NFS4 + Kerberos with AD
Trond Myklebust
trond.myklebust at fys.uio.no
Mon May 19 17:08:29 EDT 2008
On Mon, 2008-05-19 at 15:44 -0400, Grover, Justin N. wrote:
> Ah, that was helpful in giving me some more information to work with, thanks Ben.
>
> I can indeed see the token being sent. The token is of size 1281, and I can see in plain-text the realm, the host, and the server address towards the beginning of the token.
>
> Following that, it looks like encoding of the buffer and credentials are successful in authgss_marshal(). encoding is also successful in the authgss_wrap() step.
>
> Then I get the following:
> authgss_create_default: freeing name 0x80693360:1281
> WARNING: Failed to create krb5 context for user with uid 0 for server nfsserver.example.com
> WARNING: Failed to create krb5 context for user with credentials cache FILE:/tmp/krb5cc_machine_EXAMPLE.COM for server nfsserver.example.com
> WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server nfsserver.example.com.
>
>
> Now here's a question: why is it attempting to 'create context' for uid 0? The root account is disabled in Ubuntu by default. In my keytab creation, I told it to map to a specific domain username... any ideas?
You are probably running 'sudo mount', right? That causes the mount
process to run as a root process. However, unless you are running with
the '-n' option, the rpc.gssd daemon will treat uid 0 as 'special', and
will look for a machine credential for the principal
'nfs/<fqdn>@<REALM>' in the keytab file /etc/krb5.keytab.
Have you, BTW, had a read through Mike Eisler's blog on how to set up
the keytabs from a Windows AD service? You can find it on
http://nfsworld.blogspot.com/2005_06_01_archive.html
Trond
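The check a client administrator would want after reading the above is whether /etc/krb5.keytab actually holds the nfs/<fqdn>@<REALM> entry rpc.gssd looks up for uid 0. The script below is an added example, not part of this thread and not from the nfs-utils or MIT Kerberos projects: it parses the MIT keytab file format (version 0x0502) directly and reports whether the expected machine principal is present. The realm EXAMPLE.COM comes from the post; the client hostname nfsclient.example.com, the user-mapped principal nfsclient$, the key bytes and the timestamp are constructed sample values, and the two in-memory keytabs are built only so the check can be exercised offline.

```python
import socket
import struct
import sys

def build_keytab(entries):
    """Build a constructed MIT keytab (version 0x0502) in memory for testing.
    entries: list of (realm, components, enctype, key_bytes, kvno)."""
    out = bytearray(b"\x05\x02")
    for realm, components, enctype, key, kvno in entries:
        body = bytearray()
        body += struct.pack(">H", len(components))           # v2: realm not counted
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in components:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)                         # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1211224109)                # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)               # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                      # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        off = 0
        (ncomp,) = struct.unpack_from(">H", entry, off); off += 2
        (rlen,) = struct.unpack_from(">H", entry, off); off += 2
        realm = entry[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", entry, off); off += 2
            comps.append(entry[off:off + clen].decode()); off += clen
        off += 4                     # name_type
        off += 4                     # timestamp
        (vno8,) = struct.unpack_from(">B", entry, off); off += 1
        enctype, klen = struct.unpack_from(">HH", entry, off); off += 4
        off += klen                  # skip the key material itself
        kvno = vno8
        if off + 4 <= len(entry):    # 32-bit kvno present and non-zero overrides vno8
            (kvno32,) = struct.unpack_from(">I", entry, off)
            if kvno32:
                kvno = kvno32
        yield "/".join(comps) + "@" + realm, kvno, enctype

def machine_principal(fqdn, realm):
    """The principal rpc.gssd looks for when the mount runs as uid 0."""
    return "nfs/%s@%s" % (fqdn, realm)

def has_machine_credential(data, fqdn, realm):
    want = machine_principal(fqdn, realm)
    return any(princ == want for princ, _, _ in parse_keytab(data))

# Constructed sample: keytab holding only a user-mapped account principal (the
# situation described in the post), so the uid 0 lookup finds nothing.
SAMPLE_MISSING = build_keytab([
    ("EXAMPLE.COM", ["nfsclient$"], 23, b"\x00" * 16, 3),
])
# Constructed sample: keytab that also carries the nfs/<fqdn>@<REALM> entry.
SAMPLE_OK = build_keytab([
    ("EXAMPLE.COM", ["nfsclient$"], 23, b"\x00" * 16, 3),
    ("EXAMPLE.COM", ["nfs", "nfsclient.example.com"], 23, b"\x11" * 16, 3),
])

if __name__ == "__main__":
    # usage: keytab_check.py [/etc/krb5.keytab] [REALM]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.keytab"
    realm = sys.argv[2] if len(sys.argv) > 2 else "EXAMPLE.COM"
    fqdn = socket.getfqdn()
    with open(path, "rb") as f:
        data = f.read()
    for princ, kvno, enc in parse_keytab(data):
        print("%-50s kvno=%d enctype=%d" % (princ, kvno, enc))
    print("machine credential %s present: %s"
          % (machine_principal(fqdn, realm), has_machine_credential(data, fqdn, realm)))
```

Run against the real keytab on the client (root is needed to read /etc/krb5.keytab) and compare the listed principals with the hostname rpc.gssd will use; a keytab created for a mapped user account alone lists no nfs/ entry, which is exactly the case where the "Failed to create krb5 context for user with uid 0" warnings appear.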