problems with sec=krb5

Kevin Coffman kwc at citi.umich.edu
Thu Mar 29 13:19:53 EDT 2007


On 3/29/07, Rohit Kumar Mehta <rohitm at engr.uconn.edu> wrote:
> I tried recompiling nfs-utils, but it became quite painful, so I just
> upgraded the system to feisty (uses nfs-utils 1.0.12-4 and kernel 2.6.20)
> without any difficulty at all.

Luckily that is an option for you!

> sec=sys mounts still work, but I notice something odd written to the
> daemon.log:
>
> Mar 29 10:25:15 cselin12 nfsd[4549]: nfssvc: writing fds to kernel
> failed: errno 0 (Success)
>
> Is this indicative of a kernel problem?  The mount (sec=sys) seems to
> work properly despite this error message.

I think it is a kernel issue, but it shouldn't affect this.

> sec=krb5 is still not working yet though, but I am getting different
> error messages.
>
> root@cselin12:~# mount -t nfs4 -o sec=krb5
> filesm.ad.engr.uconn.edu:/StaffDirectories/nfs/rohitm /home/rohitm
> Warning: rpc.idmapd appears not to be running.
>           All uids will be mapped to the nobody uid.
> mount: permission denied
>
> With debugging turned way up I see:
> Mar 29 11:06:19 cselin12 rpc.idmapd[4699]: New client: 20
> Mar 29 11:06:19 cselin12 rpc.idmapd[4699]: Opened
> /var/lib/nfs/rpc_pipefs/nfs/clnt20/idmap
> Mar 29 11:06:19 cselin12 rpc.idmapd[4699]: New client: 21
> Mar 29 11:06:19 cselin12 rpc.gssd[4701]: handling krb5 upcall
> Mar 29 11:06:19 cselin12 rpc.gssd[4701]: Using keytab file
> '/etc/krb5.keytab'
> Mar 29 11:06:19 cselin12 rpc.gssd[4701]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU' are good until 1175216725
> Mar 29 11:06:19 cselin12 rpc.gssd[4701]: using
> FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU as credentials cache for
> machine creds
> Mar 29 11:06:19 cselin12 rpc.gssd[4701]: using environment variable to
> select krb5 ccache FILE:/tmp/krb5cc_machine_AD.ENGR.UCONN.EDU
> Mar 29 11:06:19 cselin12 rpc.gssd[4701]: creating context using fsuid 0
> (save_uid 0)
> Mar 29 11:06:19 cselin12 rpc.gssd[4701]: creating tcp client for server
> filesm.ad.engr.uconn.edu
> Mar 29 11:06:19 cselin12 rpc.gssd[4701]: creating context with server
> nfs@filesm.ad.engr.uconn.edu
> Mar 29 11:06:19 cselin12 rpc.gssd[4701]: DEBUG: serialize_krb5_ctx:
> lucid version!
> Mar 29 11:06:19 cselin12 rpc.gssd[4701]: prepare_krb5_rfc1964_buffer:
> serializing keys with enctype 4 and length 8
> Mar 29 11:06:19 cselin12 rpc.gssd[4701]: doing downcall

This looks better on the client side.

Did you update the server's nfs-utils as well?  It may have a mapping
problem.  Newer nfs-utils will ignore the mapping problem and allow
the mount to succeed (mapping the user to nobody).

Otherwise, are there interesting messages on the server?  (because the
client seems happy)

K.C.

