[LONG] Kerberized NFSv4: rpc.idmapd only "sees" root principal

Holger Rauch holger.rauch at empic.de
Fri Oct 30 10:23:01 EDT 2009


Ok, replying to my own mail since after the reboot, I couldn't mount
the file system at all (access denied by server). Here are the
contents of /var/log/daemon (manual mount on the server using "sudo
/mnt/user" as user) after logging in using the kerberized account.

===

Oct 30 15:08:31 server rpc.idmapd[6413]: New client: 6
Oct 30 15:08:31 server rpc.idmapd[6413]: New client: 7
Oct 30 15:08:31 server rpc.gssd[5091]: handling krb5 upcall
Oct 30 15:08:31 server rpc.idmapd[6413]: Opened
/var/lib/nfs/rpc_pipefs/nfs/clnt6/idmap
Oct 30 15:08:31 server rpc.gssd[5091]: Full hostname for
'server.my.domain' is 'server.my.domain'
Oct 30 15:08:31 server rpc.gssd[5091]: Full hostname for
'server.my.domain' is 'server.my.domain'
Oct 30 15:08:31 server rpc.gssd[5091]: Success getting keytab entry
for 'root/server.my.domain at MYREALM'
Oct 30 15:08:31 server rpc.gssd[5091]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_MYREALM' are good until 1256968212
Oct 30 15:08:31 server rpc.gssd[5091]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_MYREALM' are good until 1256968212
Oct 30 15:08:31 server rpc.gssd[5091]: using
FILE:/tmp/krb5cc_machine_MYREALM as credentials cache for
machine creds
Oct 30 15:08:31 server rpc.gssd[5091]: using environment variable to
select krb5 ccache FILE:/tmp/krb5cc_machine_MYREALM
Oct 30 15:08:31 server rpc.gssd[5091]: creating context using fsuid
0 (save_uid 0)
Oct 30 15:08:31 server rpc.gssd[5091]: ERROR: GSS-API: error in
gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide
more information - No credentials cache found
Oct 30 15:08:31 server rpc.gssd[5091]: WARNING: Failed while
limiting krb5 encryption types for user with uid 0
Oct 30 15:08:31 server rpc.gssd[5091]: WARNING: Failed to create
krb5 context for user with uid 0 with credentials cache
FILE:/tmp/krb5cc_machine_MYREALM for server server.my.domain
Oct 30 15:08:31 server rpc.gssd[5091]: WARNING: Failed to create
krb5 context for user with uid 0 with any credentials cache for server
server.my.domain
Oct 30 15:08:31 server rpc.gssd[5091]: doing error downcall
Oct 30 15:08:31 server rpc.gssd[5091]: Failed to write error downcall!
Oct 30 15:08:31 server rpc.gssd[5091]: destroying client clnt7
Oct 30 15:08:31 server rpc.gssd[5091]: destroying client clnt6
Oct 30 15:08:31 server rpc.idmapd[6413]: Stale client: 6
Oct 30 15:08:31 server rpc.idmapd[6413]: #011-> closed
/var/lib/nfs/rpc_pipefs/nfs/clnt6/idmap
Oct 30 15:08:31 server rpc.idmapd[6413]: Stale client: 7
Oct 30 15:08:31 server rpc.idmapd[6413]: #011-> closed
/var/lib/nfs/rpc_pipefs/nfs/clnt7/idmap

===

Do I have to specify des-cbc-crc:normal as the default encryption type
in my /etc/krb5.conf file? Maybe someone could mail me his krb5.conf
file (especially the default and supported encryption types, so that I
can compare them to my settings).

Thanks & kind regards,

       Holger

On Fri, 30 Oct 2009, Holger Rauch wrote:

> Hi Kevin,
> 
> I just tried the mount and got this on the server (kernel bug related
> to SMP???):
> 
> ===
> 
> [293129.713637] nfsd: last server has exited
> [293129.716337] nfsd: unexporting all filesystems
> [293148.816406] NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state
> recovery directory
> [293148.826971] NFSD: starting 90-second grace period
> [293192.610697] ------------[ cut here ]------------
> [293192.610697] kernel BUG at include/linux/module.h:386!
> [293192.610697] invalid opcode: 0000 [1] SMP 
> [293192.610697] CPU 0 
> [293192.610697] Modules linked in: iptable_filter ip_tables x_tables
> des_generic cbc crypto_blkcipher ppdev parport_pc lp parport autofs4
> ipv6 rpcsec_gss_krb5 nfs nfsd lockd nfs_acl auth_rpcgss sunrpc
> exportfs loop i2c_i801 pcspkr psmouse snd_pcm snd_timer snd soundcore
> snd_page_alloc serio_raw i2c_core rng_core button intel_agp joydev
> evdev ext3 jbd mbcache dm_mirror dm_log dm_snapshot dm_mod raid456
> md_mod async_xor async_memcpy async_tx xor ide_pci_generic ide_core
> usbhid hid ff_memless usb_storage ata_piix sd_mod ata_generic ehci_hcd
> uhci_hcd tg3 sata_mv libata scsi_mod dock thermal processor fan
> thermal_sys [last unloaded: scsi_wait_scan]
> [293192.610697] Pid: 22957, comm: nfsd Not tainted 2.6.26-2-amd64 #1
> [293192.610697] RIP: 0010:[<ffffffffa024ae5b>]  [<ffffffffa024ae5b>]
> :sunrpc:svc_recv+0x41d/0x70e
> [293192.610697] RSP: 0018:ffff81007a9e1e90  EFLAGS: 00010246
> [293192.610697] RAX: 0000000000000000 RBX: ffffffffa0262d80 RCX:
> 0000000000000000
> [293192.610697] RDX: 0000000000001000 RSI: ffff81007a9e1db0 RDI:
> ffffffffa0262d80
> [293192.610697] RBP: ffff81006c062000 R08: ffff81006bdb02c0 R09:
> 0000000000000000
> [293192.610697] R10: ffff8100010178f0 R11: ffffffff803fe9b8 R12:
> ffff810037846800
> [293192.610697] R13: ffff81006c140c00 R14: ffff810062d26ac0 R15:
> ffff81006bc43880
> [293192.610697] FS:  00007fa0356a96e0(0000) GS:ffffffff8053c000(0000)
> knlGS:0000000000000000
> [293192.610697] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [293192.610697] CR2: 00007f6b6f1f4d5b CR3: 0000000000201000 CR4:
> 00000000000006e0
> [293192.610697] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [293192.610697] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
> 0000000000000400
> [293192.610697] Process nfsd (pid: 22957, threadinfo ffff81007a9e0000,
> task ffff81007ddc9770)
> [293192.610697] Stack:  ffff8100208d0f60 00000000000dbba0
> 0000000000000000 ffff81007ddc9770
> [293192.610697]  ffffffff8022c264 0000000000100100 0000000000200200
> 0000000000000286
> [293192.610697]  ffffffff804f9b20 ffff81007cd6dbc0 ffff81006c062000
> ffffffffa028c67c
> [293192.610697] Call Trace:
> [293192.610697]  [<ffffffff8022c264>] ? default_wake_function+0x0/0xe
> [293192.610697]  [<ffffffffa028c67c>] ? :nfsd:nfsd+0x0/0x2a4
> [293192.610697]  [<ffffffffa028c767>] ? :nfsd:nfsd+0xeb/0x2a4
> [293192.610697]  [<ffffffff802301e9>] ? schedule_tail+0x27/0x5c
> [293192.610697]  [<ffffffff8020cf28>] ? child_rip+0xa/0x12
> [293192.610697]  [<ffffffffa028c67c>] ? :nfsd:nfsd+0x0/0x2a4
> [293192.610697]  [<ffffffffa028c67c>] ? :nfsd:nfsd+0x0/0x2a4
> [293192.610697]  [<ffffffffa028c67c>] ? :nfsd:nfsd+0x0/0x2a4
> [293192.610697]  [<ffffffff8020cf1e>] ? child_rip+0x0/0x12
> [293192.610697] 
> [293192.610697] 
> [293192.610697] Code: 08 4c 89 e7 ff 50 08 48 85 c0 49 89 c5 0f 84 48
> 01 00 00 48 8b 00 48 8b 58 08 48 85 db 74 26 48 89 df e8 f0 74 00 e0
> 85 c0 75 04 <0f> 0b eb fe 65 8b 04 25 24 00 00 00 89 c0 48 c1 e0 07 48
> ff 84 
> [293192.610697] RIP  [<ffffffffa024ae5b>] :sunrpc:svc_recv+0x41d/0x70e
> [293192.610697]  RSP <ffff81007a9e1e90>
> [293192.898522] ---[ end trace 3a47c0344b51ddce ]---
> 
> ===
> 
> I also commented out the default-enctypes and supported-enctypes
> options in my /etc/krb5.conf, hoping that the defaults are safe. Will
> now do a reboot of the NFS server to see whether the problem persists.
> 
> The system I'm running this on is a QNAP TS-809. Output of "cat
> /proc/cpuinfo" (not sure whether it's relevant):
> 
> ===
> 
> processor	: 0
> vendor_id	: GenuineIntel
> cpu family	: 6
> model		  : 23
> model name	  : Intel(R) Core(TM)2 Duo CPU     E7400  @ 2.80GHz
> stepping	  : 10
> cpu MHz		    : 2792.985
> cache size	    : 3072 KB
> physical id	    : 0
> siblings : 2
> core id	   : 0
> cpu cores  : 2
> apicid	     : 0
> initial apicid : 0
> fpu	       : yes
> fpu_exception  : yes
> cpuid level    : 13
> wp    	       : yes
> flags	       	 : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr
> pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe
> syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor
> ds_cpl est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
> bogomips   : 5590.27
> clflush size : 64
> cache_alignment	 : 64
> address sizes	 : 36 bits physical, 48 bits virtual
> power management:
> 
> processor	 : 1
> vendor_id	 : GenuineIntel
> cpu family	 : 6
> model		   : 23
> model name	   : Intel(R) Core(TM)2 Duo CPU     E7400  @ 2.80GHz
> stepping	   : 10
> cpu MHz		     : 2792.985
> cache size	     : 3072 KB
> physical id	     : 0
> siblings : 2
> core id	   : 1
> cpu cores  : 2
> apicid	     : 1
> initial apicid : 1
> fpu	       : yes
> fpu_exception  : yes
> cpuid level    : 13
> wp    	       : yes
> flags	       	 : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr
> pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe
> syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor
> ds_cpl est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
> bogomips   : 5585.96
> clflush size : 64
> cache_alignment	 : 64
> address sizes	 : 36 bits physical, 48 bits virtual
> power management:
> 
> ===
> 
> Kind regards,
> 
>      Holger
> 
> On Thu, 29 Oct 2009, Kevin Coffman wrote:
> 
> > [...] 
> > However, the glaring problem is this:
> > 
> > >   3 nfs/server.my.domain at MYREALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> > >   3 nfs/server.my.domain at MYREALM (Triple DES cbc mode with HMAC/sha1)
> > 
> > The Linux NFS kernel code currently can only handle des-cbc-crc.  You
> > must create the server's (and client's) nfs keytab with _only_ a
> > des-cbc-crc key.  See
> > http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html.
> > [...]


--
=========================================
Holger Rauch
Application Software Development
UNIX System Administration

Tel.: +49 / 9131 / 877 - 141
Fax: +49 / 9131 / 877 - 266
Email: Holger.Rauch at empic.de
=========================================
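The daemon.log above shows the shape of this failure: rpc.gssd picks the machine credential cache for uid 0, gss_acquire_cred() fails with "No credentials cache found", and the resulting error downcall is what the client sees as "access denied by server". Kevin's quoted reply adds the second thing to check, namely which encryption types the nfs/ keytab entries carry. The script below is an added example, not code from this thread or from nfs-utils: it parses rpc.gssd syslog lines and `klist -ke` output and reports both findings. The log and keytab listings embedded in it are constructed from the output quoted in the mail (line wrapping undone, `@` restored in principals); the enctype descriptions in ENCTYPE_NAMES are the strings MIT Kerberos `klist -e` prints. The default `supported` set reflects what Kevin states the 2009 Linux NFS code could handle; single DES is deprecated in Kerberos (RFC 6649) and later kernels accept AES, so pass the set your deployed kernel actually supports.

```python
import re

# Constructed sample input, shaped after the rpc.gssd lines quoted in the mail.
SAMPLE_LOG = """\
Oct 30 15:08:31 server rpc.idmapd[6413]: New client: 6
Oct 30 15:08:31 server rpc.gssd[5091]: handling krb5 upcall
Oct 30 15:08:31 server rpc.gssd[5091]: Success getting keytab entry for 'root/server.my.domain@MYREALM'
Oct 30 15:08:31 server rpc.gssd[5091]: using FILE:/tmp/krb5cc_machine_MYREALM as credentials cache for machine creds
Oct 30 15:08:31 server rpc.gssd[5091]: creating context using fsuid 0 (save_uid 0)
Oct 30 15:08:31 server rpc.gssd[5091]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more information - No credentials cache found
Oct 30 15:08:31 server rpc.gssd[5091]: WARNING: Failed while limiting krb5 encryption types for user with uid 0
Oct 30 15:08:31 server rpc.gssd[5091]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server server.my.domain
Oct 30 15:08:31 server rpc.gssd[5091]: doing error downcall
"""

# Constructed sample of `klist -ke`, shaped after the two keytab lines Kevin quoted.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/server.my.domain@MYREALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 nfs/server.my.domain@MYREALM (Triple DES cbc mode with HMAC/sha1)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Descriptive enctype strings as printed by MIT `klist -e`, mapped to canonical names.
ENCTYPE_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "ArcFour with HMAC/md5": "arcfour-hmac",
}
KLIST_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+)\s+\((?P<enc>[^)]+)\)\s*$")


def parse_syslog(text):
    """Split syslog-style daemon.log lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(SYSLOG_RE.match, text.splitlines()) if m]


def triage_gssd(text):
    """Summarise one rpc.gssd upcall: the uid, ccache and server it used, and where it failed."""
    summary = {"uid": None, "ccache": None, "server": None, "errors": [], "outcome": "ok"}
    for rec in parse_syslog(text):
        if rec["daemon"] != "rpc.gssd":
            continue
        msg = rec["msg"]
        m = re.search(r"creating context using fsuid (\d+)", msg)
        if m:
            summary["uid"] = int(m.group(1))
        m = re.search(r"using (\S+) as credentials cache", msg)
        if m:
            summary["ccache"] = m.group(1)
        m = re.search(r"for server (\S+)$", msg)
        if m:
            summary["server"] = m.group(1)
        if msg.startswith("ERROR:"):
            # Keep only the minor-status text after the GSS-API boilerplate.
            summary["errors"].append(msg.split(" - ")[-1])
        if "doing error downcall" in msg:
            summary["outcome"] = "error downcall (client sees access denied)"
    return summary


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            enc = ENCTYPE_NAMES.get(m.group("enc"), m.group("enc"))
            entries.append((int(m.group("kvno")), m.group("princ"), enc))
    return entries


def check_nfs_keytab(text, principal_prefix="nfs/", supported=frozenset({"des-cbc-crc"})):
    """Split the nfs/ keytab entries into enctypes the NFS kernel code can use and ones it cannot.

    The default `supported` set is the 2009 constraint stated in the thread; pass the set
    your kernel actually supports (modern kernels accept AES) when running this for real.
    """
    usable, unusable = [], []
    for _kvno, princ, enc in parse_klist(text):
        if princ.startswith(principal_prefix):
            (usable if enc in supported else unusable).append(enc)
    return usable, unusable


if __name__ == "__main__":
    print("gssd upcall:", triage_gssd(SAMPLE_LOG))
    usable, unusable = check_nfs_keytab(SAMPLE_KLIST)
    print("nfs/ keytab enctypes usable:", usable, "unusable:", unusable)
```

Run as-is the script reports the two findings the thread turns on: the uid 0 context attempt ended in an error downcall after "No credentials cache found", and the nfs/ keytab holds only AES-256 and 3DES keys, neither of which is in the supported set.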