Bug 432906
| Field | Value |
|---|---|
| Summary | nfs v4 with kerberos - unable to get this working on solaris 10 x86 |
| Product | [Retired] freeIPA |
| Reporter | Chandrasekar Kannan <ckannan> |
| Component | ipa-server |
| Assignee | Simo Sorce <ssorce> |
| Status | CLOSED ERRATA |
| QA Contact | Chandrasekar Kannan <ckannan> |
| Severity | high |
| Priority | high |
| Version | 1.0 |
| CC | benl, jlayton, kwc, mgregg, ssorce, yzhang |
| Hardware | All |
| OS | Linux |
| Fixed In Version | freeipa-2.0.0-1.fc15 |
| Doc Type | Bug Fix |
| Bug Blocks | 429034 |
Description
Chandrasekar Kannan
2008-02-15 01:37:37 UTC
We have tried a couple of things today.

(1) I changed the keytab entries to not include host,nfs principals of the ipa-server on the client. The keytab only contains host,nfs principals with the des encryption stuff for the client on the client machine. The mount from solaris x86 simply hangs at this point.

I see this error on the ipa/nfs server:

```
Mar 1 00:42:13 ipaqa09 rpc.svcgssd[3366]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Unknown code krb5 230
```

(2) We tried making the Solaris nfs client the nfs server instead, and used another RHEL 5 client machine to mount /export from the Solaris nfs server using kerberos credentials. This works flawlessly.

```
mount -v -t nfs4 -o sec=krb5 ipaqa13.dsqa.sjc2.redhat.com:/ /data
```

(In reply to comment #0)
> Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: ERROR: prepare_krb5_rfc_cfx_buffer:
> not implemented

This message indicates that something other than des-cbc-crc was negotiated as the session key. Are you sure the Linux server principal has only a des key in both the keytab and in the KDC's database? (i.e. you did not simply use ktutil to remove the keytab entries for other encryption types?)

(In reply to comment #1)
> We have tried a couple of things today.
>
> (1) I changed the keytab entries to not include host,nfs principals
> of the ipa-server on the client. Keytab only contains host,nfs principals
> with the des encryption stuff for the client on the client machine.
> mount from solaris x86 simply hangs at this point.
>
> I see this error on the ipa/nfs server.
>
> Mar 1 00:42:13 ipaqa09 rpc.svcgssd[3366]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code
> may provide more information - Unknown code krb5 230

This error is KRB5_KT_KVNONOTFOUND (-1765328154L), which probably indicates that the Solaris client is using a cached service ticket obtained before you did a new ktadd for the linux server's principal? Try doing a kdestroy (or simply 'rm /tmp/krb5cc_0') as root on Solaris to force it to get a new TGT and service ticket to use for the mount.

Thanks for helping, Kevin. We are going to test this with DES-only keys on the linux side; in the initial tests the linux side had RC4 and AES keys as well. Will update as we get new evidence.

Did the following:
(1) kdestroy; removed the krb cache file on the solaris client.
(2) kinit.
(3) mount with nfsv4/krb5. Worked ok.

```
bash-3.00# rm -f /tmp/krb5cc_0
bash-3.00# kdestroy
kdestroy: Could not obtain principal name from cache
kdestroy: No credentials cache file found while destroying cache
kdestroy: TGT expire warning NOT deleted
bash-3.00#
bash-3.00# klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
bash-3.00#
bash-3.00# ntpdate ipaqa09.dsqa.sjc2.redhat.com
 1 Mar 06:32:41 ntpdate[4036]: step time server 10.14.0.123 offset 757.748378 sec
bash-3.00#
bash-3.00# kinit admin
Password for admin.REDHAT.COM:
bash-3.00# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.REDHAT.COM

Valid starting     Expires            Service principal
03/01/08 06:32:47  03/08/08 06:32:47  krbtgt/DSQA.SJC2.REDHAT.COM.REDHAT.COM
        renew until 03/15/08 07:32:47
bash-3.00#
bash-3.00# mount -F nfs -o vers=4 -o sec=krb5 ipaqa09.dsqa.sjc2.redhat.com:/ /data
bash-3.00#
bash-3.00# df -k
Filesystem                          kbytes     used     avail capacity  Mounted on
/dev/dsk/c0d0s0                    4413669  3308114   1061419    76%    /
/devices                                 0        0         0     0%    /devices
ctfs                                     0        0         0     0%    /system/contract
proc                                     0        0         0     0%    /proc
mnttab                                   0        0         0     0%    /etc/mnttab
swap                                756896      912    755984     1%    /etc/svc/volatile
objfs                                    0        0         0     0%    /system/object
/usr/lib/libc/libc_hwcap1.so.1     4413669  3308114   1061419    76%    /lib/libc.so.1
fd                                       0        0         0     0%    /dev/fd
swap                                756036       52    755984     1%    /tmp
swap                                756012       28    755984     1%    /var/run
/dev/dsk/c0d0s7                   11518228    11441  11391605     1%    /export/home
/vol/dev/dsk/c1t0d0/sol_10_807_x86 2654470  2654470         0   100%    /cdrom/sol_10_807_x86
ipaqa09.dsqa.sjc2.redhat.com:/    14093368  2486836  10879084    19%    /data
```

works ok now. instructions posted on freeipa.org
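Two checks for the two failure modes this thread walks through (a non-des-cbc-crc key left in the server's keytab/KDC entry, and a client holding a service ticket for a kvno older than the latest ktadd), as an added example that is not part of the bug report or of freeIPA: it decodes the `Unknown code krb5 N` minor status from the quoted rpc.svcgssd line into its libkrb5 com_err code, and audits a `klist -k -e` listing. The keytab listing is constructed, and the error-name table is only a small subset of krb5's.

```python
import re

# libkrb5 com_err table base (ERROR_TABLE_BASE_krb5); "Unknown code krb5 N" is entry N of it.
ERROR_TABLE_BASE_KRB5 = -1765328384
# Small subset of krb5 error names by table index, enough for NFS/GSS triage.
KRB5_ERR_NAMES = {14: "KRB5KDC_ERR_ETYPE_NOSUPP", 31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
                  37: "KRB5KRB_AP_ERR_SKEW", 44: "KRB5KRB_AP_ERR_BADKEYVER",
                  181: "KRB5_KT_NOTFOUND", 230: "KRB5_KT_KVNONOTFOUND"}
MINOR_RE = re.compile(r"Unknown code krb5 (\d+)")
# One entry line of `klist -k -e`: "   2 nfs/host@REALM (DES cbc mode with CRC-32)"
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
DES_CRC = "DES cbc mode with CRC-32"  # the only enctype the old rpc.svcgssd can use

# The server-side log line quoted in the bug report.
SAMPLE_LOG = ("Mar 1 00:42:13 ipaqa09 rpc.svcgssd[3366]: ERROR: GSS-API: error in "
              "handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. "
              "Minor code may provide more information - Unknown code krb5 230")
# Constructed keytab listing (not from the bug): nfs/ still has an RC4 key, host/ was re-ktadd'ed.
SAMPLE_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
   2 nfs/ipaqa09.dsqa.sjc2.redhat.com@DSQA.SJC2.REDHAT.COM (DES cbc mode with CRC-32)
   2 nfs/ipaqa09.dsqa.sjc2.redhat.com@DSQA.SJC2.REDHAT.COM (ArcFour with HMAC/md5)
   2 host/ipaqa09.dsqa.sjc2.redhat.com@DSQA.SJC2.REDHAT.COM (DES cbc mode with CRC-32)
   3 host/ipaqa09.dsqa.sjc2.redhat.com@DSQA.SJC2.REDHAT.COM (DES cbc mode with CRC-32)
"""

def decode_svcgssd_minor(log_line):
    """Map 'Unknown code krb5 N' in an rpc.svcgssd line to (com_err code, name)."""
    m = MINOR_RE.search(log_line)
    if not m:
        return None
    idx = int(m.group(1))
    return ERROR_TABLE_BASE_KRB5 + idx, KRB5_ERR_NAMES.get(idx, "krb5 table index %d" % idx)

def audit_keytab(klist_text):
    """Return {principal: [problems]} for entries a DES-only rpc.svcgssd would trip on."""
    entries = {}
    for line in klist_text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            entries.setdefault(m.group(2), []).append((int(m.group(1)), m.group(3)))
    findings = {}
    for princ, keys in entries.items():
        extra = sorted({etype for _, etype in keys if etype != DES_CRC})
        problems = ["non-DES enctypes: " + ", ".join(extra)] if extra else []
        if len({kvno for kvno, _ in keys}) > 1:  # tickets cached before the ktadd carry the old kvno
            problems.append("mixed kvnos; stale cached service tickets will fail")
        if problems:
            findings[princ] = problems
    return findings
```

A keytab that lists only DES-CRC keys can still fail if the KDC entry keeps RC4/AES keys, which is the point of the question in the thread; this audit only sees the keytab side.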