Bug 621238
Summary: | Cannot mount nfsv4 krb5. | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Patrik Martinsson <martinsson.patrik> |
Component: | krb5 | Assignee: | Nalin Dahyabhai <nalin> |
Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | medium | Docs Contact: | |
Priority: | low | | |
Version: | 6.0 | CC: | dpal, jplans |
Target Milestone: | rc | Keywords: | RHELNAK |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2010-08-04 17:02:56 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Patrik Martinsson
2010-08-04 15:07:05 UTC
This thread has kinda the same issue, it seems to work if he downgrades his krb. I tried that though, but without luck. I downgraded my krb-libs/krb5-workstation and gssdbp, but without success, but maybe there are some more packages involved..?

http://www.spinics.net/lists/linux-nfs/msg12307.html

This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

We're changing a few things between F10 and RHEL6 -- namely, the limitation of only being able to use DES should be gone, which is good because unless configured otherwise, the krb5 libraries won't advertise support for DES (though you already got that).

(In reply to comment #0)
> Description of problem:
> Not really sure this is a bug of krb5, but I suspect so. I can't mount nfsv4
> with krb5, without the sec=krb5 option it works like a charm.
>
> Version-Release number of selected component (if applicable):
>
> krb5-libs-1.8.2-2.el6.x86_64
> krb5-workstation-1.8.2-2.el6.x86_64
> gssdp-0.7.1-1.el6.x86_64

The gssdp package isn't really involved here; the other key components are nfs-utils, nfs-utils-lib, libtirpc and the kernel.

> How reproducible:
> Always.
>
> Steps to Reproduce:
>
> # /etc/krb5.conf
> [libdefaults]
> default_realm = XX.XXXX.XX
> clockskew = 300
> dns_lookup_realm = true
> dns_lookup_kdc = true
> default_tkt_enctypes = des-cbc-md5
> default_tgs_enctypes = des-cbc-md5
> forwardable = true
> allow_weak_crypto = true

Okay, setting allow_weak_crypto when configuring ticket types to just DES is necessary, though at this point setting default_tgs_enctypes and default_tkt_enctypes shouldn't be needed any more.

> # Add nfs principal to keytab, there is already one entry (with diff
> encryptions) so I'm not totally sure if this is needed.
> net ads keytab add nfs -U xx%xx
> This is nfs section before I issue the following command,
> 2 08/04/10 16:32:03 nfs/client.xxxx.xx.XX (DES cbc mode with CRC-32)
> 2 08/04/10 16:32:03 nfs/client.xxxx.xx.XX (DES cbc mode with RSA-MD5)

Based on your krb5.conf file, which is configured to only use des-cbc-md5, this second one's the only one that should really be necessary.

> # Now we have joined the machine (created a machine account), we got a keytab
> that looks ok. Start the relevant services.
> /etc/init.d/rpcbind start; /etc/init.d/rpcgssd start; /etc/init.d/rpcidmapd
> start; /etc/init.d/nfs start
>
> # Issue mount command,
> mount -t nfs4 -o sec=krb5 xx:/xx/xx/xx/ /nfstest/ -vvvvv
>
> # Output,
> -- mount --
> mount: fstab path: "/etc/fstab"
> mount: mtab path: "/etc/mtab"
> mount: lock path: "/etc/mtab~"
> mount: temp path: "/etc/mtab.tmp"
> mount: spec: "xx:/xx/xx/xx/"
> mount: node: "/nfstest/"
> mount: types: "nfs4"
> mount: opts: "sec=krb5"
> mount: external mount: argv[0] = "/sbin/mount.nfs4"
> mount: external mount: argv[1] = "xx:/xx/xx/xx/"
> mount: external mount: argv[2] = "/nfstest/"
> mount: external mount: argv[3] = "-v"
> mount: external mount: argv[4] = "-o"
> mount: external mount: argv[5] = "rw,sec=krb5"
> mount.nfs4: timeout set for Wed Aug 4 16:24:41 2010
> mount.nfs4: text-based options:
> 'sec=krb5,clientaddr=xx.xx.x.xx,addr=xxx.xx.xx.xx'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting xx:/xx/xx/xx/
>
> -- /var/log/messages --
> Aug 4 14:45:09 client rpc.idmapd[4656]: New client: 13
> Aug 4 14:45:09 client rpc.idmapd[4656]: Opened
> /var/lib/nfs/rpc_pipefs//nfs/clnt13/idmap
> Aug 4 14:45:09 client rpc.idmapd[4656]: New client: 14
> Aug 4 14:45:09 client rpc.gssd[4635]: handling gssd upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
> Aug 4 14:45:09 client rpc.gssd[4635]: handle_gssd_upcall: 'mech=krb5 uid=0
> enctypes=18,17,16,23,3,1,2 '
> Aug 4 14:45:09 client rpc.gssd[4635]: handling krb5 upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
> Aug 4 14:45:09 client rpc.gssd[4635]: process_krb5_upcall: service is
> '<null>'
> Aug 4 14:45:09 client rpc.gssd[4635]: Full hostname for 'xx.xxxx.xx' is
> 'xx.xx.xx'
> Aug 4 14:45:09 client rpc.gssd[4635]: Full hostname for 'client.xxxx.xx' is
> 'client.xxxx.xx'
> Aug 4 14:45:09 client rpc.gssd[4635]: Key table entry not found while getting
> keytab entry for ' root/client.xxxx.xx.XX'
> Aug 4 14:45:09 client rpc.gssd[4635]: Success getting keytab entry for
> 'nfs/client.xxxx.xx.XX'
> Aug 4 14:45:09 client rpc.gssd[4635]: Successfully obtained machine
> credentials for principal ' nfs/client.xxxx.xx.XX' stored in ccache
> 'FILE:/tmp/krb5cc_machine_XX.XXXX.XX'
> Aug 4 14:45:09 client rpc.gssd[4635]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_XX.XXXX.XX' are good until 1280961909
> Aug 4 14:45:09 client rpc.gssd[4635]: using
> FILE:/tmp/krb5cc_machine_XX.XXXX.XX as credentials cache for machine creds
> Aug 4 14:45:09 client rpc.gssd[4635]: using environment variable to select
> krb5 ccache FILE:/tmp/krb5cc_machine_XX.XXXX.XX
> Aug 4 14:45:09 client rpc.gssd[4635]: creating context using fsuid 0
> (save_uid 0)
> Aug 4 14:45:09 client rpc.gssd[4635]: creating tcp client for server
> xx.xxxx.xx
> Aug 4 14:45:09 client rpc.gssd[4635]: DEBUG: port already set to 2049
> Aug 4 14:45:09 client rpc.gssd[4635]: creating context with server
> nfs.xx

So far, so good.

> Aug 4 14:45:09 client rpc.gssd[4635]: WARNING: Failed to create krb5 context
> for user with uid 0 for server xx.xxxx.xx

This sounds exactly like bug #613682, which looks to be fixed with the testing update from http://people.redhat.com/steved/.tmp/libtirpc-0.2.1-1.bz613682.el6.x86_64.rpm. Can you check if this has any effect in your case?

> Additional info:
> If I do the exact same steps on a Fedora 10 client this method works.
> Is there something I'm missing?

That's actually a bit surprising -- I wouldn't tend to expect DES-only setups to work with one release but not with the other. First let's find out if it's the libtirpc problem.

Updating that rpm solved the issue, mount works as a charm now... I've been at this for almost 2 days now, weird that I missed that bug report. Thanks for the quick answer and a great job!

Best regards,
Patrik Martinsson, Sweden.

Glad it worked. I'll mark this as a duplicate, then. Thanks!

*** This bug has been marked as a duplicate of bug 613682 ***
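An added example, not part of the original thread: a small check that cross-references the krb5.conf settings discussed above with the enctype numbers in the rpc.gssd upcall line, to show that the configuration pins single DES even though stronger types are listed. The function names are hypothetical, the sample inputs are constructed from the values quoted in the report, and the enctype numbering is taken from the IANA Kerberos registry rather than from this page.

```python
import re

# Enctype numbers per the IANA Kerberos registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed samples built from the settings and log line quoted in the report.
SAMPLE_CONF = """\
[libdefaults]
 default_realm = XX.XXXX.XX
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
 allow_weak_crypto = true
"""
SAMPLE_UPCALL = "handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '"

def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]").strip()
        elif section == "libdefaults" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def upcall_enctypes(line):
    """Translate the enctypes= list of an rpc.gssd upcall line into names."""
    m = re.search(r"enctypes=([\d,]+)", line)
    nums = [n for n in m.group(1).split(",") if n] if m else []
    return [ENCTYPE_NAMES.get(int(n), "unknown-" + n) for n in nums]

def audit(conf_text, upcall_line):
    """List weak-crypto findings for a krb5.conf, given one upcall line."""
    conf = parse_libdefaults(conf_text)
    stronger = [e for e in upcall_enctypes(upcall_line) if e not in SINGLE_DES]
    findings = []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        pinned = [p for p in re.split(r"[,\s]+", conf.get(key, "")) if p]
        if pinned and all(p in SINGLE_DES for p in pinned):
            findings.append(f"{key} pins only single DES; upcall also lists "
                            + ", ".join(stronger))
    if conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto is enabled")
    return findings
```
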