NFS4 + Kerberos with AD

J. Bruce Fields bfields at fieldses.org
Wed May 28 14:39:19 EDT 2008 

On Wed, May 28, 2008 at 02:36:39PM -0400, Kevin Coffman wrote:
> The server itself runs in the kernel.  I'm not sure exactly what the
> ubuntu script starts.  I'm assuming it starts rpc.svcgssd, rpc.idmapd,
> and maybe other things.  As long as you built and installed the
> nfs-utils pieces in the normal ubuntu location (/usr/sbin/rpc.* by
> default), that script should still be usable (AFAIK).

Yup.  Looks like there's also a variable you could set at the top of
/etc/init.d/nfs-kernel-server:

	...
	#DESC="NFS kernel daemon"
	PREFIX=/usr

So you could change that to /usr/local/ or whatever, depending on where
you installed the locally-built stuff.

--b.

> 
> On Wed, May 28, 2008 at 11:21 AM, Grover, Justin N.
> <Justin.Grover at ic.fbi.gov> wrote:
> > Kevin & all,
> >
> > Assuming that something was forgotten out of the ubuntu package I was using, I decided to attempt installing the nfs server from source.
> >
> > I grabbed the latest versions of nfs-utils (1.1.2) and was able to successfully run:
> >
> > ./configure
> > make
> > make install
> >
> > Under the comfort of ubuntu packaging before, I was able to start the server by using /etc/init.d/nfs-kernel-server start.  Now that I've installed from source pkg, I'm a bit unsure of how to start the service.  Any help on how to do this would be appreciated!
> >
> > Justin
> >
> >
> > ________________________________________
> > From: kwcoffman at gmail.com [kwcoffman at gmail.com] On Behalf Of Kevin Coffman [kwc at citi.umich.edu]
> > Sent: Wednesday, May 14, 2008 4:27 PM
> > To: Grover, Justin N.
> > Cc: J. Bruce Fields; nfsv4
> > Subject: Re: NFS4 + Kerberos with AD
> >
> > Thanks Justin,
> > I assume from your email address that is as much as you can share.  It
> > appears that the size of the packet from the nfsclient to nfsserver is
> > reasonable for a GSS token.  I'm assuming something is getting mixed
> > up while sending that token up from the kernel to svcgssd.
> >
> > Back to the basics.  For the client and server machines:
> >
> > What kernel version and nfs-utils versions do you have?
> > What Kerberos implementaion and version?
> > What does "ldd /usr/sbin/rpc.svcgssd" on the server machine show?
> >
> > K.C.
> >
> > On Wed, May 14, 2008 at 3:46 PM, Grover, Justin N.
> > <Justin.Grover at ic.fbi.gov> wrote:
> >> I am now using DES-CBC-CRC, and still running into the same issue.  Figures... :-p
> >>
> >> I also did a packet trace using tcpdump, and will provide packet header information below (note MAC addresses / IPs are not actual):
> >>
> >> FROM nfsclient TO ActiveDirectory:
> >> 15:05:00 00:11:22:aa:bb:cc, ethertype IPv4 (0x0800), length 1404: (tos 0x0, ttl 64, id 33187, offset 0, flags [DF], proto UDP (17), length 1390) 192.168.1.30.32782 > 192.168.1.200.88: [bad udp cksum c54e!]
> >>
> >> FROM ActiveDirectory TO nfsclient:
> >> 15:05:00 00:11:22:66:77:ee > 00:11:22:aa:bb:cc, ethertype IPv4 (0x0800), length 1384: (tos 0x0, ttl 128, id 8296, offset 0, flags [none], proto UDP (17), length 1370) 192.168.1.200.88 > 192.168.1.30.32782: [udp sum ok]
> >>
> >> FROM nfsclient TO nfsserver:
> >> 15:05:00 00:11:22:aa:bb:cc > 00:22:33:aa:cc:dd , ethertype IPv4 (0x0800), length 1418: (tos: 0x0, ttl 64, id 26804, offset 0, flags [DF], proto TCP (6), length 1404) 192.168.1.30.1193293888 > 192.168.1.100.2049: 1352 null
> >>
> >> FROM nfsserver TO nfsclient:
> >> 15:05:00 00:22:33:aa:cc:dd, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.100.2049 > 192.168.1.30.0: reply ERR 0: RPC Version mismatch (167772160-0)
> >>
> >>
> >> ________________________________________
> >> From: kwcoffman at gmail.com [kwcoffman at gmail.com] On Behalf Of Kevin Coffman [kwc at citi.umich.edu]
> >> Sent: Wednesday, May 14, 2008 9:42 AM
> >> To: Grover, Justin N.
> >> Cc: J. Bruce Fields; nfsv4
> >> Subject: Re: NFS4 + Kerberos with AD
> >>
> >> On Tue, May 13, 2008 at 6:42 PM, J. Bruce Fields <bfields at fieldses.org> wrote:
> >>> On Tue, May 13, 2008 at 05:35:32PM -0400, Grover, Justin N. wrote:
> >>>  > I will try creating the keytabs with des-cbc-crc and report back with findings when I can...
> >>>  >
> >>>  > Also Kevin, is there a way to specify the svcgssd service to startup last in
> >>>  > the nfs-kernel-server startup?  With the -vvvf option, when I do an
> >>>  > /etc/init.d/nfs-kernel-server restart, the process hangs in the foreground
> >>>  > when svcgssd starts (making it so mountd doesn't get started).
> >>>  >
> >>>
> >>>  Just drop the "f" and it'll put itself in the background and log the
> >>>  results as usual.
> >>>
> >>>  Or you can just kill the rpc.svcgssd that the init scripts started and
> >>>  run your own with -vvvf and watch the output in the terminal.
> >>
> >> Yes, this is what I intended.  However, after looking at the code
> >> again, newer versions of svcgssd will only log the token data when
> >> running in the foreground in a terminal *and* when compiled with DEBUG
> >> defined.
> >>
> >> Therefore, a packet trace showing the token being sent from the client
> >> would be most helpful...
> >>
> >>
> >
> >

More information about the NFSv4 mailing list