From: Kevin Coffman
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option
Date: Mon, 21 Mar 2005 10:11:11 -0500
Message-ID: <20050321151111.1C2051BB62@citi.umich.edu>
References: <20050317125653.70513.qmail@web51608.mail.yahoo.com>
In-reply-to: <20050317125653.70513.qmail@web51608.mail.yahoo.com>
To: mehta kiran
Cc: nfs@lists.sourceforge.net
List-Id: Discussion of NFS under Linux development, interoperability, and testing.

Kiran,

Sorry, I was away for a few days with bad connectivity.

Each time you run the "ktadd" command to create a keytab entry, the key
version number (kvno) for that principal is updated. You cannot simply
modify the kvno for a principal because the kvno is associated with the
key. I'd advise throwing out the keytab on vcslinux5 and creating a new
keytab for that principal.

P.S. Here is what the ktadd command does:

- It generates a new random key value for the principal (with a new key
  version)
- It puts this new key into the Kerberos DB, replacing any previous key
  with a lower kvno
- It puts this new key into the keytab file that was specified

Therefore, each time you run ktadd, the old keytab entry becomes obsolete.

> one more thing.
>
> On machine running kdc,
> entry for vcslinux5 is with kvno 3
> while entry for vcslinux5 on vcslinux5 is with kvno 2.
> Is this making a difference?
>
> thanks,
> --kiran
>
> --- Suresh Jayaram wrote:
>
> > Hi Kiran,
> >
> > Try running rpc.gssd -f -vvv (really verbose and foreground) and
> > rpc.svcgssd -vvv -f
> > and see why it is failing. I had similar problems with NFSv4, before
> > updating all my packages (currently available in CITI website).
> >
> > Possibly the path of libgssapi_krb5.so may not be proper. Check your
> > /etc/gssapi_mech.conf
> >
> > Basically after installation of all packages, you need to create 2
> > principals in kdc server; one for server and one for client and
> > extract them appropriately.
> > Make sure all three machines are in Timesync and hostname of them are
> > resolvable. Run rpc.mountd, rpc.idmapd, rpc.svcgssd and rpc.nfsd in
> > server and rpc.idmapd and rpc.gssd in client.
> >
> > HTH
> > Suresh
> >
> > On Thu, 17 Mar 2005 03:59:52 -0800 (PST), mehta kiran wrote:
> > > Hi Kevin,
> > > I am using RHEL4 GA.
> > > kernel : 2.6.9-5.EL
> > > nfs-utils : nfs-utils-1.0.6-46
> > >
> > > As per what you told, I have added entries on both
> > > client and server.
> > >
> > > *client:vcslinux6#klist -k /etc/krb5.keytab
> > > 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > >
> > > *server:vcslinux5#klist -k /etc/krb5.keytab
> > > 2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > >
> > > *kdc:vcslinux1#klist -k /etc/krb5.keytab
> > > 2 root/admin@VXINDIA.VERITAS.COM
> > > 2 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > 3 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > >
> > > I inserted rpcsec_gss_krb5 module on all machines.
> > > started krb5kdc and kadmind.
> > > started all nfs daemons, rpc.svcgssd, rpc.idmapd on
> > > server and exported filesystem with proper options.
> > >
> > > started rpc.idmapd on client(vcslinux6).
> > > But when I run #rpc.gssd -m -v -f
> > > Mar 17 11:13:03 vcslinux6 kernel: RPC: AUTH_GSS upcall timed out.
> > > Mar 17 11:13:03 vcslinux6 kernel: Please check user daemon is running!
> > >
> > > in log file:
> > > Using keytab file '/etc/krb5.keytab'
> > > WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
> > > ERROR: No usable machine credentials obtained
> > > processing client list
> > >
> > > -------
> > > Then I tried making kvno for vcslinux5 (on kdc) = 2
> > > I could not.
> > > [root@vcslinux1 ~]# kadmin
> > > Authenticating as principal root/admin@VXINDIA.VERITAS.COM with password.
> > > Password for root/admin@VXINDIA.VERITAS.COM:
> > > kadmin: modprinc -kvno 2 nfs/vcslinux5.vxindia.veritas.com
> > > Principal "nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM" modified.
> > > kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > Entry for principal nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/keytab.
> > >
> > > Please let me know where I went wrong.
> > >
> > > --- Kevin Coffman wrote:
> > > > Also, "failed reading uid from krb5 upcall" and "Failed to write error
> > > > downcall" should not normally happen. What versions of kernel and
> > > > nfs-utils do you have?
> > > >
> > > > > > Error in log file on mount
> > > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4258]: WARNING: failed reading uid from krb5 upcall pipe: Success
> > > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
> > > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: ERROR: No usable machine credentials obtained
> > > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Failed to obtain machine credentials for connection to server vcslinux1.vxindia.veritas.com
> > > > > > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server vcslinux1.vxindia.veritas.com
> > > > > > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: Failed to write error downcall!
> > > > > >
> > > > > > thanks,
> > > > > > --kiran
> === message truncated ===

_______________________________________________
NFS maillist - NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
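
The kvno mismatch discussed in this thread, as an added example that is not part of the original messages: it parses two `klist -k` listings and reports principals whose host keytab holds a lower kvno than a reference listing written by the most recent ktadd. The listings are constructed from the principals and kvnos quoted above, the function names are hypothetical, and the reference listing is assumed to reflect the key version currently in the Kerberos DB.

```python
import re

# One `klist -k` entry: kvno, an optional date/time pair (printed with -t),
# the principal, and an optional "(enctype)" suffix (printed with -e).
ENTRY = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\S+\s+)?(\S+@\S+)(?:\s+\(.*\))?\s*$")


def parse_klist_k(text):
    """Map each principal in `klist -k` output to the highest kvno listed."""
    kvnos = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # the "Keytab name", header and separator lines do not match
            princ = m.group(2)
            kvnos[princ] = max(int(m.group(1)), kvnos.get(princ, -1))
    return kvnos


def stale_keytab_entries(host_listing, reference_listing):
    """Return (principal, host_kvno, reference_kvno) for every principal whose
    host keytab entry is older than the reference, i.e. obsoleted by a ktadd."""
    host = parse_klist_k(host_listing)
    reference = parse_klist_k(reference_listing)
    return [(p, k, reference[p]) for p, k in sorted(host.items())
            if p in reference and k < reference[p]]


# Constructed sample input: keytab on the NFS server (vcslinux5).
HOST_VCSLINUX5 = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
"""

# Constructed sample input: listing on the KDC host (vcslinux1).
REFERENCE_VCSLINUX1 = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 root/admin@VXINDIA.VERITAS.COM
   2 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
   3 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
   2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
"""

if __name__ == "__main__":
    for princ, have, want in stale_keytab_entries(HOST_VCSLINUX5, REFERENCE_VCSLINUX1):
        print(f"{princ}: keytab has kvno {have}, reference has kvno {want}; "
              "create a new keytab for this principal")
```

A principal that appears several times in one keytab (old and new key versions, or several encryption types) is compared by its highest kvno.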