Red Hat Bugzilla – Bug 197504
nfs4 AUTH_GSSAPI server returning EACCESS on all mount attempts
Last modified: 2014-06-18 03:35:21 EDT
Description of problem:
Yesterday, I updated my main NFS server to these package revisions:
Afterward, I was unable to mount any filesystems via NFS4. All mount attempts
failed with an EPERM. The server showed a similar warning to this with each
Jul 3 08:01:25 salusa rpc.svcgssd: WARNING: get_ids: unable to map name
'nfs/client.domain.net@DOMAIN.NET' to a uid
...downrevving to these packages:
...made the problem go away. I'm opening this as an nfs-utils bug, but it may
actually be a problem with one of the other library packages.
Sorry, I need to clarify. AUTH_UNIX seems to work fine, but with these updated
packages on the server, mounting with AUTH_GSSAPI consistently fails:
If I export with this on the server:
...and then mount like this on the client:
mount -t nfs4 -o rsize=32768,wsize=32768,noatime xenguest:/ /mnt/test
...it mounts correctly. But if I mount using sec=krb5:
mount -t nfs4 -o sec=krb5,rsize=32768,wsize=32768,noatime xenguest:/ /mnt/test
then I get:
mount: block device xenguest:/ is write-protected, mounting read-only
mount: cannot mount block device xenguest:/ read-only
mount("xenguest:/", "/mnt/test", "nfs4", MS_MGC_VAL|MS_NOATIME, "\1") = -1
EACCES (Permission denied)
mount("xenguest:/", "/mnt/test", "nfs4", MS_MGC_VAL|MS_RDONLY|MS_NOATIME, "\1")
= -1 EACCES (Permission denied)
I'll see if I can get some wire captures as well...
Actually need to clarify again, I'm exporting this way:
Created attachment 132033 [details]
temporary patch to fix problem
This patch was posted to the nfs4 mailing list 3 days ago. It seems to correct
the problem. It was posted as a temporary fix, but I think the permanent fix
may be similar (though perhaps with different uid/gid hardcoded values).
Created attachment 132035 [details]
A patch was posted to the nfs4 list today to correct the values in the first
though there seems to have been an intermediate patch between the first one I
posted and that one that I've been unable to locate. In any case, I'm fairly
sure that this patch should reflect the current state of this part of get_ids.
It fixes the problem on my test rig as well.
changing to devel since problem exists in that package as well
Looks like this patch is incorporated in 1.0.9, so rebasing on that might be a
better way to go.
In my home FC5 machines the problem wemt away by building a 1.0.9 rpm.
fixed in nfs-utils-1.0.9-3