NFS4 + Kerberos with AD

J. Bruce Fields bfields at fieldses.org
Tue May 13 18:42:23 EDT 2008


On Tue, May 13, 2008 at 05:35:32PM -0400, Grover, Justin N. wrote:
> I will try creating the keytabs with des-cbc-crc and report back with findings when I can...
> 
> Also Kevin, is there a way to specify the svcgssd service to start up last in the nfs-kernel-server startup?  With the -vvvf option, when I do an /etc/init.d/nfs-kernel-server restart, the process hangs in the foreground when svcgssd starts (making it so mountd doesn't get started).
> 

Just drop the "f" and it'll put itself in the background and log the
results as usual.

Or you can just kill the rpc.svcgssd that the init scripts started and
run your own with -vvvf and watch the output in the terminal.

--b.

> Justin
> 
> 
> ________________________________________
> From: kwcoffman at gmail.com [kwcoffman at gmail.com] On Behalf Of Kevin Coffman [kwc at citi.umich.edu]
> Sent: Tuesday, May 13, 2008 3:19 PM
> To: Grover, Justin N.
> Cc: nfsv4
> Subject: Re: NFS4 + Kerberos with AD
> 
> Hello Justin,
> 
> See my comments below.
> 
> On Tue, May 13, 2008 at 1:53 PM, Grover, Justin N.
> <Justin.Grover at ic.fbi.gov> wrote:
> >
> > My Progress:
> > - Used 'ktpass' command on Windows server to create keytab files for both
> > the nfs server and client.
> > - Used the DES-CBC-MD5 encryption type.
> > - Distributed keytab files accordingly to each machine's /etc directory.
> > - Set up file export on NFS server: /files gss/krb5(rw,sync)
> > - Attempting to mount from client using 'sudo mount -t nfs4 -o sec=krb5
> > nfs-server:/files /mnt/files'
> 
> I'm not sure about the use of des-cbc-md5 instead of des-cbc-crc, but
> we'll ignore that for now.
> 
> 
> > NFS Server Log Output:
> >
> > nfsserver rpc.svcgssd[3320]: leaving poll
> > nfsserver rpc.svcgssd[3320]: handling null request
> > nfsserver rpc.svcgssd[3320]:
> > nfsserver rpc.svcgssd[3320]: in_handle:
> > nfsserver rpc.svcgssd[3320]: length 0
> > nfsserver rpc.svcgssd[3320]:
> > nfsserver rpc.svcgssd[3320]: in_tok:
> > nfsserver rpc.svcgssd[3320]: length -1
> > nfsserver rpc.svcgssd[3320]:
> > nfsserver rpc.svcgssd[3320]: WARNING: gss_accept_sec_context failed
> > nfsserver rpc.svcgssd[3320]: ERROR: GSS-API: error in handle_nullreq:
> > gss_accept_sec_context(): A token was invalid - Tokane header is malformed
> > or corrupt
> > nfsserver rpc.svcgssd[3320]: sending null reply
> 
> This is where we should look.  As it says, the server doesn't like the
> initial gss token sent from the client.  Could you send me a network
> trace of this exchange?  (Alternately, I think you should actually see
> the token printed out if you run rpc.svcgssd on the server in the
> foreground with "-f -vvv")
> 
> Also, Ubuntu has MIT Kerberos?  What version?
> 
> K.C.
> _______________________________________________
> NFSv4 mailing list
> NFSv4 at linux-nfs.org
> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4

