NFS4 + Kerberos with AD

Grover, Justin N. Justin.Grover at ic.fbi.gov
Tue May 13 17:35:32 EDT 2008


I will try creating the keytabs with des-cbc-crc and report back with findings when I can...

Also Kevin, is there a way to specify the svcgssd service to start up last in the nfs-kernel-server startup?  With the -vvvf option, when I do an /etc/init.d/nfs-kernel-server restart, the process hangs in the foreground when svcgssd starts (making it so mountd doesn't get started).

Justin


________________________________________
From: kwcoffman at gmail.com [kwcoffman at gmail.com] On Behalf Of Kevin Coffman [kwc at citi.umich.edu]
Sent: Tuesday, May 13, 2008 3:19 PM
To: Grover, Justin N.
Cc: nfsv4
Subject: Re: NFS4 + Kerberos with AD

Hello Justin,

See my comments below.

On Tue, May 13, 2008 at 1:53 PM, Grover, Justin N.
<Justin.Grover at ic.fbi.gov> wrote:
>
> My Progress:
> - Used 'ktpass' command on Windows server to create keytab files for both
> the nfs server and client.
> - Used the DES-CBC-MD5 encryption type.
> - Distributed keytab files accordingly to each machine's /etc directory.
> - Set up file export on NFS server: /files gss/krb5(rw,sync)
> - Attempting to mount from client using 'sudo mount -t nfs4 -o sec=krb5
> nfs-server:/files /mnt/files'

I'm not sure about the use of des-cbc-md5 instead of des-cbc-crc, but
we'll ignore that for now.


> NFS Server Log Output:
>
> nfsserver rpc.svcgssd[3320]: leaving poll
> nfsserver rpc.svcgssd[3320]: handling null request
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: in_handle:
> nfsserver rpc.svcgssd[3320]: length 0
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: in_tok:
> nfsserver rpc.svcgssd[3320]: length -1
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: WARNING: gss_accept_sec_context failed
> nfsserver rpc.svcgssd[3320]: ERROR: GSS-API: error in handle_nullreq:
> gss_accept_sec_context(): A token was invalid - Tokane header is malformed
> or corrupt
> nfsserver rpc.svcgssd[3320]: sending null reply

This is where we should look.  As it says, the server doesn't like the
initial gss token sent from the client.  Could you send me a network
trace of this exchange?  (Alternately, I think you should actually see
the token printed out if you run rpc.svcgssd on the server in the
foreground with "-f -vvv")

Also, Ubuntu has MIT Kerberos?  What version?

K.C.
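Since the thread turns on which single-DES enctype ktpass actually put in the keytab, here is an added keytab inspector (not code from the thread or from nfs-utils) that parses the MIT keytab file format and lists the principal, kvno and enctype of every entry, which is the first thing to check on both machines before chasing the GSS token error further. The principal name and key bytes in the sample are constructed.

```python
import struct
# Kerberos enctype numbers (RFC 3961/3962); 1 and 3 are the single-DES types
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
def _cstr(buf, off):                       # counted octet string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    """Parse an MIT keytab (file format version 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot: skip it
            off -= size
            continue
        end, (ncomp,) = off + size, struct.unpack_from(">H", data, off)
        realm, p = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _cstr(data, p)
            comps.append(c)
        # skip name_type (uint32); then timestamp, 8-bit kvno, enctype, key length
        _ts, vno8, etype, klen = struct.unpack_from(">IBHH", data, p + 4)
        p += 13 + klen                     # move past the key bytes themselves
        kvno = struct.unpack_from(">I", data, p)[0] if p + 4 <= end else vno8  # 32-bit kvno is optional
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, "etype-%d" % etype)})
        off = end
    return entries
def make_keytab(entries):                  # builds constructed test data, not ktpass output
    pstr = lambda s: struct.pack(">H", len(s)) + s.encode()
    out = b"\x05\x02"
    for principal, kvno, etype, key in entries:
        name, realm = principal.split("@")
        body = struct.pack(">H", name.count("/") + 1) + pstr(realm)
        body += b"".join(pstr(c) for c in name.split("/"))
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out
# Constructed sample (dummy key bytes): the nfs/ service principal carrying both
# single-DES variants discussed in the thread, as ktpass might have written them.
SAMPLE_KEYTAB = make_keytab([
    ("nfs/nfs-server.example.com@EXAMPLE.COM", 3, 3, b"\x01" * 8),
    ("nfs/nfs-server.example.com@EXAMPLE.COM", 3, 1, b"\x02" * 8),
])
```

Run it against the real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; the output should agree with `klist -ke`.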

