problems with sec=krb5
Rohit Kumar Mehta
rohitm at engr.uconn.edu
Wed Mar 28 13:35:29 EDT 2007
I noticed there were quite a few rpc.gssd processes running so I
rebooted, and now it appears to have made the correct
krb5cc_machine_AD.ENGR.UCONN.EDU file.
The behavior is still similar, however. (sec=sys mounts work, but
sec=krb5 mounts do not). I'm not sure why I'm getting the warning about
rpc.gssd not running when it clearly is running as well.
root@cselin12:~# mount -t nfs4 -o sec=krb5 filesm:/StaffDirectories/nfs/rohitm /home/rohitm
Warning: rpc.gssd appears not to be running.
mount: block device filesm:/StaffDirectories/nfs/rohitm is write-protected, mounting read-only
Warning: rpc.gssd appears not to be running.
mount: cannot mount block device filesm:/StaffDirectories/nfs/rohitm read-only
root@cselin12:~# ps awwux |grep rpc.gssd
root      3841  0.0  0.1  11848  1552 ?        Ss   13:11   0:00 rpc.gssd -vvvv
Also in the daemon.log now we find some more interesting output:
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: processing client list
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: handling krb5 upcall
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: Using keytab file '/etc/krb5.keytab'
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU' are good until 1175137866
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: using FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU as credentials cache for machine creds
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: creating context using euid 0 (save_uid 0)
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: creating tcp client for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: creating context with server nfs@filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: WARNING: Failed to create krb5 context for user with uid 0 for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: doing error downcall
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: processing client list
Mar 28 13:21:18 cselin12 last message repeated 2 times
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: handling krb5 upcall
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: Using keytab file '/etc/krb5.keytab'
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU' are good until 1175137866
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: using FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU as credentials cache for machine creds
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: creating context using euid 0 (save_uid 0)
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: creating tcp client for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: creating context with server nfs@filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: WARNING: Failed to create krb5 context for user with uid 0 for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: doing error downcall
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: processing client list
I have the user rohitm's Kerberos credentials, and he owns all the files
in /StaffDirectories/nfs/rohitm. rohitm is also UID 6557 in NIS, but it
seems to be trying to use the ID of root, who is making the mount. I'm not
sure if there is some configuration problem I am missing here.
I believe I created the nfs/cselin service principal as des-cbc-crc:
root@cselin12:/etc# klist -e -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/cselin12.engr.uconn.edu@AD.ENGR.UCONN.EDU (DES cbc mode with RSA-MD5)
   9 nfs/cselin12.engr.uconn.edu@AD.ENGR.UCONN.EDU (DES cbc mode with CRC-32)
Now one thing I might have done wrong is mapping both the
host/cselin12.engr.uconn.edu and the nfs/cselin12.engr.uconn.edu service
principals to the same username in the Active Directory. I am not sure
if that is a problem or not.
Right now the nfs-utils is the standard one that comes with Ubuntu
Dapper. It appears to be 1.0.7-3ubuntu2.
Attached are the tcpdumps gssd.nfs.pcap (communications to the NFS server,
88 packets) and gssd.kdc.pcap (communications to the KDC, 0 packets).
Thanks so much for your help!
Rohit
Kevin Coffman wrote:
> On 3/28/07, Rohit Kumar Mehta <rohitm at engr.uconn.edu> wrote:
>
>>
>> I did create it in AD and add it to the /etc/krb5.keytab.
>>
>
> Your keytab looks OK (assuming that lone nfs key is des-cbc-crc)
> ("klist -e -k" as root)
> Your krb5.conf file looks OK.
>
> What version of nfs-utils are you using and what options are you
> specifying to gssd? If you have a newer version of nfs-utils and
> using a memory credentials cache, that may explain why the
> krb5cc_machine_REALM ccache is not being seen in /tmp. If that is the
> case, you might drop "-M" option temporarily until we figure out the
> problem.
>
> It would be interesting to see what kind of service ticket the client
> is requesting. Could you get a network trace from the client with
> traffic between it and both the KDC and the NFS server? Get the trace
> from gssd startup through the mount attempt.
> tcpdump -s0 -w /tmp/gssd.pcap host KDC-HOST or host NFS-SERVER
>
> K.C.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gssd.nfs.pcap
Type: application/octet-stream
Size: 10584 bytes
Desc: not available
Url : http://linux-nfs.org/pipermail/nfsv4/attachments/20070328/68f9fd36/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gssd.kdc.pcap
Type: application/octet-stream
Size: 24 bytes
Desc: not available
Url : http://linux-nfs.org/pipermail/nfsv4/attachments/20070328/68f9fd36/attachment-0001.obj
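The daemon.log excerpt in the message above is the kind of output rpc.gssd -vvvv produces for every krb5 upcall, and reading it by hand gets tedious once the sequence repeats. The script below is an added example, not code from the post or from nfs-utils: it groups a verbose gssd log into upcalls and reports, per upcall, the keytab and credentials cache used, when the cached credentials expire (gssd logs a bare epoch), the server and service principal targeted, and whether context creation failed. The sample input is the poster's log with the "@" that the list archive had printed as " at " restored; the field names and the parsing are this example's own.

```python
"""Triage a verbose (-vvvv) rpc.gssd log.

Groups the log into krb5 upcalls and reports, for each one, the keytab and
credentials cache gssd used, how long the cached credentials are valid, the
server and service principal it tried to reach, and whether the context
creation failed.  Added example: the parsing is this example's own, not
nfs-utils code; the sample lines are copied from the mailing-list post.
"""
import re
from datetime import datetime, timezone

# One upcall as it appears in the poster's daemon.log ('@' restored where the
# list archive had printed ' at ').
UPCALL = """\
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: processing client list
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: handling krb5 upcall
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: Using keytab file '/etc/krb5.keytab'
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU' are good until 1175137866
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: using FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU as credentials cache for machine creds
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: creating context using euid 0 (save_uid 0)
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: creating tcp client for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: creating context with server nfs@filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: WARNING: Failed to create krb5 context for user with uid 0 for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server filesm
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: doing error downcall
Mar 28 13:21:18 cselin12 rpc.gssd[3841]: processing client list
"""
# The post shows the sequence twice, separated by a syslog dedup marker.
SAMPLE_LOG = UPCALL + "Mar 28 13:21:18 cselin12 last message repeated 2 times\n" + UPCALL

# Classic syslog line; the "prog[pid]: " part is absent on "last message repeated".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: )?(?P<msg>.*)$")

# gssd messages that carry a field worth keeping; named groups become dict keys.
FIELD_RES = [re.compile(p) for p in (
    r"Using keytab file '(?P<keytab>[^']+)'",
    r"Credentials in CC '(?P<ccache>[^']+)' are good until (?P<expiry>\d+)",
    r"creating context using euid (?P<euid>\d+)",
    r"creating tcp client for server (?P<server>\S+)",
    r"creating context with server (?P<target>\S+)",
)]


def parse_gssd_log(text):
    """Return one dict per krb5 upcall found in the log text."""
    upcalls, cur = [], None
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue                          # not a syslog line
        msg = m["msg"]
        if msg == "handling krb5 upcall":     # every upcall opens with this line
            cur = {"ts": m["ts"], "pid": m["pid"], "failures": [],
                   "error_downcall": False}
            upcalls.append(cur)
            continue
        if cur is None or m["prog"] != "rpc.gssd":
            continue                          # chatter before the first upcall, or
                                              # syslog's own "last message repeated"
        for pat in FIELD_RES:
            f = pat.search(msg)
            if f:
                cur.update(f.groupdict())
                break
        else:
            if msg.startswith("WARNING: Failed to create krb5 context"):
                cur["failures"].append(msg[len("WARNING: "):])
            elif msg == "doing error downcall":
                cur["error_downcall"] = True  # gssd reported the failure to the kernel
    return upcalls


def expiry_utc(upcall):
    """gssd logs 'good until <epoch>'; return it as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(int(upcall["expiry"]), tz=timezone.utc).isoformat()


def summarize(upcalls):
    """One human-readable verdict line per upcall."""
    lines = []
    for i, u in enumerate(upcalls, 1):
        failed = bool(u["failures"]) or u["error_downcall"]
        lines.append(
            f"upcall {i} at {u['ts']}: euid={u.get('euid', '?')} "
            f"target={u.get('target', '?')} ccache={u.get('ccache', '?')} "
            f"valid_until={expiry_utc(u) if 'expiry' in u else '?'} "
            f"result={'FAILED' if failed else 'ok'} ({len(u['failures'])} warnings)")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_gssd_log(SAMPLE_LOG)):
        print(line)
```

Run against the poster's log, the summary shows both upcalls using euid 0 with a machine credentials cache that is valid until 2007-03-29T03:11:06 UTC (23:11 EDT, roughly ten hours after gssd started at 13:11), targeting nfs@filesm, and both ending in three warnings and an error downcall. That split is the useful part: the cached machine credentials are present and unexpired, so the failure lies in obtaining or using the service ticket for nfs@filesm, which is exactly what the KDC-side and NFS-server-side captures requested in the quoted reply would reveal.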