client list
> >
> > -------
> > Then I tried making kvno for vcslinux5 (on kdc) = 2.
> > I could not.
> > [root@vcslinux1 ~]# kadmin
> > Authenticating as principal root/admin@VXINDIA.VERITAS.COM with password.
> > Password for root/admin@VXINDIA.VERITAS.COM:
> > kadmin: modprinc -kvno 2 nfs/vcslinux5.vxindia.veritas.com
> > Principal "nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM" modified.
> > kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > Entry for principal nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/keytab.
> >
> > Please let me know where I went wrong.
> >
> > --- Kevin Coffman wrote:
> > > Also, "failed reading uid from krb5 upcall" and
> > > "Failed to write error downcall" should not normally happen.
> > > What versions of kernel and nfs-utils do you have?
> > >
> > > > > Error in log file on mount
> > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4258]: WARNING: failed reading uid from krb5 upcall pipe: Success
> > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
> > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: ERROR: No usable machine credentials obtained
> > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Failed to obtain machine credentials for connection to server vcslinux1.vxindia.veritas.com
> > > > > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server vcslinux1.vxindia.veritas.com
> > > > > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: Failed to write error downcall!
> > > > >
> > > > > thanks,
> > > > > --kiran
> > >
> > > _______________________________________________
> > > NFS maillist - NFS@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/nfs

=== message truncated ===
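
The kvno comparison asked about in this message, as an added example that is not part of the original thread: by default each `ktadd` run generates a new random key and increments the kvno, so a keytab still holding the older kvno carries a key the KDC no longer uses. The function name `kvno_mismatch` and the sample listings (constructed from the `klist -k` values quoted in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare kvno values between two saved `klist -k` listings.
# Usage: kvno_mismatch HOST_LISTING KDC_LISTING
# Prints "principal host=N kdc=M" for every principal present in both
# listings whose highest kvno differs; prints nothing when they agree.
kvno_mismatch() {
    awk '
        # Data rows of klist -k look like "   2 nfs/host@REALM";
        # the title and dashed header rows do not start with a number.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            if (src == "host" && $1 + 0 > host[$2] + 0) host[$2] = $1 + 0
            if (src == "kdc"  && $1 + 0 > kdc[$2] + 0)  kdc[$2]  = $1 + 0
        }
        END {
            for (p in host)
                if ((p in kdc) && host[p] != kdc[p])
                    printf "%s host=%d kdc=%d\n", p, host[p], kdc[p]
        }
    ' src=host "$1" src=kdc "$2" | sort
}

# Constructed sample input, built from the listings quoted in the thread.
demo_dir=$(mktemp -d)

cat > "$demo_dir/vcslinux5.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
EOF

cat > "$demo_dir/kdc.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 root/admin@VXINDIA.VERITAS.COM
   2 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
   3 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
   2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
EOF

# Reports the server principal whose keytab lags behind the KDC listing.
kvno_mismatch "$demo_dir/vcslinux5.txt" "$demo_dir/kdc.txt"
```

A keytab on the KDC host is only a copy; the authoritative kvno is the one the KDC database reports through `getprinc` in `kadmin`.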