NFSv4 + Kerberos + users
Zoltan Menyhart
Zoltan.Menyhart at bull.net
Wed Jun 6 09:38:01 EDT 2007
> The rpc.gssd code in the recently released nfs-utils-1.1.0 has a new
> option (-n) to allow you to use principals other than nfs/<fqdn>@REALM
> for the mount. Our web page was updated yesterday to reference that
> release. Let me know if you have further questions about that.
I compiled and installed nfs-utils-1.1.0 (with libgssapi-0.11) on
Red Hat AS4 ia64 with gcc 3.4.6; the kernel is replaced with
linux-2.6.19-rc6 + linux-2.6.19-rc6-CITI_NFS4_ALL-1.diff
(on both the client / server sides)
I did a kinit as root; "telnet -a ..." works.
I started up gssd as a daemon: "rpc.gssd -m -vvv -rrr -n".
I have this in my fstab on the client machine:
lucy2_10g:/ /imports nfs4 sec=krb5,rw,nodev,sync,proto=tcp,retry=10,rsize=32768,wsize=32768,hard,intr 0 0
I issue "mount /imports". (This is what worked with nfs-utils-1.0.11 +
nfs-utils-1.0.11-CITI_NFS4_ALL-1.diff.)
Now, using nfs-utils-1.1.0, in most cases gssd crashes; sometimes it refuses
access: "mount.nfs4: Permission denied".
When gssd survives, I get this in /var/log/messages:
...rpc.gssd[14385]:
beginning poll
handling krb5 upcall
getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_0' being considered
CC file 'krb5cc_0' matches owner check and has mtime of 1180944814
using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_0
creating context using fsuid 0 (save_uid 0)
creating tcp client for server lucy2_10g.frec.bull.fr
creating context with server nfs@lucy2_10g.frec.bull.fr
rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 32
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
doing error downcall
destroying client clnt76
handling krb5 upcall
getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_0' being considered
CC file 'krb5cc_0' matches owner check and has mtime of 1181132577
using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_0
creating context using fsuid 0 (save_uid 0)
creating tcp client for server lucy2_10g.frec.bull.fr
WARNING: can't create tcp rpc_clnt for server lucy2_10g.frec.bull.fr for user with uid 0: RPC: Authentication error
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
doing error downcall
destroying client clnt77
Curiously, executing gssd in the foreground as "rpc.gssd -m -vvv -rrr -n -f"
does not produce a core dump on the crash (I have "ulimit -c" set to 1000000).
Executing it under gdb:
(gdb) run -m -vvv -rrr -n -f
Starting program: /home/nfsv4/nfs-utils-1.1.0/utils/gssd/gssd -m -vvv -rrr -n -f
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xa000000000000000
beginning poll
Program received signal SIG37, Real-time event 37.
0xa000000000010641 in __kernel_syscall_via_break ()
(gdb) c
Continuing.
handling krb5 upcall
getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_machine_FREC.BULL.FR' being considered
CC file 'krb5cc_machine_FREC.BULL.FR' matches owner check and has mtime of 1181134859
using FILE:/tmp/krb5cc_machine_FREC.BULL.FR as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_FREC.BULL.FR
creating context using fsuid 0 (save_uid 0)
creating tcp client for server lucy2_10g.frec.bull.fr
creating context with server nfs@lucy2_10g.frec.bull.fr
Program received signal SIGSEGV, Segmentation fault.
0x20000000004ab7b0 in xdr_accepted_reply_internal () from /lib/tls/libc.so.6.1
(gdb) bt
#0 0x20000000004ab7b0 in xdr_accepted_reply_internal ()
from /lib/tls/libc.so.6.1
#1 0x20000000004b4d00 in xdr_union_internal () from /lib/tls/libc.so.6.1
#2 0x20000000004ab9d0 in xdr_replymsg_internal () from /lib/tls/libc.so.6.1
#3 0x20000000000855e0 in clnttcp_call (h=0x6000000000021e30, proc=Variable "proc" is not available.)
at clnt_tcp.c:293
#4 0x2000000000078060 in authgss_refresh (auth=0x6000000000033c00)
at auth_gss.c:516
#5 0x2000000000078af0 in authgss_create (clnt=0x6000000000021e30,
name=0x6000000000033c60, sec=0x600ffffffd5deee8) at auth_gss.c:220
#6 0x2000000000078cc0 in authgss_create_default (clnt=0x6000000000021e30,
service=0x6000000000021d50 "nfs@lucy2_10g.frec.bull.fr",
sec=0x600ffffffd5deee0) at auth_gss.c:253
#7 0x4000000000008110 in create_auth_rpc_client (clp=0x60000000000217a0,
clnt_return=0x600ffffffd5df3c8, auth_return=0x600ffffffd5df3d0, uid=0,
authtype=Variable "authtype" is not available.) at gssd_proc.c:629
#8 0x4000000000008670 in handle_krb5_upcall (clp=0x60000000000217a0)
at gssd_proc.c:696
#9 0x40000000000057f0 in gssd_run () at gssd_main_loop.c:76
#10 0x40000000000050c0 in main (argc=6, argv=0x600ffffffd5df708) at gssd.c:168
Have I got all the required libs?
ldd gssd:
linux-gate.so.1 => (0xa000000000000000)
librpcsecgss.so.1 => /usr/lib/librpcsecgss.so.1 (0x2000000000070000)
libgssapi.so.2 => /usr/lib/libgssapi.so.2 (0x20000000000a0000)
libdl.so.2 => /lib/libdl.so.2 (0x20000000000c0000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x20000000000e0000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x2000000000120000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x2000000000210000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x2000000000260000)
libresolv.so.2 => /lib/libresolv.so.2 (0x2000000000280000)
libc.so.6.1 => /lib/tls/libc.so.6.1 (0x20000000002c0000)
/lib/ld-linux-ia64.so.2 (0x2000000000000000)
Thanks,
Zoltan
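The rpc.gssd debug output quoted in the message above lends itself to automated triage. The following Python is an added example, not code from nfs-utils, from CITI or from the poster: it splits gssd's -vvv output into one record per krb5 upcall, separates a failure inside gss_init_sec_context (the client could not build a context from the ticket it found in its credential cache) from a failure of the RPCSEC_GSS init call to the server ("RPC: Authentication error", which is a rejection by the server), and decodes the raw minor code that com_err could not name. In MIT's "krb5" error table, which follows the KRB-ERROR numbers of RFC 4120, code 32 is KRB5KRB_AP_ERR_TKT_EXPIRED; that lookup is my reading of the number, not a diagnosis offered in the thread. The sample log reuses the lines from the post; the third upcall (uid 500, a successful context) and the use of "doing downcall" as the success marker are constructed assumptions for the example, not output shown on the page.

```python
import re

# The first two upcalls are the rpc.gssd -vvv -rrr lines quoted in the post
# (syslog prefix stripped). The third upcall is CONSTRUCTED for this example
# so the success branch is exercised; treating "doing downcall" as the
# success marker is an assumption, not something the post shows.
SAMPLE_LOG = """\
beginning poll
handling krb5 upcall
getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_0' being considered
CC file 'krb5cc_0' matches owner check and has mtime of 1180944814
using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
creating context using fsuid 0 (save_uid 0)
creating tcp client for server lucy2_10g.frec.bull.fr
creating context with server nfs@lucy2_10g.frec.bull.fr
rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 32
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
doing error downcall
destroying client clnt76
handling krb5 upcall
getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_0' being considered
CC file 'krb5cc_0' matches owner check and has mtime of 1181132577
using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
creating context using fsuid 0 (save_uid 0)
creating tcp client for server lucy2_10g.frec.bull.fr
WARNING: can't create tcp rpc_clnt for server lucy2_10g.frec.bull.fr for user with uid 0: RPC: Authentication error
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
doing error downcall
destroying client clnt77
handling krb5 upcall
getting credentials for client with uid 500 for server lucy2_10g.frec.bull.fr
using FILE:/tmp/krb5cc_500 as credentials cache for client with uid 500 for server lucy2_10g.frec.bull.fr
creating context with server nfs@lucy2_10g.frec.bull.fr
doing downcall
destroying client clnt78
"""

# Numbers from the MIT "krb5" error table, which follow the KRB-ERROR codes
# of RFC 4120. com_err prints "Unknown code krb5 N" when the program that
# formats the error has not loaded that table, so only the number survives.
KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB5KRB_AP_ERR_TKT_EXPIRED",
    33: "KRB5KRB_AP_ERR_TKT_NYV",
    37: "KRB5KRB_AP_ERR_SKEW",
    41: "KRB5KRB_AP_ERR_MODIFIED",
    45: "KRB5KRB_AP_ERR_NOKEY",
}

RE_UPCALL = re.compile(r"^getting credentials for client with uid (\d+) for server (\S+)$")
RE_CCACHE = re.compile(r"^using (\S+) as credentials cache ")
RE_GSS_FAIL = re.compile(r"gss_init_sec_context: \(major\) (.*?) - \(minor\) (.*)$")
RE_KRB5_CODE = re.compile(r"Unknown code krb5 (\d+)")
RE_RPC_FAIL = re.compile(r"^WARNING: can't create tcp rpc_clnt for server (\S+) .*: (RPC: .*)$")


def krb5_error_name(code):
    """Map a raw 'Unknown code krb5 N' number to its MIT / RFC 4120 symbol."""
    return KRB5_ERROR_NAMES.get(code, "krb5 code %d (not in local table)" % code)


def parse_gssd_log(text):
    """Split rpc.gssd debug output into one record per krb5 upcall.

    Outcome is one of 'ok', 'gss_init_sec_context' (client-side: no usable
    context from the selected ccache), 'rpc_clnt' (the server rejected the
    RPCSEC_GSS init call) or 'incomplete' (the log ended mid-upcall, e.g.
    because the daemon died).
    """
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "handling krb5 upcall":
            if cur is not None:
                records.append(cur)
            cur = {"uid": None, "server": None, "ccache": None,
                   "outcome": "incomplete", "detail": ""}
            continue
        if cur is None:
            continue
        m = RE_UPCALL.match(line)
        if m:
            cur["uid"], cur["server"] = int(m.group(1)), m.group(2)
            continue
        m = RE_CCACHE.match(line)
        if m:
            cur["ccache"] = m.group(1)
            continue
        m = RE_GSS_FAIL.search(line)
        if m:
            cur["outcome"] = "gss_init_sec_context"
            code = RE_KRB5_CODE.search(m.group(2))
            cur["detail"] = (krb5_error_name(int(code.group(1))) if code
                             else "%s / %s" % (m.group(1), m.group(2)))
            continue
        m = RE_RPC_FAIL.match(line)
        if m:
            # A ticket was found and sent; the rejection came from the server,
            # so the keytab/principal on the server side is the place to look.
            cur["outcome"], cur["detail"] = "rpc_clnt", m.group(2)
            continue
        if line == "doing downcall" and cur["outcome"] == "incomplete":
            cur["outcome"] = "ok"
        elif line.startswith("destroying client"):
            records.append(cur)
            cur = None
    if cur is not None:
        records.append(cur)
    return records


def summarize(records):
    """Count outcomes per (server, uid) so a flapping mount stands out."""
    counts = {}
    for r in records:
        key = (r["server"], r["uid"], r["outcome"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for r in parse_gssd_log(SAMPLE_LOG):
        print("uid=%s server=%s ccache=%s outcome=%s %s" % (
            r["uid"], r["server"], r["ccache"], r["outcome"], r["detail"]))
```

Feed it the output of "rpc.gssd -f -vvv -rrr" (or the syslog lines with the prefix stripped); an "incomplete" record at the end of the file is the signature of the daemon dying inside an upcall, which matches the crash-without-core behaviour described in the message.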