Gentoo Forums
NFSv4 krb5 and no credentials error
ismell
n00b
Joined: 31 Jan 2007
Posts: 8
Location: Colorado

Posted: Sat Feb 04, 2012 12:17 am    Post subject: NFSv4 krb5 and no credentials error

Hello,
I'm trying to get NFSv4 to play nice with krb5.

I have krb installed and configured correctly (I think?).

I can do a kinit as root and I get back the following

Code:


devbox linux # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: devbox$@AD.ISMELL.ORG

Valid starting     Expires            Service principal
02/03/12 16:12:15  02/04/12 02:12:10  krbtgt/AD.ISMELL.ORG@AD.ISMELL.ORG
        renew until 02/04/12 02:12:15
02/03/12 16:12:13  02/04/12 02:12:10  ldap/oracle.ad.ismell.org@AD.ISMELL.ORG
        renew until 02/04/12 02:12:15


I have the following keytab

Code:

devbox linux # klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 devbox$@AD.ISMELL.ORG (des-cbc-crc)
   2 devbox$@AD.ISMELL.ORG (des-cbc-md5)
   2 devbox$@AD.ISMELL.ORG (arcfour-hmac)
   2 devbox$@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 devbox$@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)


The problem happens when I try and mount an NFS share.

I get the following:

Code:

devbox linux # mount.nfs4 staypuft:/volumes/storage/iso /tmp/iso -o sec=krb5 -vvv
mount.nfs4: timeout set for Fri Feb  3 17:16:10 2012
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.254,clientaddr=10.0.0.105'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting staypuft:/volumes/storage/iso



When looking at the logs I see this

Code:

Feb  3 17:10:16 devbox rpc.gssd[13207]: dir_notify_handler: sig 37 si 0xbfd429cc data 0xbfd42a4c
Feb  3 17:10:16 devbox rpc.gssd[13207]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt10)
Feb  3 17:10:16 devbox rpc.gssd[13207]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Feb  3 17:10:16 devbox rpc.gssd[13207]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt10)
Feb  3 17:10:16 devbox rpc.gssd[13207]: process_krb5_upcall: service is '<null>'
Feb  3 17:10:16 devbox rpc.gssd[13207]: Full hostname for 'staypuft.ad.ismell.org' is 'staypuft.ad.ismell.org'
Feb  3 17:10:16 devbox rpc.gssd[13207]: Full hostname for 'devbox.ad.ismell.org' is 'devbox.ad.ismell.org'
Feb  3 17:10:16 devbox rpc.gssd[13207]: Success getting keytab entry for 'root/devbox.ad.ismell.org@AD.ISMELL.ORG'
Feb  3 17:10:16 devbox rpc.gssd[13207]: WARNING: Client not found in Kerberos database while getting initial ticket for principal 'root/devbox.ad.ismell.org@AD.ISMELL.ORG' using keytab 'WRFILE:/etc/krb5.keytab'
Feb  3 17:10:16 devbox rpc.gssd[13207]: ERROR: No credentials found for connection to server staypuft.ad.ismell.org
Feb  3 17:10:16 devbox rpc.gssd[13207]: doing error downcall
Feb  3 17:10:16 devbox rpc.gssd[13207]: dir_notify_handler: sig 37 si 0xbfd429cc data 0xbfd42a4c
Feb  3 17:10:16 devbox rpc.gssd[13207]: dir_notify_handler: sig 37 si 0xbfd429cc data 0xbfd42a4c
Feb  3 17:10:16 devbox rpc.gssd[13207]: dir_notify_handler: sig 37 si 0xbfd429cc data 0xbfd42a4c
Feb  3 17:10:16 devbox rpc.gssd[13207]: dir_notify_handler: sig 37 si 0xbfd429cc data 0xbfd42a4c
Feb  3 17:10:16 devbox rpc.gssd[13207]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt10


I don't know why I keep getting a no credentials found error. I don't know how else to debug this. If anyone has any idea on how to fix this or just some tips on what else I can be trying that would really help.

Thanks,
Raul
ismell
Posted: Sat Feb 04, 2012 7:43 pm

So I updated to nfs-utils 1.2.5 and changed my keytab like so.

Code:
devbox nfs-utils-1.2.3 # klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 DEVBOX$@AD.ISMELL.ORG (des-cbc-crc)
   2 DEVBOX$@AD.ISMELL.ORG (des-cbc-md5)
   2 DEVBOX$@AD.ISMELL.ORG (arcfour-hmac)
   2 DEVBOX$@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 DEVBOX$@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)


* I made the computer name capital.

Now I get this in my logs

Code:
Feb  4 12:41:08 devbox rpc.gssd[13014]: dir_notify_handler: sig 37 si 0xbf9f2cac data 0xbf9f2d2c
Feb  4 12:41:08 devbox rpc.gssd[13014]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt15)
Feb  4 12:41:08 devbox rpc.gssd[13014]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Feb  4 12:41:08 devbox rpc.gssd[13014]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt15)
Feb  4 12:41:08 devbox rpc.gssd[13014]: process_krb5_upcall: service is '<null>'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Full hostname for 'staypuft.ad.ismell.org' is 'staypuft.ad.ismell.org'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Full hostname for 'devbox.ad.ismell.org' is 'devbox.ad.ismell.org'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Success getting keytab entry for 'DEVBOX$@AD.ISMELL.ORG'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Successfully obtained machine credentials for principal 'DEVBOX$@AD.ISMELL.ORG' stored in ccache 'FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG'
Feb  4 12:41:08 devbox rpc.gssd[13014]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG' are good until 1328420464
Feb  4 12:41:08 devbox rpc.gssd[13014]: using FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG as credentials cache for machine creds
Feb  4 12:41:08 devbox rpc.gssd[13014]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating context using fsuid 0 (save_uid 0)
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating tcp client for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: DEBUG: port already set to 2049
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating context with server nfs@staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create krb5 context for user with uid 0 for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: Full hostname for 'staypuft.ad.ismell.org' is 'staypuft.ad.ismell.org'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Full hostname for 'devbox.ad.ismell.org' is 'devbox.ad.ismell.org'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Success getting keytab entry for 'DEVBOX$@AD.ISMELL.ORG'
Feb  4 12:41:08 devbox rpc.gssd[13014]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG' are good until 1328420464
Feb  4 12:41:08 devbox rpc.gssd[13014]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG' are good until 1328420464
Feb  4 12:41:08 devbox rpc.gssd[13014]: using FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG as credentials cache for machine creds
Feb  4 12:41:08 devbox rpc.gssd[13014]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating context using fsuid 0 (save_uid 0)
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating tcp client for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: DEBUG: port already set to 2049
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating context with server nfs@staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create krb5 context for user with uid 0 for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create machine krb5 context with any credentials cache for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: doing error downcall
Feb  4 12:41:08 devbox rpc.gssd[13014]: dir_notify_handler: sig 37 si 0xbf9f2cac data 0xbf9f2d2c
Feb  4 12:41:08 devbox rpc.gssd[13014]: dir_notify_handler: sig 37 si 0xbf9f2cac data 0xbf9f2d2c
Feb  4 12:41:08 devbox rpc.gssd[13014]: dir_notify_handler: sig 37 si 0xbf9f2cac data 0xbf9f2d2c
Feb  4 12:41:08 devbox rpc.gssd[13014]: dir_notify_handler: sig 37 si 0xbf9f2cac data 0xbf9f2d2c
Feb  4 12:41:08 devbox rpc.gssd[13014]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt15



This being the relevant part
Code:

Feb  4 12:41:08 devbox rpc.gssd[13014]: creating context with server nfs@staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create krb5 context for user with uid 0 for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create machine krb5 context with any credentials cache for server staypuft.ad.ismell.org


It says it's creating context with nfs@staypuft.ad.ismell.org. Is that correct? Shouldn't it be creating a context with nfs/staypuft.ad.ismell.org@AD.ISMELL.ORG?

Is this a bug in nfs-utils?

Thanks,
Raul
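
An added example, not part of the original posts and not nfs-utils code: a small triage of the rpc.gssd messages quoted in both posts, separating a failure to get the initial ticket for the keytab principal from a failure to establish the GSS context with the server. It also rewrites the GSS-API host-based name nfs@host into the nfs/host@REALM principal form; taking the realm from the client principal is an assumption, and the function names are hypothetical.

```python
import re

# Constructed samples: rpc.gssd lines abridged from the two logs quoted above.
FIRST = """\
rpc.gssd[13207]: Success getting keytab entry for 'root/devbox.ad.ismell.org@AD.ISMELL.ORG'
rpc.gssd[13207]: WARNING: Client not found in Kerberos database while getting initial ticket for principal 'root/devbox.ad.ismell.org@AD.ISMELL.ORG' using keytab 'WRFILE:/etc/krb5.keytab'
rpc.gssd[13207]: ERROR: No credentials found for connection to server staypuft.ad.ismell.org
"""
SECOND = """\
rpc.gssd[13014]: Success getting keytab entry for 'DEVBOX$@AD.ISMELL.ORG'
rpc.gssd[13014]: Successfully obtained machine credentials for principal 'DEVBOX$@AD.ISMELL.ORG' stored in ccache 'FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG'
rpc.gssd[13014]: creating context with server nfs@staypuft.ad.ismell.org
rpc.gssd[13014]: WARNING: Failed to create machine krb5 context with any credentials cache for server staypuft.ad.ismell.org
"""

TGT_FAIL = re.compile(r"WARNING: (.+?) while getting initial ticket for principal '([^']+)'")
TGT_OK = re.compile(r"Successfully obtained machine credentials for principal '([^']+)' stored in ccache '([^']+)'")
CTX_TARGET = re.compile(r"creating context with server (\S+)")
CTX_FAIL = "Failed to create machine krb5 context with any credentials cache"


def hostbased_to_principal(name, realm):
    """Map a GSS-API host-based name (service@host) to service/host@REALM.
    Assumption: the caller supplies the realm."""
    service, _, host = name.partition("@")
    return f"{service}/{host}@{realm}"


def triage(log):
    """Report which Kerberos step failed in one rpc.gssd upcall."""
    result = {"stage": "unknown", "client": None, "ccache": None, "target": None, "reason": None}
    for line in log.splitlines():
        if m := TGT_FAIL.search(line):
            # The KDC rejected the keytab principal as a client.
            result.update(stage="initial-ticket", reason=m.group(1), client=m.group(2))
        elif m := TGT_OK.search(line):
            result.update(stage="tgt-obtained", client=m.group(1), ccache=m.group(2))
        elif (m := CTX_TARGET.search(line)) and result["client"]:
            realm = result["client"].rsplit("@", 1)[1]
            result["target"] = hostbased_to_principal(m.group(1), realm)
        elif CTX_FAIL in line and result["stage"] == "tgt-obtained":
            # A TGT exists, so the failure is in reaching the nfs service.
            result["stage"] = "gss-context"
    return result


if __name__ == "__main__":
    for sample in (FIRST, SECOND):
        print(triage(sample))
```

With the stage known, the next check differs: for initial-ticket, run kinit -k with the reported client principal against the same keytab; for gss-context, run kvno for the reported target principal with KRB5CCNAME set to the reported ccache to see the KDC's own error.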
All times are GMT