2007-10-30 16:14:43

by Felderi Santiago

Subject: Kerberized NFSv4 with AD - Errors received

Hello everyone,

I am working on trying to get Kerberized NFSv4 working with AD. At this
point everything seems to be setup correctly. The machine has been joined
to AD, the keytab has been updated with the appropriate entries and the
computer account has the appropriate servicePrincipal and userPrincipal
Names. The Kerberized NFS Share resides on a Filer.

When trying to mount the share on the client side I get the following error
messages.

Does anyone understand why we're getting this error? Any help or insight
would be very appreciated.

Thanks!

Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: processing client list
Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: processing client list
Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: handling krb5 upcall
Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: Using keytab file '/etc/krb5.keytab'
Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_<DOMAIN>' are good until 1193722038
Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: using FILE:/tmp/krb5cc_machine_<DOMAIN> as credentials cache for machine creds
Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_<DOMAIN>
Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: creating context using euid 0 (save_uid 0)
Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: creating tcp client for server prod-fs-sv1.<domainname>
Oct 29 20:03:34 dev-unix-shell01 rpc.gssd[3284]: creating context with server nfs@prod-fs-sv1.<domain_name>
Oct 29 20:03:34 dev-unix-shell01 rpc.gssd[3284]: DEBUG: serialize_krb5_ctx: lucid version!
Oct 29 20:03:34 dev-unix-shell01 rpc.gssd[3284]: doing downcall
Oct 29 20:03:34 dev-unix-shell01 rpc.gssd[3284]: processing client list



2007-10-30 16:40:33

by Kevin Coffman

Subject: Re: Kerberized NFSv4 with AD - Errors received

On 10/30/07, Felderi Santiago <[email protected]> wrote:
> Hello everyone,
>
> I am working on trying to get Kerberized NFSv4 working with AD. At this
> point everything seems to be setup correctly. The machine has been joined
> to AD, the keytab has been updated with the appropriate entries and the
> computer account has the appropriate servicePrincipal and userPrincipal
> Names. The Kerberized NFS Share resides on a Filer.
>
> When trying to mount the share on the client side I get the following error
> messages.
>
> Does anyone understand why we're getting this error? Any help or insight
> would be very appreciated.
>
> Thanks!
>
> Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: processing client list
> Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: processing client list
> Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: handling krb5 upcall
> Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: Using keytab file '/etc/krb5.keytab'
> Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_<DOMAIN>' are good until 1193722038
> Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: using FILE:/tmp/krb5cc_machine_<DOMAIN> as credentials cache for machine creds
> Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_<DOMAIN>
> Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: creating context using euid 0 (save_uid 0)
> Oct 29 20:03:33 dev-unix-shell01 rpc.gssd[3284]: creating tcp client for server prod-fs-sv1.<domainname>
> Oct 29 20:03:34 dev-unix-shell01 rpc.gssd[3284]: creating context with server nfs@prod-fs-sv1.<domain_name>
> Oct 29 20:03:34 dev-unix-shell01 rpc.gssd[3284]: DEBUG: serialize_krb5_ctx: lucid version!
> Oct 29 20:03:34 dev-unix-shell01 rpc.gssd[3284]: doing downcall
> Oct 29 20:03:34 dev-unix-shell01 rpc.gssd[3284]: processing client list

There is no error message here. This is all normal, apparently
successful, debug output.

What error are you seeing?

BTW, you said, "the keytab has been updated with the appropriate
entries". I'm not sure what this means, but I hope it does not mean
that keys for non-supported enctypes were simply manually removed from
the keytab file using ktutil.

K.C.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs

2007-10-30 20:02:54

by Felderi Santiago

Subject: Re: Kerberized NFSv4 with AD - Errors received

We're not really seeing an error per se, but the Kerberized mount is not
working.

Sorry for not being clear. I updated the keytab and included additional
servicePrincipalNames for nfs, so nfs/hostname.domainname.com. I also
changed the UPN of the computer account.

I am testing on:

SUSE SLES 10 SP1 with nfs-utils-1.0.7-36.26

I ran a Network trace and see a Kerberos error which is a step in the right
direction in terms of figuring out what's going on. I used Wireshark and
see the following. Hmmm...wonder what's going on.

134 2.775752 172.17.0.159 172.17.0.44 KRB5 KRB Error:
KRB5KRB_ERR_RESPONSE_TOO_BIG[Packet size limited during capture]

Thanks for the help!

Fel.


2007-10-30 20:51:42

by Kevin Coffman

Subject: Re: Kerberized NFSv4 with AD - Errors received

AD is trying to include PAC information in the ticket, which makes the
packets too big for UDP. It should switch to TCP if possible. There
is an option to tell AD not to include PAC information for a given
service principal. I don't recall exactly what it is, or how to set
it.

The client thinks that a context was negotiated, so I think you are
getting past that. Are there error messages on the server? Can you
send me the packet trace?

K.C.


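Fel's Wireshark line (KRB5KRB_ERR_RESPONSE_TOO_BIG from 172.17.0.159) and Kevin's explanation (the PAC-laden reply exceeds the UDP limit, so the client has to retry over TCP) can be checked mechanically against the trace. The script below is an added example, not code from this thread or from nfs-utils; it assumes the capture was exported with the tshark field list shown in its docstring, and its sample rows are constructed, modelled on frame 134 above.

```python
"""Did the Kerberos client fall back to TCP after KRB_ERR_RESPONSE_TOO_BIG?
Rows are tab-separated, assumed to be exported with:
  tshark -r trace.pcap -Y kerberos -T fields -e frame.number -e ip.src \
         -e ip.dst -e ip.proto -e kerberos.msg_type -e kerberos.error_code
"""
from collections import namedtuple

RESPONSE_TOO_BIG = 52  # RFC 4120 KRB_ERR_RESPONSE_TOO_BIG
MSG_TYPE = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 30: "KRB-ERROR"}
TRANSPORT = {6: "tcp", 17: "udp"}
Pkt = namedtuple("Pkt", "frame src dst transport msg err")

def parse_rows(text):
    """Turn tshark field rows into Pkt records; error code is empty for non-errors."""
    pkts = []
    for line in text.splitlines():
        if not line:
            continue
        frame, src, dst, proto, msg, err = line.split("\t")
        pkts.append(Pkt(int(frame), src, dst, TRANSPORT.get(int(proto), "?"),
                        MSG_TYPE.get(int(msg), "?"), int(err) if err else None))
    return pkts

def check_tcp_fallback(pkts):
    """For each KDC that answered RESPONSE_TOO_BIG, report whether the client
    re-sent its request over TCP and got a reply there."""
    verdicts = {}
    for i, p in enumerate(pkts):
        if not (p.msg == "KRB-ERROR" and p.err == RESPONSE_TOO_BIG):
            continue
        kdc, client, later = p.src, p.dst, pkts[i + 1:]
        retried = any(q.src == client and q.dst == kdc and q.transport == "tcp"
                      and q.msg.endswith("REQ") for q in later)
        answered = any(q.src == kdc and q.dst == client and q.transport == "tcp"
                       and q.msg.endswith("REP") for q in later)
        verdicts[kdc] = "ok" if retried and answered else "no-tcp-retry"
    return verdicts

# Constructed sample modelled on frame 134 in the thread: KDC 172.17.0.159 rejects
# a UDP TGS-REQ from 172.17.0.44 as too big; the client retries over TCP and succeeds.
HEALTHY = ("133\t172.17.0.44\t172.17.0.159\t17\t12\t\n"
           "134\t172.17.0.159\t172.17.0.44\t17\t30\t52\n"
           "135\t172.17.0.44\t172.17.0.159\t6\t12\t\n"
           "136\t172.17.0.159\t172.17.0.44\t6\t13\t\n")
# Constructed sample: same error, but the client keeps retrying over UDP.
STUCK = ("133\t172.17.0.44\t172.17.0.159\t17\t12\t\n"
         "134\t172.17.0.159\t172.17.0.44\t17\t30\t52\n"
         "135\t172.17.0.44\t172.17.0.159\t17\t12\t\n"
         "136\t172.17.0.159\t172.17.0.44\t17\t30\t52\n")
```

A "no-tcp-retry" verdict points at the client: an MIT Kerberos client can be told to use TCP from the start with udp_preference_limit = 1 in the [libdefaults] section of krb5.conf, which sidesteps the UDP size limit without touching the AD service account.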