#1 2009-01-30 02:06:44

metalfan
Member
Registered: 2007-11-22
Posts: 99

nfs4 with kerberos, authentication not working

Hi,

Any ideas what the error messages mean?

rpc.gssd:
handling krb5 upcall
Full hostname for 'night_crawler.localdomain.de' is
'night_crawler.localdomain.de'
Full hostname for 'wf.localdomain.de' is 'wf.localdomain.de'
Failed to find root/wf.localdomain.de@LOCALDOMAIN.DE in keytab
FILE:/etc/krb5.keytab (null) while getting keytab entry for
'root/wf.localdomain.de@LOCALDOMAIN.DE'
Success getting keytab entry for 'nfs/wf.localdomain.de@LOCALDOMAIN.DE'
Successfully obtained machine credentials for principal
'nfs/wf.localdomain.de@LOCALDOMAIN.DE' stored in ccache
'FILE:/tmp/krb5cc_machine_LOCALDOMAIN.DE'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_LOCALDOMAIN.DE' are
good until 1233064732
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_LOCALDOMAIN.DE' are
good until 1233064499
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_LOCALDOMAIN.DE' are
good until 1233064431
using FILE:/tmp/krb5cc_machine_LOCALDOMAIN.DE as credentials cache for
machine creds
using gss_krb5_ccache_name to select krb5 ccache
FILE:/tmp/krb5cc_machine_LOCALDOMAIN.DE
creating context using fsuid 0 (save_uid 0)
creating tcp client for server night_crawler.localdomain.de
creating context with server nfs@night_crawler.localdomain.de
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc1964_buffer: overriding heimdal keytype (1 => 4)
prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length
8
ERROR: GSS-API: error in gss_krb5_export_lucid_sec_context():
Miscellaneous failure (see text) - unknown mech-code 0 for mech 1 2 840
113554 1 2 2
WARN: failed to free lucid sec context
doing downcall
destroying client clnt13
destroying client clnt12
rpc.svcgssd:
entering poll
leaving poll
handling null request
sname = nfs/wf.localdomain.de@LOCALDOMAIN.DE
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc1964_buffer: overriding heimdal keytype (1 => 4)
prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length
8
ERROR: GSS-API: error in gss_krb5_export_lucid_sec_context():
Miscellaneous failure (see text) - unknown mech-code 0 for mech 1 2 840
113554 1 2 2
WARN: failed to free lucid sec context
doing downcall
mech: krb5, hndl len: 4, ctx len 85, timeout: 2147483647, uid: -1, gid:
-1, num aux grps: 0:
sending null reply
writing message: \x
\ 2147483647 0 0 \x0a000000 \x607006092a864886f71201020202006f61305fa003020105a10302010fa2533051a003020101a24a044874dbcf32bdf40cb6fad7948f3f47e3b7c0e315cf292d56fd21a2deb0cb9ec65c742ca497a045e2e0f4ae0a57e837c579969176dd01a219adcc853e0dda811b05b4a62a3ecd354e0c
finished handling null request
entering poll

Julius
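The rpc.gssd output above contains the facts a troubleshooter wants to pull out: which keytab principals were tried and which one was found, when the cached machine credentials expire, which enctype the context was serialized with, and which GSS-API calls failed. The following Python script is an added example (not part of the post and not nfs-utils code) that extracts those facts from the quoted lines, with the forum's line wrapping undone; the enctype number table follows MIT krb5.h numbering, which is an assumption about the build that produced the log. The keytab miss for root/ is classified as non-fatal because the very next lookup for nfs/ succeeded.

```python
"""Triage of rpc.gssd / rpc.svcgssd debug output (added example, not from the thread)."""
import re
from datetime import datetime, timezone

# Kerberos enctype numbers as defined in MIT krb5.h (assumption: MIT numbering).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    4: "des-cbc-raw",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single-DES and RC4 enctypes are deprecated (RFC 6649 / RFC 8429).
WEAK_ENCTYPES = {1, 2, 3, 4, 23}

# Sample rpc.gssd output: lines quoted in the first post, re-joined so that
# each daemon message sits on a single line.
SAMPLE_GSSD_LOG = """\
handling krb5 upcall
Failed to find root/wf.localdomain.de@LOCALDOMAIN.DE in keytab FILE:/etc/krb5.keytab (null) while getting keytab entry for 'root/wf.localdomain.de@LOCALDOMAIN.DE'
Success getting keytab entry for 'nfs/wf.localdomain.de@LOCALDOMAIN.DE'
Successfully obtained machine credentials for principal 'nfs/wf.localdomain.de@LOCALDOMAIN.DE' stored in ccache 'FILE:/tmp/krb5cc_machine_LOCALDOMAIN.DE'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_LOCALDOMAIN.DE' are good until 1233064732
creating context with server nfs@night_crawler.localdomain.de
prepare_krb5_rfc1964_buffer: overriding heimdal keytype (1 => 4)
prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
ERROR: GSS-API: error in gss_krb5_export_lucid_sec_context(): Miscellaneous failure (see text) - unknown mech-code 0 for mech 1 2 840 113554 1 2 2
WARN: failed to free lucid sec context
"""

RE_KEYTAB_MISS = re.compile(r"Failed to find (\S+) in keytab")
RE_KEYTAB_HIT = re.compile(r"Success getting keytab entry for '([^']+)'")
RE_EXPIRY = re.compile(r"good until (\d+)")
RE_ENCTYPE = re.compile(r"serializing keys with enctype (\d+)")
RE_TARGET = re.compile(r"creating context with server (\S+)")
RE_PROBLEM = re.compile(r"^(ERROR|WARN|WARNING):")


def triage(log_text):
    """Extract the facts that matter from a gssd/svcgssd debug log."""
    report = {
        "keytab_missing": [],
        "keytab_found": [],
        "cred_expiry_utc": [],
        "enctypes": [],
        "target": None,
        "problems": [],
    }
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_KEYTAB_MISS.search(line):
            report["keytab_missing"].append(m.group(1))
        elif m := RE_KEYTAB_HIT.search(line):
            report["keytab_found"].append(m.group(1))
        elif m := RE_EXPIRY.search(line):
            # The daemon prints a raw epoch timestamp; convert it to UTC ISO 8601.
            ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            report["cred_expiry_utc"].append(ts.isoformat())
        elif m := RE_ENCTYPE.search(line):
            report["enctypes"].append(int(m.group(1)))
        elif m := RE_TARGET.search(line):
            report["target"] = m.group(1)
        elif RE_PROBLEM.match(line):
            report["problems"].append(line)
    return report


def findings(report):
    """Turn the extracted facts into human-readable findings."""
    out = []
    # A keytab miss only matters when no later principal lookup succeeded.
    for principal in report["keytab_missing"]:
        if report["keytab_found"]:
            out.append(f"keytab miss for {principal} is non-fatal (fallback principal found)")
        else:
            out.append(f"no usable machine principal in keytab: {principal}")
    for enctype in report["enctypes"]:
        name = ENCTYPE_NAMES.get(enctype, f"enctype {enctype}")
        if enctype in WEAK_ENCTYPES:
            out.append(f"security context uses weak enctype {name}")
    for line in report["problems"]:
        if "gss_krb5_export_lucid_sec_context" in line:
            out.append("lucid context export failed: context cannot be handed to the kernel")
    return out


if __name__ == "__main__":
    for finding in findings(triage(SAMPLE_GSSD_LOG)):
        print(finding)
```

Run against the quoted log, the report shows that the machine credentials were obtained correctly and expired on 2009-01-27 (UTC), that the context was serialized with enctype 4 (des-cbc-raw under MIT numbering, the result of the "overriding heimdal keytype (1 => 4)" step), and that the failure happens only at the lucid context export, after authentication itself succeeded.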

#2 2009-01-30 17:33:25

metalfan
Member
Registered: 2007-11-22
Posts: 99

Re: nfs4 with kerberos, authentication not working

Building nfs4-utils from aur prints this to screen:
==> Starting build()...
patching file aclocal/kerberos5.m4
patching file configure.ac
Hunk #1 succeeded at 191 (offset 6 lines).
Hunk #2 succeeded at 234 (offset 6 lines).
patching file utils/gssd/context_lucid.c

Maybe the patch doesn't work that well?

#3 2009-02-08 10:32:21

cipparello
Member
From: Verona, Italy
Registered: 2008-05-19
Posts: 16

Re: nfs4 with kerberos, authentication not working

Hi metalfan,
    Finally I've tried nfs4 with kerberos auth (my configuration is archlinux as clients & server with authentication against a win2k AD); I assume that you have already configured the right credentials for all nfs/host.fqdn@REALM principals with the des-cbc-crc enctype and all the other settings needed by NFS and kerberos in your krb5.conf.
The problem (as far as I can see) is not about the patches but in the way the svcgssd daemon initializes the auth_context when linked against the heimdal gssapi libs (my situation is similar to the one reported in this still-open bug https://roundup.it.su.se/jira/browse/HEIMDAL-197).
In fact, when my archlinux client tries to mount an exported filesystem with kerberos authentication, rpc.gssd correctly contacts rpc.svcgssd on the server side, but then I always receive this error:

rpc.svcgssd[4462]: leaving poll
rpc.svcgssd[4462]: handling null request
rpc.svcgssd[4462]: WARNING: gss_accept_sec_context failed
rpc.svcgssd[4462]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context():  Miscellaneous failure (see text) - Decrypt integrity check failed
rpc.svcgssd[4462]: sending null reply
rpc.svcgssd[4462]: writing message: \x \x608204ec06092a864886f71....
rpc.svcgssd[4462]: finished handling null request
rpc.svcgssd[4462]: entering poll

It seems that rpc.svcgssd doesn't honor the default and allowed enctype des-cbc-crc specified in krb5.conf (options default_etypes - default_etypes_des - permitted_enctypes) and tries to decrypt with something different from des-cbc-crc.
I tried to hack the init_auth phase and add gss_krb5_set_allowable_enctypes() to limit the allowed enctypes, but nothing changed on my arch server.

After that I tried with a debian machine as NFS server (without changing anything on my archlinux client) and everything went well.

At the moment I'm not using nfs with kerberos auth; plus, I'm evaluating glusterfs as an alternative to NFS for other reasons.
After that I will decide whether to switch from heimdal to mit-krb5 on my servers (even if this requires me to rebuild other packages currently present in the core and extra repos that depend on heimdal) or to use a debian machine as nfs-server.

At this moment, in my experience, the nfs4-utils package in archlinux doesn't allow using kerberos authentication (with heimdal).

bye
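The reply above rests on two preconditions that can be verified offline before blaming the daemon: every nfs/host.fqdn@REALM principal must be present in the keytab with an enctype the library configuration actually permits, and the client and server configurations must agree on that enctype. The script below is an added example (not part of the thread and not nfs-utils or heimdal code) that cross-checks a keytab listing against the [libdefaults] enctype options named in the post. Both inputs are constructed samples; the keytab listing uses the MIT `klist -ke` layout, which is an assumption (Heimdal's ktutil prints a different layout), and the consistency check itself is the same for either implementation.

```python
"""Keytab / krb5.conf enctype consistency check (added example, not from the thread)."""
import re

# Constructed sample in MIT `klist -ke` layout (assumption: MIT rather than Heimdal ktutil).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/wf.localdomain.de@LOCALDOMAIN.DE (des-cbc-crc)
   2 nfs/wf.localdomain.de@LOCALDOMAIN.DE (aes256-cts-hmac-sha1-96)
   2 host/wf.localdomain.de@LOCALDOMAIN.DE (aes256-cts-hmac-sha1-96)
"""

# Constructed krb5.conf fragment carrying the enctype options the post names.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = LOCALDOMAIN.DE
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
    permitted_enctypes = des-cbc-crc
[realms]
    LOCALDOMAIN.DE = {
        kdc = dc.localdomain.de
    }
"""

# "   2 principal@REALM (enctype)" -> principal, enctype
RE_KT_LINE = re.compile(r"^\s*\d+\s+(\S+)\s+\((\S+)\)")
# Single-DES and RC4 families are deprecated (RFC 6649 / RFC 8429).
WEAK_PREFIXES = ("des-cbc-", "rc4-")


def parse_keytab_listing(text):
    """Map each principal to the set of enctypes its keytab entries carry."""
    keys = {}
    for line in text.splitlines():
        m = RE_KT_LINE.match(line)
        if m:
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys


def parse_libdefaults(text):
    """Return key -> value for the [libdefaults] section only (nested realm blocks are skipped)."""
    section, values = None, {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif section == "libdefaults" and "=" in stripped:
            key, _, value = stripped.partition("=")
            values[key.strip()] = value.strip()
    return values


def permitted_enctypes(libdefaults):
    """Enctypes the library will accept, taken from the first option that is set.

    Returns None when none of the options is set, meaning the library's
    built-in defaults apply and there is no explicit restriction to check.
    """
    for key in ("permitted_enctypes", "default_etypes", "default_tkt_enctypes"):
        if key in libdefaults:
            return set(re.split(r"[\s,]+", libdefaults[key].strip()))
    return None


def check_service(keytab, conf_text, service="nfs"):
    """One finding per service principal: is any of its keytab keys usable under the config?"""
    allowed = permitted_enctypes(parse_libdefaults(conf_text))
    findings = []
    for principal, enctypes in keytab.items():
        if not principal.startswith(service + "/"):
            continue
        usable = enctypes if allowed is None else enctypes & allowed
        findings.append({
            "principal": principal,
            "usable": sorted(usable),
            "ok": bool(usable),
            "weak": any(e.startswith(WEAK_PREFIXES) for e in usable),
        })
    return findings


if __name__ == "__main__":
    for f in check_service(parse_keytab_listing(SAMPLE_KLIST), SAMPLE_KRB5_CONF):
        status = "ok" if f["ok"] else "NO USABLE KEY"
        weak = " (weak enctype)" if f["weak"] else ""
        print(f"{f['principal']}: {status} {f['usable']}{weak}")
```

With the sample inputs the nfs/ principal is usable only through des-cbc-crc, which the check flags as weak; changing permitted_enctypes to an AES type the keytab lacks makes the same principal unusable, which is the configuration-level counterpart of the "Decrypt integrity check failed" symptom: a key exists, but not one both sides agree to use.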