Kerberos incompatibilities
Lukas Hejtmanek
xhejtman at ics.muni.cz
Tue Sep 4 13:16:10 EDT 2007
On Tue, Sep 04, 2007 at 11:39:19AM -0400, Kevin Coffman wrote:
> This is not a known problem. This looks like MIT Kerberos, correct?
Yes, it is MIT Kerberos.
> Could you send the output of "klist -e -k -t" on the unstable client?
klist -e -k -t
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 09/04/07 15:13:47 host/didas.cesnet.cz at ICS.MUNI.CZ (DES cbc mode with CRC-32)
1 09/04/07 15:13:47 host/didas.cesnet.cz at ICS.MUNI.CZ (DES cbc mode with RSA-MD4)
1 09/04/07 15:13:47 host/didas.cesnet.cz at ICS.MUNI.CZ (DES cbc mode with RSA-MD5)
1 09/04/07 15:13:47 host/didas.cesnet.cz at ICS.MUNI.CZ (Triple DES cbc mode with HMAC/sha1)
Probably, this is more interesting:
(this is when the client is OK).
$ KRB5CCNAME=/tmp/krb5cc_machine_ICS.MUNI.CZ klist -e
Ticket cache: FILE:/tmp/krb5cc_machine_ICS.MUNI.CZ
Default principal: host/didas.cesnet.cz at ICS.MUNI.CZ
Valid starting Expires Service principal
09/04/07 19:03:58 09/05/07 19:03:57 krbtgt/ICS.MUNI.CZ at ICS.MUNI.CZ
Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
09/04/07 19:03:58 09/05/07 19:03:57 nfs/cache04.video.muni.cz at ICS.MUNI.CZ
Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
(this is when the client is not OK).
$ KRB5CCNAME=/tmp/krb5cc_machine_ICS.MUNI.CZ klist -e
Ticket cache: FILE:/tmp/krb5cc_machine_ICS.MUNI.CZ
Default principal: host/didas.cesnet.cz at ICS.MUNI.CZ
Valid starting Expires Service principal
09/04/07 19:06:45 09/05/07 19:06:44 krbtgt/ICS.MUNI.CZ at ICS.MUNI.CZ
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
09/04/07 19:06:45 09/05/07 19:06:44 nfs/cache04.video.muni.cz at ICS.MUNI.CZ
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
> Could you also send me a packet trace from the unstable client (with
> and without the enctypes settings).
The first one is with the setting, the second one is without (i.e., nfs cannot
be mounted). If this is not what you wanted, please let me know, I can make
the output for you.
Sep 4 19:03:15 didas rpc.gssd[14687]: rpcsec_gss: debug level is 1
Sep 4 19:03:15 didas rpc.gssd[14688]: beginning poll
Sep 4 19:03:57 didas rpc.gssd[14688]: handling krb5 upcall
Sep 4 19:03:57 didas rpc.gssd[14688]: Full hostname for 'cache04.video.muni.cz' is 'cache04.video.muni.cz'
Sep 4 19:03:57 didas rpc.gssd[14688]: Full hostname for 'didas.cesnet.cz' is 'didas.cesnet.cz'
Sep 4 19:03:57 didas rpc.gssd[14688]: Key table entry not found while getting keytab entry for 'root/didas.cesnet.cz at ICS.MUNI.CZ'
Sep 4 19:03:57 didas rpc.gssd[14688]: Key table entry not found while getting keytab entry for 'nfs/didas.cesnet.cz at ICS.MUNI.CZ'
Sep 4 19:03:57 didas rpc.gssd[14688]: Success getting keytab entry for 'host/didas.cesnet.cz at ICS.MUNI.CZ'
Sep 4 19:03:58 didas rpc.gssd[14688]: Successfully obtained machine credentials for principal 'host/didas.cesnet.cz at ICS.MUNI.CZ' stored in ccache 'FILE:/tmp/krb5cc_machine_ICS.MUNI.CZ'
Sep 4 19:03:58 didas rpc.gssd[14688]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_ICS.MUNI.CZ' are good until 1189011837
Sep 4 19:03:58 didas rpc.gssd[14688]: using FILE:/tmp/krb5cc_machine_ICS.MUNI.CZ as credentials cache for machine creds
Sep 4 19:03:58 didas rpc.gssd[14688]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_ICS.MUNI.CZ
Sep 4 19:03:58 didas rpc.gssd[14688]: creating context using fsuid 0 (save_uid 0)
Sep 4 19:03:58 didas rpc.gssd[14688]: creating tcp client for server cache04.video.muni.cz
Sep 4 19:03:58 didas rpc.gssd[14688]: creating context with server nfs at cache04.video.muni.cz
Sep 4 19:03:58 didas rpc.gssd[14688]: in authgss_create_default()
Sep 4 19:03:58 didas rpc.gssd[14688]: in authgss_create()
Sep 4 19:03:58 didas rpc.gssd[14688]: in authgss_refresh()
Sep 4 19:03:58 didas rpc.gssd[14688]: in authgss_marshal()
Sep 4 19:03:58 didas rpc.gssd[14688]: xdr_rpc_gss_cred: encode success (v 1, proc 1, seq 0, svc 1, ctx (nil):0)
Sep 4 19:03:58 didas rpc.gssd[14688]: in authgss_wrap()
Sep 4 19:03:58 didas rpc.gssd[14688]: xdr_rpc_gss_init_args: encode success (token 0x806b9a0:524)
Sep 4 19:03:58 didas rpc.gssd[14688]: in authgss_validate()
Sep 4 19:03:58 didas rpc.gssd[14688]: in authgss_unwrap()
Sep 4 19:03:58 didas rpc.gssd[14688]: xdr_rpc_gss_init_res decode success (ctx 0x806b6c0:4, maj 0, min 0, win 128, token 0x806b5a8:131)
Sep 4 19:03:58 didas rpc.gssd[14688]: in authgss_get_private_data()
Sep 4 19:03:58 didas rpc.gssd[14688]: DEBUG: serialize_krb5_ctx: lucid version!
Sep 4 19:03:58 didas rpc.gssd[14688]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
Sep 4 19:03:58 didas rpc.gssd[14688]: doing downcall
Sep 4 19:03:58 didas rpc.gssd[14688]: in authgss_free_private_data()
Sep 4 19:03:58 didas rpc.gssd[14688]: in authgss_destroy()
Sep 4 19:03:58 didas rpc.gssd[14688]: in authgss_destroy_context()
Sep 4 19:03:58 didas rpc.gssd[14688]: authgss_destroy: freeing name 0x8056850
Sep 4 19:06:15 didas rpc.gssd[14688]: destroying client clnt90
Sep 4 19:06:15 didas rpc.gssd[14688]: destroying client clnt8f
Sep 4 19:06:20 didas rpc.gssd[14688]: exiting on signal 15
Sep 4 19:06:34 didas rpc.statd[14746]: Version 1.1.0 Starting
Sep 4 19:06:34 didas rpc.gssd[14757]: rpcsec_gss: debug level is 1
Sep 4 19:06:34 didas rpc.gssd[14758]: beginning poll
Sep 4 19:06:44 didas rpc.gssd[14758]: handling krb5 upcall
Sep 4 19:06:44 didas rpc.gssd[14758]: Full hostname for 'cache04.video.muni.cz' is 'cache04.video.muni.cz'
Sep 4 19:06:44 didas rpc.gssd[14758]: Full hostname for 'didas.cesnet.cz' is 'didas.cesnet.cz'
Sep 4 19:06:44 didas rpc.gssd[14758]: Key table entry not found while getting keytab entry for 'root/didas.cesnet.cz at ICS.MUNI.CZ'
Sep 4 19:06:44 didas rpc.gssd[14758]: Key table entry not found while getting keytab entry for 'nfs/didas.cesnet.cz at ICS.MUNI.CZ'
Sep 4 19:06:44 didas rpc.gssd[14758]: Success getting keytab entry for 'host/didas.cesnet.cz at ICS.MUNI.CZ'
Sep 4 19:06:45 didas rpc.gssd[14758]: Successfully obtained machine credentials for principal 'host/didas.cesnet.cz at ICS.MUNI.CZ' stored in ccache 'FILE:/tmp/krb5cc_machine_ICS.MUNI.CZ'
Sep 4 19:06:45 didas rpc.gssd[14758]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_ICS.MUNI.CZ' are good until 1189012004
Sep 4 19:06:45 didas rpc.gssd[14758]: using FILE:/tmp/krb5cc_machine_ICS.MUNI.CZ as credentials cache for machine creds
Sep 4 19:06:45 didas rpc.gssd[14758]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_ICS.MUNI.CZ
Sep 4 19:06:45 didas rpc.gssd[14758]: creating context using fsuid 0 (save_uid 0)
Sep 4 19:06:45 didas rpc.gssd[14758]: creating tcp client for server cache04.video.muni.cz
Sep 4 19:06:45 didas rpc.gssd[14758]: creating context with server nfs at cache04.video.muni.cz
Sep 4 19:06:45 didas rpc.gssd[14758]: in authgss_create_default()
Sep 4 19:06:45 didas rpc.gssd[14758]: in authgss_create()
Sep 4 19:06:45 didas rpc.gssd[14758]: in authgss_refresh()
Sep 4 19:06:45 didas rpc.gssd[14758]: in authgss_marshal()
Sep 4 19:06:45 didas rpc.gssd[14758]: xdr_rpc_gss_cred: encode success (v 1, proc 1, seq 0, svc 1, ctx (nil):0)
Sep 4 19:06:45 didas rpc.gssd[14758]: in authgss_wrap()
Sep 4 19:06:45 didas rpc.gssd[14758]: xdr_rpc_gss_init_args: encode success (token 0x8069340:564)
Sep 4 19:06:45 didas rpc.gssd[14758]: in authgss_validate()
Sep 4 19:06:45 didas rpc.gssd[14758]: in authgss_unwrap()
Sep 4 19:06:45 didas rpc.gssd[14758]: xdr_rpc_gss_init_res decode success (ctx 0x8069330:4, maj 524288, min 0, win 128, token 0x80696e8:153)
Sep 4 19:06:45 didas rpc.gssd[14758]: WARNING: Failed to create krb5 context for user with uid 0 for server cache04.video.muni.cz
Sep 4 19:06:45 didas rpc.gssd[14758]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_ICS.MUNI.CZ for server cache04.video.muni.cz
Sep 4 19:06:45 didas rpc.gssd[14758]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server cache04.video.muni.cz
Sep 4 19:06:45 didas rpc.gssd[14758]: doing error downcall
Sep 4 19:06:45 didas rpc.gssd[14758]: destroying client clnt92
Sep 4 19:06:45 didas rpc.gssd[14758]: destroying client clnt91
--
Lukáš Hejtmánek
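
Added example, not part of the original message: the failing attempt's server reply carries `maj 524288`, and this Python code decodes such GSS-API major status values using the RFC 2744 bit layout and pairs each rpc.gssd context attempt with its result. The function names are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# GSS-API major status layout (RFC 2744): calling error in bits 24-31,
# routine error in bits 16-23, supplementary info flags in bits 0-15.
ROUTINE = {1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
           4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
           7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
           10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
           12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
           15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
           17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN"}
CALLING = {1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
           3: "GSS_S_CALL_BAD_STRUCTURE"}
SUPPLEMENTARY = ["GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN",
                 "GSS_S_OLD_TOKEN", "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN"]

def decode_major(maj):
    """Split a GSS-API major status into its symbolic components."""
    names = []
    calling, routine = (maj >> 24) & 0xFF, (maj >> 16) & 0xFF
    if calling:
        names.append(CALLING.get(calling, "unknown calling error %d" % calling))
    if routine:
        names.append(ROUTINE.get(routine, "unknown routine error %d" % routine))
    names += [n for bit, n in enumerate(SUPPLEMENTARY) if maj & (1 << bit)]
    return names or ["GSS_S_COMPLETE"]

LINE = re.compile(r"rpc\.gssd\[(\d+)\]: (.*)")
SERVER = re.compile(r"creating context with server (.+)")
RESULT = re.compile(r"xdr_rpc_gss_init_res decode success \(.*maj (\d+), min (\d+)")

def context_results(lines):
    """Return (pid, server, decoded major, minor) for each server reply."""
    server_by_pid, out = {}, []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if (s := SERVER.match(msg)):
            server_by_pid[pid] = s.group(1).strip()
        elif (r := RESULT.match(msg)):
            out.append((pid, server_by_pid.get(pid),
                        decode_major(int(r.group(1))), int(r.group(2))))
    return out

SAMPLE = [  # copied from the rpc.gssd log in the message above
    "Sep 4 19:03:58 didas rpc.gssd[14688]: creating context with server nfs at cache04.video.muni.cz",
    "Sep 4 19:03:58 didas rpc.gssd[14688]: xdr_rpc_gss_init_res decode success (ctx 0x806b6c0:4, maj 0, min 0, win 128, token 0x806b5a8:131)",
    "Sep 4 19:06:45 didas rpc.gssd[14758]: creating context with server nfs at cache04.video.muni.cz",
    "Sep 4 19:06:45 didas rpc.gssd[14758]: xdr_rpc_gss_init_res decode success (ctx 0x8069330:4, maj 524288, min 0, win 128, token 0x80696e8:153)",
]
```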