Bug 218992 - Unable to access NFS4/KRB5
Unable to access NFS4/KRB5
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nfs-utils (Show other bugs)
5.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Steve Dickson
Ben Levenson
:
Depends On: 218720
Blocks:
  Show dependency treegraph
 
Reported: 2006-12-08 17:25 EST by Matthew Booth
Modified: 2010-09-20 07:04 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-09-20 07:04:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Matthew Booth 2006-12-08 17:25:29 EST
+++ This bug was initially created as a clone of Bug #218720 +++

Verified the bug on RHEL 5 Beta 2.

Description of problem:
I have a working kerberized NFS4 setup. Server is RHEL 4 with updated packages:
krb5-libs-1.5-3
nfs-utils-lib-1.0.8-7.2
nfs-utils-1.0.9-5

Exports are:
/var/lib/nfs4          
gss/krb5(rw,fsid=0,insecure,no_subtree_check,sync,anonuid=65534,anongid=65534)
/var/lib/nfs4/video    
gss/krb5(ro,nohide,insecure,no_subtree_check,sync,anonuid=65534,anongid=65534)
/var/lib/nfs4/photos   
gss/krb5(rw,nohide,insecure,no_subtree_check,sync,anonuid=65534,anongid=65534)

I regularly access this from another RHEL 4 box with similarly updated packages.
I'm trying to access it from FC6.

I mount the fs with:
mount -t nfs4 -o sec=krb5,fstype=nfs4,hard,intr gideon.revolutionwall.net:/ /mnt/
This succeeds. As a regular user, I kinit and try to access the mount:
[mbooth@mbooth ~]$ ls -l /mnt 
ls: /mnt/photos: No such file or directory
ls: /mnt/video: No such file or directory
total 16
drwxrwsr-x 157 root vol 8192 Nov 30 19:41 photos
drwxrws---   7 root vol 4096 Oct 23 22:22 video

I see the following in /var/log/messages:
net/sunrpc/rpc_pipe.c: rpc_lookup_parent failed t
o find path /nfs/clnt11/krb5

If I run rpc.gssd on the client manually with -f -vvvvvvvrrrrrrrrr, on mount I
also see the error message:
Warning: rpc.gssd appears not to be running.

If I start rpcgssd with service rpcgssd start, I do not see this message.
Nevertheless, in both cases it is most certainly running.

SELinux is completely disabled.

Version-Release number of selected component (if applicable):
nfs-utils-1.0.10-4.fc6
kernel-2.6.18-1.2849.fc6
Comment 1 Matthew Booth 2006-12-14 08:33:19 EST
José Plans did some debugging on this. I did the following:

echo 65535 > /proc/sys/sunrpc/nfs_debug
echo 32767 > /proc/sys/sunrpc/rpc_debug

and tried to access the mount again. There was a great deal of output, but José
mentioned the following as being particularly significant:

Dec 14 10:41:24 mbooth kernel: RPC:      creating GSS authenticator for client
dd4a6e00
Dec 14 10:41:24 mbooth kernel: net/sunrpc/rpc_pipe.c: rpc_lookup_parent failed
to find path /nfs/clnt4/krb5
Dec 14 10:41:24 mbooth kernel: nfs_init_server_rpcclient: couldn't create credcache!
Comment 2 Steve Dickson 2006-12-21 10:34:19 EST
There is a know problem with the RHEL4 svcgssd daemon... please 
try RHEL5 to RHEL5... something I was able to get working... 
Comment 3 Matthew Booth 2006-12-22 19:48:24 EST
Note that although the server is mostly RHEL 4, I upgraded everything nfs and
kerberos related to get this working. nfs-utils on the server is
nfs-utils-1.0.9-5. On my RHEL 5 laptop it's nfs-utils-1.0.9-10. Also note that
this is a working configuration. I access this server regularly.

José Plans suggested this might be related to available ciphers in the kernel.
Is that a possibility?

Unfortunately I don't have spare hardware to test a RHEL5 server.
Comment 4 Steve Dickson 2006-12-22 20:12:55 EST
yes... the only cipher that is supported is DES... so can I close this bug?
Comment 5 Matthew Booth 2006-12-23 12:38:10 EST
Not really, as this would be a regression. I'm still using a standard RHEL 4 kernel.
Comment 6 Steve Dickson 2007-01-04 20:59:10 EST
This should be fixed in nfs-utils-1.0.6-76
Comment 7 Matthew Booth 2007-01-08 18:28:00 EST
Steve,

nfs-utils on the RHEL 4 server is nfs-utils-1.0.9-5. nfs-utils on the RHEL 5
client is nfs-utils-1.0.9-10.el5.i386. These are both higher than
nfs-utils-1.0.6-76.

Is it nfs-utils or the kernel which doesn't support the required ciphers?
Comment 8 Steve Dickson 2007-01-09 09:25:04 EST
oops... Please disreguard Comment #7 since nfs-utils-1.0.6-76 is the rhel4
nfs-utils...
which does fix a problem with secure mounts...

> nfs-utils on the RHEL 4 server is nfs-utils-1.0.9-5....
no... that more of a early RHEL5 or FC-6 version...

Note, using nfs-utils-1.0.6-76 on the RHEL4 and nfs-utils-1.0.9-16.el5
on the RHEL5 side, I was able to get secure mounts working...
Comment 9 Steve Dickson 2010-09-20 07:04:35 EDT
I'm going close this since I am able to get secure mounts working
in the latest RHEL5 update.

Note You need to log in before you can comment on or make changes to this bug.