NFSv4 + Kerberos + users
Zoltan Menyhart
Zoltan.Menyhart at bull.net
Fri Jun 22 05:16:31 EDT 2007
Kevin Coffman wrote:
> It might be interesting to see what messages svcgssd produced on the
> server for this error.
I re-created the problem:
# su - linux
$ kinit
Password for linux at FREC.BULL.FR:
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: linux at FREC.BULL.FR
Valid starting Expires Service principal
06/22/07 10:41:29 06/23/07 10:41:26 krbtgt/FREC.BULL.FR at FREC.BULL.FR
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
$ logout
# kinit
Password for root at FREC.BULL.FR:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root at FREC.BULL.FR
Valid starting Expires Service principal
06/22/07 10:42:47 06/23/07 10:42:44 krbtgt/FREC.BULL.FR at FREC.BULL.FR
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
# mount lucy2_10g:/
mount.nfs4: Permission denied
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root at FREC.BULL.FR
Valid starting Expires Service principal
06/22/07 10:42:47 06/23/07 10:42:44 krbtgt/FREC.BULL.FR at FREC.BULL.FR
06/22/07 10:42:53 06/23/07 10:42:44 nfs/lucy2_10g.frec.bull.fr at FREC.BULL.FR
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Repeating the mount command re-creates the error.
Here is what gssd (running in the foreground) says:
handling krb5 upcall
getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_500' being considered
'/tmp/krb5cc_500' owned by 500, not 0
CC file 'krb5cc_machine_FREC.BULL.FR' being considered
CC file 'krb5cc_machine_FREC.BULL.FR' matches owner check and has mtime of 1181136512
CC file 'krb5cc_0' being considered
CC file 'krb5cc_0' matches owner check and has mtime of 1182501767
CC file 'krb5cc_0' is our current best match with mtime of 1182501767
using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_0
creating context using fsuid 0 (save_uid 0)
creating tcp client for server lucy2_10g.frec.bull.fr
creating context with server nfs at lucy2_10g.frec.bull.fr
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
doing error downcall
Here is what svcgssd says (from the /var/log/messages, the prefix
"Jun 22 10:42:53 lucy2 rpc.svcgssd[19713]:" removed):
leaving poll
handling null request
readline: read 940 chars into buffer of size 2048: \x \x608201cf06092a864886f71201020201006e8201be308201baa003020105a10302010ea20703050020000000a381fb6181f83081f5a003020105a10e1b0c465245432e42554c4c2e4652a2283026a003020103a11f301d1b036e66731b166c756379325f3130672e667265632e62756c6c2e6672a381b33081b0a003020101a103020105a281a30481a0d5bfdb65a58da872809729909a7c0d0a8b4b5d39b116fad46d8a7b34c04c1460673fd1bf4363510424ff2291880e2d8da2cab85dde370e206570cac7fd9cc17ef5ee567e932ec10282cf15448e78e1abb92...
in_handle:
length 0
in_tok:
length 467
sname = root at FREC.BULL.FR
nss_getpwnam: name 'root at FREC.BULL.FR' domain '(null)': resulting localname 'root'
nss_getpwnam: name 'root at FREC.BULL.FR' domain '(null)': resulting localname 'root'
serialize_krb5_ctx: serializing keys with enctype 4 and length 8
doing downcall
\x02000000 2147483647 0 0 7 0 1 2 3 4 6 10 krb5 \x000000000000000000000000000000000000000000000000000000000000000004dd7c46ace4ea33090000002a864886f7120102020400000008000000203707431a52a22f0400000008000000d0c7f7b3eaa252df
sending null reply
writing message: \x \x608201cf06092a864886f71201020201006e8201be308201baa003020105a10302010ea20703050020000000a381fb6181f83081f5a003020105a10e1b0c465245432e42554c4c2e4652a2283026a003020103a11f301d1b036e66731b166c756379325f3130672e667265632e62756c6c2e6672a381b33081b0a003020101a103020105a281a30481a0d5bfdb65a58da872809729909a7c0d0a8b4b5d39b116fad46d8a7b34c04c1460673fd1bf4363510424ff2291880e2d8da2cab85dde370e206570cac7fd9cc17ef5ee567e932ec10282cf15448e78e1abb92138b7657bd0156480486436d5a7a83e502...
finished handling null request
entering poll
The /etc/fstab includes:
lucy2_10g:/ /imports nfs4 sec=krb5,rw,nodev,sync,proto=tcp,retry=10,rsize=32768,wsize=32768,hard,intr 0 0
The /etc/exports:
/export gss/krb5(sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534)
/export/sdb6 gss/krb5(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534)
In order to break out from this trap, I have to destroy the credentials of linux:
# su - linux
$ kdestroy
$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
$ logout
# mount lucy2_10g:/
Now it works:
handling krb5 upcall
getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_machine_FREC.BULL.FR' being considered
CC file 'krb5cc_machine_FREC.BULL.FR' matches owner check and has mtime of 1181136512
CC file 'krb5cc_0' being considered
CC file 'krb5cc_0' matches owner check and has mtime of 1182503308
CC file 'krb5cc_0' is our current best match with mtime of 1182503308
using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_0
creating context using fsuid 0 (save_uid 0)
creating tcp client for server lucy2_10g.frec.bull.fr
creating context with server nfs at lucy2_10g.frec.bull.fr
serialize_krb5_ctx: serializing keys with enctype 4 and length 8
doing downcall
leaving poll
handling null request
readline: read 940 chars into buffer of size 2048: \x \x608201cf06092a864886f71201020201006e8201be308201baa003020105a10302010ea20703050020000000a381fb6181f83081f5a003020105a10e1b0c465245432e42554c4c2e4652a2283026a003020103a11f301d1b036e66731b166c756379325f3130672e667265632e62756c6c2e6672a381b33081b0a003020101a103020105a281a30481a0920726229e3d7c5807eb735204e7391e36b9dc597bc27c53a7b6dc97130781e6cacab0eb2e305bea7f63f2dcfdde781ec4eb9cb892f81a3627ef3061f5b58a671cf82956cf186f542abfa7cf81e00a347b3...
in_handle:
length 0
in_tok:
length 467
Jun22 11:09:38 lucy2 rpc.svcgssd[19713]: sname = root at FREC.BULL.FR
Jun22 11:09:38 lucy2 rpc.svcgssd[19713]: nss_getpwnam: name 'root at FREC.BULL.FR' domain '(null)': resulting localname 'root'
Jun22 11:09:38 lucy2 rpc.svcgssd[19713]: nss_getpwnam: name 'root at FREC.BULL.FR' domain '(null)': resulting localname 'root'
Jun22 11:09:38 lucy2 rpc.svcgssd[19713]: serialize_krb5_ctx: serializing keys with enctype 4 and length 8
Jun22 11:09:38 lucy2 rpc.svcgssd[19713]: doing downcall
Jun22 11:09:38 lucy2 rpc.svcgssd[19713]: \x09000000 2147483647 0 0 7 0 1 2 3 4 6 10 krb5 \x000000000000000000000000000000000000000000000000000000000000000003e37c4643043919090000002a864886f7120102020400000008000000b65452e65273104c040000000800000046a4a216a283e0bc
Jun22 11:09:38 lucy2 rpc.svcgssd[19713]: sending null reply
Jun22 11:09:38 lucy2 rpc.svcgssd[19713]: writing message: \x \x608201cf06092a864886f71201020201006e8201be308201baa003020105a10302010ea20703050020000000a381fb6181f83081f5a003020105a10e1b0c465245432e42554c4c2e4652a2283026a003020103a11f301d1b036e66731b166c756379325f3130672e667265632e62756c6c2e6672a381b33081b0a003020101a103020105a281a30481a0920726229e3d7c5807eb735204e7391e36b9dc597bc27c53a7b6dc97130781e6cacab0eb2e305bea7f63f2dcfdde781ec4eb9cb892f81a3627ef3061f5b58a671cf82956cf186f542abfa7cf81e00a347b3068480cfea4d56f473c5da8ce2de3b93c5...
Jun22 11:09:38 lucy2 rpc.svcgssd[19713]: finished handling null request
Jun22 11:09:38 lucy2 kernel: kernel unaligned access to 0xe000000838c10027, ip=0xa000000204be0e51
Jun22 11:09:38 lucy2 rpc.svcgssd[19713]: entering poll
I use the un-tar'ed libs + nfs-utils you sent me.
Thanks,
Zoltan
FYI... I'll be away next week :-(
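
Added example, not part of the original message and not nfs-utils code: a small parser for the gssd foreground output shown above. It groups lines by upcall and reports which credentials cache was chosen, whether context creation failed, and which caches were skipped for belonging to another uid. The names `summarize_upcalls` and `report` are hypothetical; the sample lines are copied from the failing run in the post.

```python
import re

# rpc.gssd foreground output copied from the failing run in the post
# (trimmed excerpt; lines the rules below do not match are ignored).
FAILING_RUN = """\
handling krb5 upcall
getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_500' being considered
'/tmp/krb5cc_500' owned by 500, not 0
CC file 'krb5cc_machine_FREC.BULL.FR' being considered
CC file 'krb5cc_machine_FREC.BULL.FR' matches owner check and has mtime of 1181136512
CC file 'krb5cc_0' being considered
CC file 'krb5cc_0' matches owner check and has mtime of 1182501767
CC file 'krb5cc_0' is our current best match with mtime of 1182501767
using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
doing error downcall
"""

# One regex per message type seen in the post's gssd output.
RULES = {
    "considered": re.compile(r"^CC file '(?P<cc>[^']+)' being considered$"),
    "wrong_owner": re.compile(r"^'(?P<path>[^']+)' owned by (?P<owner>\d+), not (?P<uid>\d+)$"),
    "owner_ok": re.compile(r"^CC file '(?P<cc>[^']+)' matches owner check and has mtime of (?P<mtime>\d+)$"),
    "selected": re.compile(r"^using (?P<ccache>FILE:\S+) as credentials cache for client with uid (?P<uid>\d+) "),
    "failed": re.compile(r"^WARNING: Failed to create krb5 context for user with uid (?P<uid>\d+) "),
}

def summarize_upcalls(text):
    """Group gssd debug lines by upcall and classify each recognised line."""
    upcalls = []
    for line in map(str.strip, text.splitlines()):
        if line == "handling krb5 upcall":
            upcalls.append({kind: [] for kind in RULES})
            continue
        if not upcalls:
            continue  # output that precedes the first upcall
        for kind, rx in RULES.items():
            m = rx.match(line)
            if m:
                upcalls[-1][kind].append(m.groupdict())
    return upcalls

def report(upcall):
    """One-line triage summary: outcome, chosen cache, caches skipped by owner."""
    chosen = upcall["selected"][0]["ccache"] if upcall["selected"] else None
    skipped = [r["path"] for r in upcall["wrong_owner"]]
    outcome = "FAILED" if upcall["failed"] else "ok"
    return f"{outcome}: ccache={chosen} skipped_foreign={skipped}"

if __name__ == "__main__":
    for u in summarize_upcalls(FAILING_RUN):
        print(report(u))
```

Running the same functions over the gssd output of the working mount gives a summary that can be compared line for line with the failing one.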