NFS4 + Kerberos with AD
Kevin Coffman
kwc at citi.umich.edu
Tue May 13 15:19:03 EDT 2008
Hello Justin,
See my comments below.
On Tue, May 13, 2008 at 1:53 PM, Grover, Justin N.
<Justin.Grover at ic.fbi.gov> wrote:
>
> My Progress:
> - Used 'ktpass' command on Windows server to create keytab files for both
> the nfs server and client.
> - Used the DES-CBC-MD5 encryption type.
> - Distributed keytab files accordingly to each machine's /etc directory.
> - Setup file export on NFS server: /files gss/krb5(rw,sync)
> - Attempting to mount from client using 'sudo mount -t nfs4 -o sec=krb5
> nfs-server:/files /mnt/files'
I'm not sure about the use of des-cbc-md5 instead of des-cbc-crc, but
we'll ignore that for now.
> NFS Server Log Output:
>
> nfsserver rpc.svcgssd[3320]: leaving poll
> nfsserver rpc.svcgssd[3320]: handling null request
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: in_handle:
> nfsserver rpc.svcgssd[3320]: length 0
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: in_tok:
> nfsserver rpc.svcgssd[3320]: length -1
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: WARNING: gss_accept_sec_context failed
> nfsserver rpc.svcgssd[3320]: ERROR: GSS-API: error in handle_nullreq:
> gss_accept_sec_context(): A token was invalid - Tokane header is malformed
> or corrupt
> nfsserver rpc.svcgssd[3320]: sending null reply
This is where we should look. As it says, the server doesn't like the
initial gss token sent from the client. Could you send me a network
trace of this exchange? (Alternately, I think you should actually see
the token printed out if you run rpc.svcgssd on the server in the
foreground with "-f -vvv")
Also, Ubuntu has MIT Kerberos? What version?
K.C.
More information about the NFSv4
mailing list