From: mehta kiran
To: Suresh Jayaram
Cc: Kevin Coffman, nfs@lists.sourceforge.net
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option
Date: Thu, 17 Mar 2005 23:43:57 -0800 (PST)
Message-ID: <20050318074358.12947.qmail@web51604.mail.yahoo.com>

Hi,

I tried with new library.
libgssapi-0.2 and librpcsecgss-0.4 got installed in /usr/local/lib.
Entry in /etc/gssapi_mech.conf has entry as

    /usr/lib/libgssapi_krb5.so mechglue_internal_krb5_init

Still I get error while starting rpc.gssd

    [root@vcslinux6 ~]# rpc.gssd -f -vvv
    Using keytab file '/etc/krb5.keytab'
    Processing keytab entry for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM'
    We will use this entry (nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM)
    WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
    ERROR: No usable machine credentials obtained
    processing client list

and while mounting it says:

    rpc.gssd may not be running...

Maybe I am going wrong in procedure of adding entries in keytab.

Steps.
On machine running KDC:
1. create database using kdb5_util create -s.
2. using "kadmin.local" interface
       addprinc root/admin
       ktadd -e des-cbc-crc:normal -k /tmp/keytab root/admin
       addprinc nfs/vcslinux5.vxindia.veritas.com
       ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com
       addprinc nfs/vcslinux6.vxindia.veritas.com
       ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux6.vxindia.veritas.com
3. At the end do cp /tmp/keytab /etc/krb5.keytab.
4. Output of klist -k /etc/krb5.keytab
       2 root/admin@VXINDIA.VERITAS.COM
       2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
       2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM

Machine running nfs server (vcslinux5)
1. create database using kdb5_util create -s
2. using "kadmin.local" interface create entry for
   nfs/vcslinux5.vxindia.veritas.com
3. output of klist -k /etc/krb5.keytab
       2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM

Similarly on machine running nfs client (vcslinux6),
after making entry using kadmin.local interface for it,
output of klist -k /etc/krb5.keytab
       2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM

On "all" the machines, /etc/krb.conf has following
entries for realms and domain_realms

    [realms]
     VXINDIA.VERITAS.COM = {
      kdc = vcslinux1.vxindia.veritas.com:88
      admin_server = vcslinux1.vxindia.veritas.com:749
      default_domain = vxindia.veritas.com
     }

    [domain_realm]
     .vxindia.veritas.com = VXINDIA.VERITAS.COM
     vxindia.veritas.com = VXINDIA.VERITAS.COM

Did I go wrong anywhere?

--thanks,
--kiran

--- Suresh Jayaram wrote:

> Hi Kiran,
>
> Run rpc.gssd also in verbose mode
> >>RPC: AUTH_GSS upcall timed out.
> This means rpc.gssd is not running.
> Check gssapi_mech.conf in client machine also.
> Those Warning messages you can ignore..
>
> Update your libgssapi and librpcsecgss packages
> (libgssapi-0.2 and librpcsecgss-0.4)
>
> HTH
> Suresh
>
>
> On Thu, 17 Mar 2005 04:56:53 -0800 (PST), mehta kiran wrote:
> > one more thing.
> >
> > On machine running kdc,
> >
> > entry for vcslinux5 is with kvno 3
> > while entry for vcslinux5 on vcslinux5 is with kvno
> > 2. Is this making a difference
> >
> > thanks,
> > --kiran
> >
> > --- Suresh Jayaram wrote:
> >
> > > Hi Kiran,
> > >
> > > Try running rpc.gssd -f -vvv (really verbose and foreground) and
> > > rpc.svcgssd -vvv -f
> > > and see why it is failing. I had similar problems with NFSv4, before
> > > updating all my packages (currently available in CITI website).
> > >
> > > Possibly the path of libgssapi_krb5.so may not be proper. Check your
> > > /etc/gssapi_mech.conf
> > >
> > > Basically after installation of all packages, you need to create 2
> > > principals in kdc server; one for server and one for client and
> > > extract them appropriately.
> > > Make sure all three machines are in Timesync and hostname of them are
> > > resolvable. Run rpc.mountd, rpc.idmapd, rpc.svcgssd and rpc.nfsd in
> > > server and rpc.idmapd and rpc.gssd in client.
> > >
> > > HTH
> > > Suresh
> > >
> > >
> > > On Thu, 17 Mar 2005 03:59:52 -0800 (PST), mehta kiran wrote:
> > > > Hi kevin,
> > > > I am using RHEL4 GA.
> > > > kernel : 2.6.9-5.EL
> > > > nfs-utils : nfs-utils-1.0.6-46
> > > >
> > > > As per what you told, I have added entries on both
> > > > client and server.
> > > >
> > > > *client:vcslinux6#klist -k /etc/krb5.keytab
> > > >    2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > >
> > > > *server:vcslinux5#klist -k /etc/krb5.keytab
> > > >
> > > >    2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > >
> > > > *kdc:vcslinux1#klist -k /etc/krb5.keytab
> > > >
> > > >    2 root/admin@VXINDIA.VERITAS.COM
> > > >    2 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > >    3 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > >    2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > >
> > > > I inserted rpcsec_gss_krb5 module on all machines.
> > > > started krb5kdc and kadmind.
> > > > started all nfs daemons, rpc.svcgssd, rpc.idmapd on
> > > > server and exported filesystem with proper options.
> > > >
> > > > started rpc.idmapd on client (vcslinux6).
> > > > But when I run #rpc.gssd -m -v -f
> > > > Mar 17 11:13:03 vcslinux6 kernel: RPC: AUTH_GSS upcall timed out.
> > > > Mar 17 11:13:03 vcslinux6 kernel: Please check user daemon is running!
> > > >
> > > > in log file:
> > > > Using keytab file '/etc/krb5.keytab'
> > > > WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
> > > > ERROR: No usable machine credentials obtained
> > > > processing client list
> > > >
> > > > -------
> > > > Then I tried making kvno for vcslinux5 (on kdc) = 2
> > > > I could not.
> > > > [root@vcslinux1 ~]# kadmin
> > > > Authenticating as principal root/admin@VXINDIA.VERITAS.COM with password.
> > > > Password for root/admin@VXINDIA.VERITAS.COM:
> > > > kadmin: modprinc -kvno 2 nfs/vcslinux5.vxindia.veritas.com
> > > > Principal "nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM" modified.
> > > > kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > Entry for principal nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/keytab.
> > > >
> > > > Please let me know where I went wrong.
> > > >
> > > > --- Kevin Coffman wrote:
> > > > > Also, "failed reading uid from krb5 upcall" and
> > > > > "Failed to write error downcall" should not normally happen.
> > > > > What versions of kernel and nfs-utils do you have?
> > > > >
> > > > >
> > > > > > > Error in log file on mount
> > > > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4258]: WARNING: failed reading uid from krb5 upcall pipe: Success
> > > > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Key table entry not found while getting initial
=== message truncated ===
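
The kvno comparison raised in this thread, as an added example that is not part of the original message: with MIT kadmin, ktadd by default generates a new random key for the principal and increments its kvno, so a keytab extracted before a later ktadd holds a key that is no longer current. The script compares two `klist -k` listings; the function names are hypothetical and the sample listings are constructed from the kvno/principal pairs quoted above, with klist's usual header lines added.

```shell
#!/bin/sh
# Added example: flag principals whose kvno differs between two `klist -k`
# listings. Listings are constructed from the kvno/principal pairs in the thread.
# Assumes plain `klist -k` or `klist -ke` output (no -t timestamp column).
HDR='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------'
KDC_LIST="$HDR
   2 root/admin@VXINDIA.VERITAS.COM
   2 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
   3 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
   2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM"
SERVER_LIST="$HDR
   2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM"
CLIENT_LIST="$HDR
   2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM"

# keytab_kvnos LISTING: print "principal kvno", keeping the highest kvno per
# principal (a keytab may hold several enctypes or old key versions).
keytab_kvnos() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            if (!($2 in max) || $1 + 0 > max[$2]) max[$2] = $1 + 0
        }
        END { for (p in max) print p, max[p] }' | sort
}

# kvno_mismatches REFERENCE HOST: report principals present in both listings
# whose kvno differs; principals found in only one listing are ignored.
kvno_mismatches() {
    ref=$(keytab_kvnos "$1")
    keytab_kvnos "$2" | while read -r princ kvno; do
        [ -n "$princ" ] || continue
        ref_kvno=$(printf '%s\n' "$ref" | awk -v p="$princ" '$1 == p { print $2 }')
        if [ -n "$ref_kvno" ] && [ "$ref_kvno" != "$kvno" ]; then
            echo "MISMATCH $princ reference=$ref_kvno host=$kvno"
        fi
    done
}

echo "server keytab vs KDC host keytab:"
kvno_mismatches "$KDC_LIST" "$SERVER_LIST"
echo "client keytab vs KDC host keytab:"
kvno_mismatches "$KDC_LIST" "$CLIENT_LIST"
```

On a live system the two arguments would be the output of `klist -k /etc/krb5.keytab` captured on each host. Equal kvnos do not prove the keys match, so a clean result here only rules out the version skew.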