NFSv4 + Kerberos + users

Kevin Coffman kwc at citi.umich.edu
Thu Jun 7 08:55:10 EDT 2007


Sorry for the delay.  The error "(minor) Unknown code krb5 32" is
"Decrypt integrity check failed", which normally means the wrong
password (or wrong key) was used.

I thought all the 64-bit issues had already been fixed.  Which version
of librpcsecgss do you have?  I'll try to get on our ia64 machine to
reproduce the segfault.

K.C.

On 6/6/07, Zoltan Menyhart <Zoltan.Menyhart at bull.net> wrote:
> > The rpc.gssd code in the recently released nfs-utils-1.1.0 has a new
> > option (-n) to allow you to use principals other than nfs/<fqdn>@REALM
> > for the mount.  Our web page was updated yesterday to reference that
> > release.  Let me know if you have further questions about that.
>
> I compiled / installed nfs-utils-1.1.0 using and libgssapi-0.11 on
> Redhat AS4 ia64 with the gcc 3.4.6, the kernel is replaced with
> linux-2.6.19-rc6 + linux-2.6.19-rc6-CITI_NFS4_ALL-1.diff
> (on both the client / server sides)
>
> I did a kinit as root, the telnet -a ... works.
> I started up gssd as a daemon: "rpc.gssd -m -vvv -rrr -n".
> I've got in my fstab on the client machine:
>
> lucy2_10g:/  /imports  nfs4  sec=krb5,rw,nodev,sync,proto=tcp,retry=10,rsize=32768,wsize=32768,hard,intr 0 0
>
> I issue: "mount /imports". (This is what worked using nfs-utils-1.0.11 +
> nfs-utils-1.0.11-CITI_NFS4_ALL-1.diff.)
>
> Now using nfs-utils-1.1.0, in most cases gssd crashes; sometimes it refuses
> access: "mount.nfs4: Permission denied".
>
> When gssd survives, I got this in /var/log/messages:
>
> ...rpc.gssd[14385]:
> beginning poll
> handling krb5 upcall
> getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
> CC file 'krb5cc_0' being considered
> CC file 'krb5cc_0' matches owner check and has mtime of 1180944814
> using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_0
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server lucy2_10g.frec.bull.fr
> creating context with server nfs at lucy2_10g.frec.bull.fr
> rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 32
> WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
> WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
> doing error downcall
> destroying client clnt76
> handling krb5 upcall
> getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
> CC file 'krb5cc_0' being considered
> CC file 'krb5cc_0' matches owner check and has mtime of 1181132577
> using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_0
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server lucy2_10g.frec.bull.fr
> WARNING: can't create tcp rpc_clnt for server lucy2_10g.frec.bull.fr for user with uid 0: RPC: Authentication error
> WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
> doing error downcall
> destroying client clnt77
>
> Curiously, executing gssd in foreground as "rpc.gssd -m -vvv -rrr -n -f",
> does not produce a core dump on crash (I've got "ulimit -c" 1000000).
> Executing it under gdb:
>
> (gdb) run -m -vvv -rrr -n -f
> Starting program: /home/nfsv4/nfs-utils-1.1.0/utils/gssd/gssd -m -vvv -rrr -n -f
> Reading symbols from shared object read from target memory...done.
> Loaded system supplied DSO at 0xa000000000000000
> beginning poll
>
> Program received signal SIG37, Real-time event 37.
> 0xa000000000010641 in __kernel_syscall_via_break ()
> (gdb) c
> Continuing.
> handling krb5 upcall
> getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
> CC file 'krb5cc_machine_FREC.BULL.FR' being considered
> CC file 'krb5cc_machine_FREC.BULL.FR' matches owner check and has mtime of 1181134859
> using FILE:/tmp/krb5cc_machine_FREC.BULL.FR as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_FREC.BULL.FR
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server lucy2_10g.frec.bull.fr
> creating context with server nfs at lucy2_10g.frec.bull.fr
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x20000000004ab7b0 in xdr_accepted_reply_internal () from /lib/tls/libc.so.6.1
>
> (gdb) bt
> #0  0x20000000004ab7b0 in xdr_accepted_reply_internal ()
>    from /lib/tls/libc.so.6.1
> #1  0x20000000004b4d00 in xdr_union_internal () from /lib/tls/libc.so.6.1
> #2  0x20000000004ab9d0 in xdr_replymsg_internal () from /lib/tls/libc.so.6.1
> #3  0x20000000000855e0 in clnttcp_call (h=0x6000000000021e30, proc=Variable "proc" is not available.)
>     at clnt_tcp.c:293
> #4  0x2000000000078060 in authgss_refresh (auth=0x6000000000033c00)
>     at auth_gss.c:516
> #5  0x2000000000078af0 in authgss_create (clnt=0x6000000000021e30,
>     name=0x6000000000033c60, sec=0x600ffffffd5deee8) at auth_gss.c:220
> #6  0x2000000000078cc0 in authgss_create_default (clnt=0x6000000000021e30,
>     service=0x6000000000021d50 "nfs at lucy2_10g.frec.bull.fr",
>     sec=0x600ffffffd5deee0) at auth_gss.c:253
> #7  0x4000000000008110 in create_auth_rpc_client (clp=0x60000000000217a0,
>     clnt_return=0x600ffffffd5df3c8, auth_return=0x600ffffffd5df3d0, uid=0,
>     authtype=Variable "authtype" is not available.) at gssd_proc.c:629
> #8  0x4000000000008670 in handle_krb5_upcall (clp=0x60000000000217a0)
>     at gssd_proc.c:696
> #9  0x40000000000057f0 in gssd_run () at gssd_main_loop.c:76
> #10 0x40000000000050c0 in main (argc=6, argv=0x600ffffffd5df708) at gssd.c:168
>
> Have I got all the required libs?
>
> ldd gssd:
>         linux-gate.so.1 =>  (0xa000000000000000)
>         librpcsecgss.so.1 => /usr/lib/librpcsecgss.so.1 (0x2000000000070000)
>         libgssapi.so.2 => /usr/lib/libgssapi.so.2 (0x20000000000a0000)
>         libdl.so.2 => /lib/libdl.so.2 (0x20000000000c0000)
>         libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x20000000000e0000)
>         libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x2000000000120000)
>         libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x2000000000210000)
>         libcom_err.so.2 => /lib/libcom_err.so.2 (0x2000000000260000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x2000000000280000)
>         libc.so.6.1 => /lib/tls/libc.so.6.1 (0x20000000002c0000)
>         /lib/ld-linux-ia64.so.2 (0x2000000000000000)
>
> Thanks,
>
> Zoltan
>
>

