RPC: AUTH_GSS upcall timed out -- out of ideas

Andri aoeuid at gmail.com
Sat Oct 14 07:36:45 EDT 2006


Got a bit clearer view now thanks to this description:
http://www.citi.umich.edu/projects/nfsv4/gssd/

I've changed the client's FQDN to 'client.realm', server's FQDN to
'server.realm' and the realm to the REALM to present a clearer view, and
to hide a bit of internal info, as this is a publicly 'google-able' list
:) Realm is the uppercase version of the domainname as well.

Both:
------------------------------------------------------------------------------
# cat /etc/krb5.conf
[libdefaults]
    default_realm = REALM
    kdc_req_checksum_type = 2
    checksum_type = 2
    ccache_type = 1
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
[kdc]
    profile = /etc/krb5kdc/kdc.conf

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/krb5adm.log
    default = FILE:/var/log/krb5lib.log
[realms]
    REALM = {
        kdc = server.realm
        admin_server = server.realm
        default_domain = server.realm
     }
[domain_realm]
        .realm = REALM
        realm = REALM
[login]
    krb4_convert = 0

Server:
------------------------------------------------------------------------------
# rpc.svcgssd -vvvf
entering poll

# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   3 nfs/server.realm@REALM (DES cbc mode with CRC-32)
   3 host/server.realm@REALM (DES cbc mode with CRC-32)

# cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 88

[realms]
    REALM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        profile = /etc/krb5.conf
        admin_database_name = /var/lib/krb5kdc/kadm5_adb
        admin_database_lockfile = /var/lib/krb5kdc/kadm5_adb.lock
        kdc_ports = 88
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des-cbc-crc
        supported_enctypes = des-cbc-crc:normal des:v4
    }

kadmin.local:  listprincs
K/M@REALM
host/server.realm@REALM
host/client.realm@REALM
kadmin/admin@REALM
kadmin/changepw@REALM
kadmin/history@REALM
kadmin/server.realm@REALM
krbtgt/REALM@REALM
nfs/server.realm@REALM
nfs/client.realm@REALM
root/admin@REALM

# cat /etc/exports
/storage       10.0.1.1(ro,async,subtree_check)
/storage       gss/krb5(ro,async,subtree_check)
/storage       gss/krb5i(ro,async,subtree_check)
/storage       gss/krb5p(ro,async,subtree_check)

Client:
------------------------------------------------------------------------------
# rpc.gssd -vvvf
Using keytab file '/etc/krb5.keytab'
Processing keytab entry for principal 'host/client.realm@REALM'
We will NOT use this entry (host/client.realm@REALM)
Processing keytab entry for principal 'nfs/client.realm@REALM'
We will use this entry (nfs/client.realm@REALM)
Using (machine) credentials cache: 'FILE:/tmp/krb5cc_machine_REALM'
WARNING: gssd_obtain_kernel_krb5_info: Unable to open
'/var/lib/nfs/rpc_pipefs/nfs/krb5_info'. Unable to determine Kerberos
encryption types supported by the kernel; using defaults (1,3,2).

# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   3 host/client.realm@REALM  (DES cbc mode with CRC-32)
   3 nfs/client.realm@REALM  (DES cbc mode with CRC-32)

# mount -t nfs4 -o sec=krb5,ro server.realm:/storage /krb
mount: Connection timed out

# tail -2 /var/log/messages
Oct 14 14:24:00 client RPC: AUTH_GSS upcall timed out.
Oct 14 14:24:00 client Please check user daemon is running!

------------------------------------------------------------------------------
That should be all I could think of. Hopefully this is a 'you forgot to
do command X and misunderstood that' sort of issue, otherwise I might
never get this to work :)


Thanks in advance again!


Andri


Kevin Coffman wrote:
> On 10/13/06, Andri <aoeuid at gmail.com> wrote:
>> Hey!
>>
>> Been wrestling with Kerberos and NFS for the last few days, and haven't
>> been successful yet, so I'm hoping someone with a bit more knowledge
>> could point out the thing I've missed :)
>>
>> Trying to connect a Gentoo machine (client) with a Debian Etch (server,
>> NFS and Kerberos), yet every time I'm greeted with:
>> RPC: AUTH_GSS upcall timed out.
>> Please check user daemon is running!
>> -- in the syslog when trying to mount. NFS without -o sec=krb5 works
>> fine.
>>
>> I don't have prior experience with Kerberos, so I'm not very sure what
>> each service does, as I haven't found that much info on the internals of
>> it all.. yet:
>> Just in case I ran rpc.gssd on both, rpc.svcgssd runs on the server,
>> idmap, and other also, which all get executed by the init.d nfs, krb5
>> scripts.
>> I created both the host/client@REALM and nfs/client@REALM princs, and
>> exported them both to a /etc/krb5.keytab on the client, then added the
>> (host/nfs)/server@REALM and exported them to the server's
>> /etc/krb5.keytab.
>> Kinit seems to work, also starting gssd on the client prints this to the
>> krb5 log files on the server, so I take it that at least something works
>> (if, of course, I'm interpreting it correctly :)):
>> krb5kdc[24413](info): AS_REQ (1 etypes {1}) 10.0.1.1: ISSUE: authtime
>> 1160771109, etypes {rep=1 tkt=1 ses=1}, nfs/client@REALM for
>> krbtgt/REALM@REALM
>>
>> I've tried to follow the few HOWTO-s I've found on the Kerberos and NFS
>> subject, and even found a posting about that upcall failed error that
>> someone was connecting with a missing /etc/hosts entry, but those
>> haven't yet helped me solve the issue, unfortunately.
>>
>> I can see some packets moving: the last before the FIN packets from the
>> client's side are NFS NULL packets -- the server sends a null reply to a
>> request, but as I'm not familiar with the NFS protocol, don't know if
>> that's important.
>>
>> If it's of any help, I'll add the versions of the packages I could see
>> and find being relevant.
>> Debian Etch (server):
>> nfs-kernel-server/etch uptodate 1:1.0.10-1
>> nfs-common/etch uptodate 1:1.0.10-1
>> libnfsidmap2/etch uptodate 0.17-3
>> libgssapi2/etch uptodate 0.10-3
>> librpcsecgss3/etch uptodate 0.14-2
>>
>> Gentoo (client) has:
>> net-fs/nfs-utils v1.0.10
>> sys-kernel/gentoo-sources v2.6.18 with CONFIG_RPCSEC_GSS_KRB5=y
>> net-libs/librpcsecgss v0.14-r1
>> app-crypt/libgssapi v0.10
>> net-libs/libnfsidmap v0.17
>>
>> Gssd on the client also throws a warning:
>> WARNING: gssd_obtain_kernel_krb5_info: Unable to open
>> '/var/lib/nfs/rpc_pipefs/nfs/krb5_info'. Unable to determine Kerberos
>> encryption types supported by the kernel; using defaults (1,3,2).
>> ..yet reading it on this list says that's not important.
>>
>> Hopefully someone can point out the single thing I've missed that would
>> make everything work as a charm.
>>
>>
>> Thank you in advance!
>>
>>
>> Andri
> 
> Please send the (remaining) info requested here:
> http://www.citi.umich.edu/projects/nfsv4/linux/faq/#kerberos
> 
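
An added consistency check for the three listings posted above (example code, not part of the original post or of nfs-utils): it compares the enctypes in krb5.conf, the KDC's supported_enctypes and the key types shown by klist -e -k, and returns keytab entries that fall outside any of the configured lists. The function names, the klist description table and the abbreviated sample input are assumptions constructed for this example.

```python
import re

# klist -e descriptions -> enctype names (MIT krb5 strings; extend as needed)
KLIST_DESC = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac",
}

def conf_enctypes(text, key):
    """Return the enctype names listed for `key` in krb5.conf/kdc.conf text."""
    found = set()
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            # kdc.conf entries look like 'des-cbc-crc:normal'; drop the salt part
            found |= {v.split(":")[0] for v in re.split(r"[\s,]+", value.strip()) if v}
    return found

def keytab_entries(klist_text):
    """Parse `klist -e -k` output into (principal, enctype) pairs."""
    entries = []
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(.+?)\s+\((.+)\)\s*$", line)
        if m:
            entries.append((m.group(1), KLIST_DESC.get(m.group(2), m.group(2))))
    return entries

def mismatches(krb5_conf, kdc_conf, klist_text):
    """Keytab keys whose enctype is absent from a configured enctype list."""
    lists = [conf_enctypes(krb5_conf, "default_tkt_enctypes"),
             conf_enctypes(krb5_conf, "default_tgs_enctypes"),
             conf_enctypes(kdc_conf, "supported_enctypes")]
    # An empty set means the key is unset (library defaults apply): skip it
    return [(p, e) for p, e in keytab_entries(klist_text)
            if any(s and e not in s for s in lists)]

# Constructed sample input, abbreviated from the listings in the post
KRB5_CONF = """[libdefaults]
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
"""
KDC_CONF = "    supported_enctypes = des-cbc-crc:normal des:v4\n"
KLIST = """KVNO Principal
   3 host/client.realm@REALM  (DES cbc mode with CRC-32)
   3 nfs/client.realm@REALM  (DES cbc mode with CRC-32)
"""

if __name__ == "__main__":
    print(mismatches(KRB5_CONF, KDC_CONF, KLIST) or "enctypes consistent")
```
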

