gssd/kerb5 error, maybe keytab issue
Markus Bölter
Markus.Boelter at Micronas.com
Mon May 21 04:27:05 EDT 2007
Hello!
I am trying to set up nfsv4 with sec=krb5 and Active Directory as KDC.
I got it running when exporting the keytab entries with "ktpass" on
the domain controller. For our automated linux client installation,
I want to "fetch" the keytab to the client. I am using a utility
called "VAS" (www.vintela.com) for doing the mapping to the nfs/
principal and for getting the keytab. The file /etc/krb5.keytab is
stored in the correct encryption format:
--- snip ---
[root@dolly ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 dolly-nfs@MICRONAS.COM (ArcFour with HMAC/md5)
   2    2 nfs/dolly.micronas.com@MICRONAS.COM (ArcFour with HMAC/md5)
   3    3 nfs/dolly.micronas.com@MICRONAS.COM (ArcFour with HMAC/md5)
   4    3 dolly-nfs@MICRONAS.COM (ArcFour with HMAC/md5)
   5    3 nfs/dolly.micronas.com@MICRONAS.COM (DES cbc mode with CRC-32)
   6    3 dolly-nfs@MICRONAS.COM (DES cbc mode with CRC-32)
   7    3 nfs/dolly.micronas.com@MICRONAS.COM (DES cbc mode with RSA-MD5)
   8    3 dolly-nfs@MICRONAS.COM (DES cbc mode with RSA-MD5)
--- snip ---
Also rpc.gssd seems to understand this file:
--- snip ---
[root@dolly ~]# /etc/rc.d/init.d/rpcgssd start
May 21 10:17:53 dolly rpc.gssd[7571]: rpcsec_gss: debug level is 8
May 21 10:17:53 dolly rpc.gssd[7572]: Using keytab file '/etc/krb5.keytab'
May 21 10:17:53 dolly rpc.gssd[7572]: Processing keytab entry for principal 'dolly-nfs@MICRONAS.COM'
May 21 10:17:53 dolly rpc.gssd[7572]: We will NOT use this entry (dolly-nfs@MICRONAS.COM)
May 21 10:17:53 dolly rpc.gssd[7572]: Processing keytab entry for principal 'nfs/dolly.micronas.com@MICRONAS.COM'
May 21 10:17:53 dolly rpc.gssd[7572]: We will use this entry (nfs/dolly.micronas.com@MICRONAS.COM)
May 21 10:17:53 dolly rpc.gssd[7572]: Processing keytab entry for principal 'nfs/dolly.micronas.com@MICRONAS.COM'
May 21 10:17:53 dolly rpc.gssd[7572]: We will NOT use this entry (nfs/dolly.micronas.com@MICRONAS.COM)
[...]
May 21 10:17:55 dolly rpc.gssd[7572]: processing client list
--- snip ---
Problems occur when I try to mount a nfs share with secure nfs enabled:
--- snip again ---
[root@dolly ~]# mount -t nfs4 -o sec=krb5 whiskas:/export/nfs4 /mnt
May 21 10:23:11 dolly rpc.gssd[7572]: processing client list
May 21 10:23:11 dolly rpc.gssd[7572]: handling krb5 upcall
May 21 10:23:11 dolly rpc.gssd[7572]: Using keytab file '/etc/krb5.keytab'
May 21 10:23:11 dolly rpc.gssd[7572]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MICRONAS.COM' are good until 1179771475
May 21 10:23:11 dolly rpc.gssd[7572]: using FILE:/tmp/krb5cc_machine_MICRONAS.COM as credentials cache for machine creds
May 21 10:23:11 dolly rpc.gssd[7572]: creating context using euid 0 (save_uid 0)
May 21 10:23:11 dolly rpc.gssd[7572]: creating tcp client for server whiskas
May 21 10:23:11 dolly rpc.idmapd[6591]: New client: a
May 21 10:23:11 dolly rpc.idmapd[6591]: Opened /var/lib/nfs/rpc_pipefs/nfs/clnta/idmap
May 21 10:23:11 dolly rpc.gssd[7572]: creating context with server nfs@whiskas
May 21 10:23:11 dolly rpc.gssd[7572]: in authgss_create_default()
May 21 10:23:11 dolly rpc.gssd[7572]: in authgss_create()
May 21 10:23:11 dolly rpc.gssd[7572]: authgss_create: name is 0x50d740
May 21 10:23:11 dolly rpc.gssd[7572]: authgss_create: gd->name is 0x510e80
May 21 10:23:11 dolly rpc.gssd[7572]: in authgss_refresh()
May 21 10:23:11 dolly rpc.gssd[7572]: struct rpc_gss_sec:
May 21 10:23:11 dolly rpc.gssd[7572]: mechanism_OID: { 1 2 134 72 134 247 18 1 2 2 }
May 21 10:23:11 dolly rpc.gssd[7572]: qop: 0
May 21 10:23:11 dolly rpc.gssd[7572]: service: 1
May 21 10:23:11 dolly rpc.gssd[7572]: cred: (nil)
May 21 10:23:11 dolly rpc.gssd[7572]: req_flags: 00000002
May 21 10:23:12 dolly rpc.gssd[7572]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 7
May 21 10:23:12 dolly rpc.gssd[7572]: in authgss_destroy()
May 21 10:23:12 dolly rpc.gssd[7572]: in authgss_destroy_context()
May 21 10:23:12 dolly rpc.gssd[7572]: authgss_destroy: freeing name 0x510e80
May 21 10:23:12 dolly rpc.gssd[7572]: authgss_create_default: freeing name 0x50d740
May 21 10:23:12 dolly rpc.gssd[7572]: WARNING: Failed to create krb5 context for user with uid 0 for server whiskas
May 21 10:23:12 dolly rpc.gssd[7572]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_MICRONAS.COM for server whiskas
May 21 10:23:12 dolly rpc.gssd[7572]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server whiskas
May 21 10:23:12 dolly rpc.gssd[7572]: doing error downcall
May 21 10:23:12 dolly rpc.idmapd[6591]: Stale client: a
May 21 10:23:12 dolly rpc.idmapd[6591]: -> closed /var/lib/nfs/rpc_pipefs/nfs/clnta/idmap
May 21 10:23:12 dolly rpc.gssd[7572]: processing client list
[...]
--- snip ---
When I export the keytab file on the domain controller itself and
copy it to the linux client, things are working smoothly. Things look
weird to me in this line:
May 21 10:23:12 dolly rpc.gssd[7572]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 7
Some data about my machine:
[root@dolly ~]# uname -a
Linux dolly 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:32:02 EDT 2006 x86_64 x86_64 x86_64 GNU/Linux
[root@dolly ~]# rpm -qa|grep nfs
nfs-utils-1.0.6-80.EL4
system-config-nfs-1.2.8-1
nfs-utils-lib-1.0.6-8
[root@dolly ~]# cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
Any pointers in the right direction would be very nice!
Thanks in advance!
Markus
Micronas GmbH
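An added keytab sanity check, not part of the original mail and not a VAS or nfs-utils tool: it parses a `ktutil` "l -e" listing like the one in the mail and reports conditions worth ruling out on the client before looking at the GSS layer, namely one principal carrying several KVNOs and single-DES enctypes. The sample listing is reconstructed from the mail, and the function names and the reading of multiple KVNOs as stale entries are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the `ktutil: l -e` listing from the mail, with the
# archive's "at" mangling undone and wrapped lines joined.
KTUTIL_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 dolly-nfs@MICRONAS.COM (ArcFour with HMAC/md5)
   2    2 nfs/dolly.micronas.com@MICRONAS.COM (ArcFour with HMAC/md5)
   3    3 nfs/dolly.micronas.com@MICRONAS.COM (ArcFour with HMAC/md5)
   4    3 dolly-nfs@MICRONAS.COM (ArcFour with HMAC/md5)
   5    3 nfs/dolly.micronas.com@MICRONAS.COM (DES cbc mode with CRC-32)
   6    3 dolly-nfs@MICRONAS.COM (DES cbc mode with CRC-32)
   7    3 nfs/dolly.micronas.com@MICRONAS.COM (DES cbc mode with RSA-MD5)
   8    3 dolly-nfs@MICRONAS.COM (DES cbc mode with RSA-MD5)
"""

# One keytab entry: slot, KVNO, principal, then the enctype in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_ktutil(listing):
    """Return (slot, kvno, principal, enctype) tuples from `ktutil l -e` output."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and separator lines do not match and are skipped
            entries.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return entries

def audit_keytab(entries):
    """List keytab conditions a client-side admin should check first."""
    kvnos = defaultdict(set)
    for _slot, kvno, princ, _enc in entries:
        kvnos[princ].add(kvno)
    findings = []
    for princ, versions in sorted(kvnos.items()):
        if len(versions) > 1:
            # Assumption: only the entry whose KVNO matches the KDC's current
            # key version can decrypt service tickets; the others are stale.
            findings.append(f"{princ}: multiple KVNOs {sorted(versions)}")
    for slot, kvno, princ, enc in entries:
        if enc.startswith("DES"):  # single DES: weak, deprecated for Kerberos
            findings.append(f"slot {slot} ({princ}, kvno {kvno}): weak enctype '{enc}'")
    return findings

def service_entries(entries, service="nfs/"):
    """Entries for the service principal, in the order the keytab stores them."""
    return [e for e in entries if e[2].startswith(service)]
```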