NFS4 + Kerberos with AD
Grover, Justin N.
Justin.Grover at ic.fbi.gov
Wed May 14 15:46:03 EDT 2008
I am now using DES-CBC-CRC, and still running into the same issue. Figures... :-p
I also did a packet trace using tcpdump, and will provide packet header information below (note MAC addresses / IPs are not actual):
FROM nfsclient TO ActiveDirectory:
15:05:00 00:11:22:aa:bb:cc, ethertype IPv4 (0x0800), length 1404: (tos 0x0, ttl 64, id 33187, offset 0, flags [DF], proto UDP (17), length 1390) 192.168.1.30.32782 > 192.168.1.200.88: [bad udp cksum c54e!]
FROM ActiveDirectory TO nfsclient:
15:05:00 00:11:22:66:77:ee > 00:11:22:aa:bb:cc, ethertype IPv4 (0x0800), length 1384: (tos 0x0, ttl 128, id 8296, offset 0, flags [none], proto UDP (17), length 1370) 192.168.1.200.88 > 192.168.1.30.32782: [udp sum ok]
FROM nfsclient TO nfsserver:
15:05:00 00:11:22:aa:bb:cc > 00:22:33:aa:cc:dd , ethertype IPv4 (0x0800), length 1418: (tos: 0x0, ttl 64, id 26804, offset 0, flags [DF], proto TCP (6), length 1404) 192.168.1.30.1193293888 > 192.168.1.100.2049: 1352 null
FROM nfsserver TO nfsclient:
15:05:00 00:22:33:aa:cc:dd, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.100.2049 > 192.168.1.30.0: reply ERR 0: RPC Version mismatch (167772160-0)
________________________________________
From: kwcoffman at gmail.com [kwcoffman at gmail.com] On Behalf Of Kevin Coffman [kwc at citi.umich.edu]
Sent: Wednesday, May 14, 2008 9:42 AM
To: Grover, Justin N.
Cc: J. Bruce Fields; nfsv4
Subject: Re: NFS4 + Kerberos with AD
On Tue, May 13, 2008 at 6:42 PM, J. Bruce Fields <bfields at fieldses.org> wrote:
> On Tue, May 13, 2008 at 05:35:32PM -0400, Grover, Justin N. wrote:
> > I will try creating the keytabs with des-cbc-crc and report back with findings when I can...
> >
> > Also Kevin, is there a way to specify the svcgssd service to startup last in
> > the nfs-kernel-server startup? With the -vvvf option, when I do an
> > /etc/init.d/nfs-kernel-server restart, the process hangs in the foreground
> > when svcgssd starts (making it so mountd doesn't get started).
> >
>
> Just drop the "f" and it'll put itself in the background and log the
> results as usual.
>
> Or you can just kill the rpc.svcgssd that the init scripts started and
> run your own with -vvvf and watch the output in the terminal.
Yes, this is what I intended. However, after looking at the code
again, newer versions of svcgssd will only log the token data when
running in the foreground in a terminal *and* when compiled with DEBUG
defined.
Therefore, a packet trace showing the token being sent from the client
would be most helpful...
More information about the NFSv4
mailing list