Bug 432906 - nfs v4 with kerberos - unable to get this working on solaris 10 x86
Summary: nfs v4 with kerberos - unable to get this working on solaris 10 x86
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: 1.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 429034
Reported: 2008-02-15 01:37 UTC by Chandrasekar Kannan
Modified: 2015-01-04 23:30 UTC (History)

Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Chandrasekar Kannan 2008-02-15 01:37:37 UTC
NFS v4 with Kerberos fails from a solaris 10 x86 client
to an ipa server.

Following instructions from 
http://www.freeipa.com/page/ConfiguringUnixClients


Here's the keytab file that I use with the solaris 10 machine.

[root@ipaqa09 ~]# klist -ket /tmp/ipaqa13.keytab
Keytab name: FILE:/tmp/ipaqa13.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 02/15/08 09:37:41 host/ipaqa13.dsqa.sjc2.redhat.com.REDHAT.COM (DES cbc mode with CRC-32)
   4 02/15/08 09:37:50 host/ipaqa09.dsqa.sjc2.redhat.com.REDHAT.COM (DES cbc mode with CRC-32)
   2 02/15/08 09:38:00 nfs/ipaqa09.dsqa.sjc2.redhat.com.REDHAT.COM (DES cbc mode with CRC-32)
   3 02/15/08 09:38:08 nfs/ipaqa13.dsqa.sjc2.redhat.com.REDHAT.COM (DES cbc mode with CRC-32)
[root@ipaqa09 ~]#

Here's the NFS command I'm trying,

as root, mount -F nfs -o sec=krb5 ipaqa09.dsqa.sjc2.redhat.com:/export /data

mount returns permission denied.


my nss ldap settings are:

bash-3.00# cat /var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ipaqa09.dsqa.sjc2.redhat.com
NS_LDAP_SEARCH_BASEDN= dc=dsqa,dc=sjc2,dc=redhat,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= sc_default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: cn=users,cn=accounts,dc=dsqa,dc=sjc2,dc=redhat,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= groups: cn=groups,cn=accounts,dc=dsqa,dc=sjc2,dc=redhat,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow: dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:
NS_LDAP_SERVICE_SEARCH_DESC= auto_automnt:
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:
NS_LDAP_BIND_TIME= 2
NS_LDAP_ATTRIBUTEMAP= automount:
NS_LDAP_ATTRIBUTEMAP= automount:
NS_LDAP_ATTRIBUTEMAP= automount:
NS_LDAP_OBJECTCLASSMAP= automount:
NS_LDAP_OBJECTCLASSMAP= automount:
bash-3.00# cat /var/ldap/ldap_client_cred
NS_LDAP_BINDDN= uid=admin,cn=sysaccounts,cn=etc,dc=dsqa,dc=sjc2,dc=redhat,dc=com
NS_LDAP_BINDPASSWD= {crypt}eQyUElSQ8vRME
bash-3.00#


some logs from the ipa server:

Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: leaving poll
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: handling null request
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: readline: read 1236 chars into buffer of size 2048: \x6082026306092a864886f71201020201006e8202523082024ea003020105a10302010ea20703050020000000a382015d6182015930820155a003020105a1161b14445351412e534a43322e5245444841542e434f4da22e302ca003020103a12530231b036e66731b1c697061716130392e647371612e736a63322e7265646861742e636f6da382010430820100a003020112a103020101a281f30481f0c24beb64c9c8c5ff7ac4cd7e7854681ecac9ee874901c9447a4249ae1d234cf204ee58ba7ced9a03813d8df7265ca99557182b8b3e92df4b28a18df1b29f...
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: in_handle:
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: length 0
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: in_tok:
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: length 615
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0000: 6082 0263 0609 2a86 4886 f712 0102 0201  `..c..*.H.......
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0010: 006e 8202 5230 8202 4ea0 0302 0105 a103  .n..R0..N.......
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0020: 0201 0ea2 0703 0500 2000 0000 a382 015d  ........ ......]
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0030: 6182 0159 3082 0155 a003 0201 05a1 161b  a..Y0..U........
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0040: 1444 5351 412e 534a 4332 2e52 4544 4841  .DSQA.SJC2.REDHA
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0050: 542e 434f 4da2 2e30 2ca0 0302 0103 a125  T.COM..0,......%
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0060: 3023 1b03 6e66 731b 1c69 7061 7161 3039  0#..nfs..ipaqa09
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0070: 2e64 7371 612e 736a 6332 2e72 6564 6861  .dsqa.sjc2.redha
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0080: 742e 636f 6da3 8201 0430 8201 00a0 0302  t.com....0......
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0090: 0112 a103 0201 01a2 81f3 0481 f0c2 4beb  ..............K.
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   00a0: 64c9 c8c5 ff7a c4cd 7e78 5468 1eca c9ee  d....z..~xTh....
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   00b0: 8749 01c9 447a 4249 ae1d 234c f204 ee58  .I..DzBI..#L...X
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   00c0: ba7c ed9a 0381 3d8d f726 5ca9 9557 182b  .|....=..&\..W.+
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   00d0: 8b3e 92df 4b28 a18d f1b2 9fc6 9525 06d9  .>..K(.......%..
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   00e0: bdff 66d7 cde7 695c 737b fe0f 2f94 cf76  ..f...i\s{../..v
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   00f0: 51e2 a973 06be 995e 3573 6662 311f 8874  Q..s...^5sfb1..t
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0100: 904d 2482 dc40 69c6 d0f4 e8c6 7c93 eb9a  .M$..@i.....|...
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0110: d577 aa1c 5980 85dc 51c4 5ddf 1eca 32c6  .w..Y...Q.]...2.
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0120: abf2 27e2 4cce 81d4 2d12 950c 5d04 8a21  ..'.L...-...]..!
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0130: af81 b6a0 8f4a 7c66 2ca3 13ca 94b7 f3bd  .....J|f,.......
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0140: 3461 88cd f08d aa1e a54c 8f25 0536 289c  4a.......L.%.6(.
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0150: b1c9 365a a898 a6ca 3478 ead7 1ded aa26  ..6Z....4x.....&
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0160: 44ea 070e cafb b6df 99fd 6981 e5b0 8c2f  D.........i..../
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0170: 72cc d58b bf2f 0381 b414 6e67 0e52 083d  r..../....ng.R.=
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0180: 210d 56f6 9a22 8df1 adb9 529a 13a4 81d7  !.V.."....R.....
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0190: 3081 d4a0 0302 0112 a281 cc04 81c9 52aa  0.............R.
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   01a0: 4527 b327 0752 c2a8 27e9 5a5d 6c44 2b79  E'.'.R..'.Z]lD+y
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   01b0: 3c09 165d 986d eb49 86fc ab5b 692c 9393  <..].m.I...[i,..
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   01c0: dea9 2026 a124 6775 e88b 0ee0 d213 48fa  .. &.$gu......H.
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   01d0: e7d3 e917 54e5 24da b0f5 3ebe 1f4e 5317  ....T.$...>..NS.
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   01e0: cf40 aa51 dc8b 53de 448c ac08 8350 a34c  .@.Q..S.D....P.L
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   01f0: 29c9 5bcb 195f 3830 f0df ecd6 5f9e 5a30  ).[.._80...._.Z0
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0200: f555 9c03 cb7d 7637 9d10 465c 4b24 baef  .U...}v7..F\K$..
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0210: 4e31 22ae 19fb 8528 6518 f795 f72d ac21  N1"....(e....-.!
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0220: a1dd 37e1 bd31 97b4 a385 f12d b81b 6493  ..7..1.....-..d.
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0230: 754c 3856 aece a0e8 7658 4854 d01d e5cb  uL8V....vXHT....
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0240: da81 7f41 cdae 5150 ed2a 44df 0d76 9185  ...A..QP.*D..v..
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0250: 408f 8840 4bdf 518e 760c 5815 3991 7757  @..@K.Q.v.X.9.wW
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:   0260: 3a8a 79d1 3e35 5c                        :.y.>5\
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: sname = admin.REDHAT.COM
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: DEBUG: serialize_krb5_ctx: lucid version!
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: ERROR: prepare_krb5_rfc_cfx_buffer: not implemented
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: serialize_krb5_ctx: prepare_krb5_*_buffer failed (retcode = -1)
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: ERROR: failed serializing krb5 context for kernel
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: WARNING: handle_nullreq: serialize_context_for_kernel failed
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: sending null reply
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: writing message: \x6082026306092a864886f71201020201006e8202523082024ea003020105a10302010ea20703050020000000a382015d6182015930820155a003020105a1161b14445351412e534a43322e5245444841542e434f4da22e302ca003020103a12530231b036e66731b1c697061716130392e647371612e736a63322e7265646861742e636f6da382010430820100a003020112a103020101a281f30481f0c24beb64c9c8c5ff7ac4cd7e7854681ecac9ee874901c9447a4249ae1d234cf204ee58ba7ced9a03813d8df7265ca99557182b8b3e92df4b28a18df1b29fc6952506d9bdff66d7cde7695c737bfe0f2...
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: finished handling null request
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: entering poll

Comment 1 Chandrasekar Kannan 2008-02-27 16:37:52 UTC
We have tried a couple of things today.

(1) I changed the keytab entries to not include the host and nfs principals
    of the ipa-server on the client. The keytab only contains the host and nfs
    principals with the DES encryption stuff for the client on the client machine.
    The mount from Solaris x86 simply hangs at this point.

I see this error on the ipa/nfs server.

Mar  1 00:42:13 ipaqa09 rpc.svcgssd[3366]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.  Minor code
may provide more information - Unknown code krb5 230

(2) We tried making the Solaris NFS client the NFS server instead, and used
    another RHEL 5 client machine to mount /export from the Solaris NFS server
    using Kerberos credentials.
    This works flawlessly.
     mount -v -t nfs4 -o sec=krb5 ipaqa13.dsqa.sjc2.redhat.com:/ /data



Comment 2 Kevin Coffman 2008-02-27 20:51:34 UTC
(In reply to comment #0)
> 
> Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: ERROR: prepare_krb5_rfc_cfx_buffer:
> not implemented

This message indicates that something other than des-cbc-crc was negotiated
as the session key.  Are you sure the Linux server principal has only a des
key in both the keytab and in the KDC's database?  (i.e. you did not simply
use ktutil to remove the keytab entries for other encryption types?)



Comment 3 Kevin Coffman 2008-02-27 21:00:55 UTC
(In reply to comment #1)
> We have tried a couple of things today.
> 
> (1) I changed the keytab entries to not include host,nfs principals
>     of the ipa-server on the client. Keytab only contains host,nfs principals
>     with the des encryption stuff for the client on the client machine.
>     mount from solaris x86 simply hangs at this point.
> 
> I see this error on the ipa/nfs server.
> 
> Mar  1 00:42:13 ipaqa09 rpc.svcgssd[3366]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.  Minor code
> may provide more information - Unknown code krb5 230

This error is KRB5_KT_KVNONOTFOUND (-1765328154L), which probably indicates
that the Solaris client is using a cached service ticket obtained before
you did a new ktadd for the linux server's principal?

Try doing a kdestroy (or simply 'rm /tmp/krb5cc_0') as root on Solaris to
force it to get a new TGT and service ticket to use for the mount.


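Comments 2 and 3 each point at a check an administrator can run from the artifacts already in this report: the enctypes in the server principal's keytab (comment 2) and the meaning of the "Unknown code krb5 230" minor code plus the key-version mismatch behind it (comment 3). The script below is an added example, not code from the bug report, freeIPA or nfs-utils. It parses the `klist -ket` listing format shown above, decodes the com_err offset (ERROR_TABLE_BASE_krb5 is the real krb5 table base, -1765328384; the name for -1765328154 is the one comment 3 gives), and diagnoses a stale ticket KVNO. The hostnames, realm, sample keytab listing and sample log line are constructed placeholders.

```python
"""Decode rpc.svcgssd's "Unknown code krb5 N" and check a keytab listing.

Added example for comments 2 and 3 of this bug; not code from the report,
freeIPA or nfs-utils. The sample keytab listing and log line are constructed
in the `klist -ket` / syslog formats shown in the report.
"""
import re

# com_err codes are table_base + offset. The krb5 table base is
# -1765328384 (ERROR_TABLE_BASE_krb5), so "Unknown code krb5 230" is
# -1765328384 + 230 = -1765328154, the value comment 3 names.
ERROR_TABLE_BASE_KRB5 = -1765328384

# Only the code this report hits; the name/value pair comes from comment 3.
KRB5_ERROR_NAMES = {
    -1765328154: "KRB5_KT_KVNONOTFOUND",
}

# One entry of `klist -ket`:  KVNO  date  time  principal  (enctype)
KEYTAB_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]*)\)\s*$"
)
UNKNOWN_CODE = re.compile(r"Unknown code krb5 (\d+)")

# Constructed sample input (hostnames and realm are placeholders).
SAMPLE_KEYTAB = """\
Keytab name: FILE:/tmp/nfs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/15/08 09:38:00 nfs/nfs1.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   2 02/15/08 09:38:00 nfs/nfs1.example.test@EXAMPLE.TEST (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 02/15/08 09:38:08 nfs/nfs2.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
"""
SAMPLE_LOG = (
    "Mar  1 00:42:13 nfs1 rpc.svcgssd[3366]: ERROR: GSS-API: error in "
    "handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.  "
    "Minor code may provide more information - Unknown code krb5 230"
)


def krb5_code(offset):
    """Return (full com_err code, symbolic name or 'unknown') for a krb5 offset."""
    code = ERROR_TABLE_BASE_KRB5 + offset
    return code, KRB5_ERROR_NAMES.get(code, "unknown")


def decode_gss_minor(log_line):
    """Extract the 'Unknown code krb5 N' offset from a log line and decode it."""
    m = UNKNOWN_CODE.search(log_line)
    return krb5_code(int(m.group(1))) if m else None


def parse_klist_keytab(text):
    """Parse `klist -ket` output into (kvno, principal, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append((int(m["kvno"]), m["principal"], m["enctype"]))
    return entries


def non_des_enctypes(entries):
    """Principals that carry a non-DES key in the keytab (comment 2).

    The server in this report could not serialize a context whose session key
    was not des-cbc-crc, so any other key on the server principal lets the KDC
    pick a session key the server cannot use. This covers the keytab only; the
    KDC database has to be checked separately, as comment 2 points out.
    """
    offenders = {}
    for _, principal, enctype in entries:
        if not enctype.startswith("DES"):
            offenders.setdefault(principal, set()).add(enctype)
    return offenders


def diagnose_ticket_kvno(ticket_kvno, principal, entries):
    """Explain why a service ticket cannot be decrypted with this keytab.

    Returns 'KRB5_KT_NOTFOUND' when the principal is absent entirely,
    'KRB5_KT_KVNONOTFOUND' when the principal is present but no key has the
    ticket's version (the comment 3 case: ktadd bumped the KVNO after the
    client cached its ticket), and None when the ticket is decryptable.
    """
    kvnos = {kvno for kvno, p, _ in entries if p == principal}
    if not kvnos:
        return "KRB5_KT_NOTFOUND"
    if ticket_kvno not in kvnos:
        return "KRB5_KT_KVNONOTFOUND"
    return None


def main():
    entries = parse_klist_keytab(SAMPLE_KEYTAB)
    print("log line decodes to:", decode_gss_minor(SAMPLE_LOG))
    print("principals with non-DES keys:", non_des_enctypes(entries))
    # A client still holding a ticket for key version 2 after ktadd moved nfs2 to 3.
    print("stale ticket diagnosis:",
          diagnose_ticket_kvno(2, "nfs/nfs2.example.test@EXAMPLE.TEST", entries))


if __name__ == "__main__":
    main()
```

Run it against real `klist -ket` output by replacing SAMPLE_KEYTAB; the KVNO in a cached service ticket can be read on the client with `klist -e -k`-style verbose output on the credentials cache, and the cure remains what comment 3 describes: discard the cache so a fresh ticket is issued under the current key version.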

Comment 4 Simo Sorce 2008-02-27 21:13:34 UTC
Thanks for helping, Kevin.
We are going to test this with DES-only keys on the Linux side; in the initial
tests the Linux side had RC4 and AES keys as well.
Will update as we get new evidence.

Comment 5 Chandrasekar Kannan 2008-02-27 21:48:02 UTC
Did the following:
(1) kdestroy, and removed the krb cache file on the Solaris client.
(2) kinit.
(3) mount with NFSv4/krb5. Worked OK.

bash-3.00# rm -f /tmp/krb5cc_0
bash-3.00# kdestroy
kdestroy: Could not obtain principal name from cache
kdestroy: No credentials cache file found while destroying cache
kdestroy: TGT expire warning NOT deleted
bash-3.00#
bash-3.00# klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
bash-3.00#
bash-3.00#
bash-3.00#
bash-3.00#
bash-3.00# ntpdate ipaqa09.dsqa.sjc2.redhat.com
 1 Mar 06:32:41 ntpdate[4036]: step time server 10.14.0.123 offset 757.748378 sec
bash-3.00#
bash-3.00#
bash-3.00# kinit admin
Password for admin.REDHAT.COM:
bash-3.00# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.REDHAT.COM

Valid starting                Expires                Service principal
03/01/08 06:32:47  03/08/08 06:32:47  krbtgt/DSQA.SJC2.REDHAT.COM.REDHAT.COM
        renew until 03/15/08 07:32:47
bash-3.00#
bash-3.00#
bash-3.00# mount -F nfs -o vers=4 -o sec=krb5 ipaqa09.dsqa.sjc2.redhat.com:/ /data

bash-3.00#
bash-3.00# df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0d0s0      4413669 3308114 1061419    76%    /
/devices                   0       0       0     0%    /devices
ctfs                       0       0       0     0%    /system/contract
proc                       0       0       0     0%    /proc
mnttab                     0       0       0     0%    /etc/mnttab
swap                  756896     912  755984     1%    /etc/svc/volatile
objfs                      0       0       0     0%    /system/object
/usr/lib/libc/libc_hwcap1.so.1
                     4413669 3308114 1061419    76%    /lib/libc.so.1
fd                         0       0       0     0%    /dev/fd
swap                  756036      52  755984     1%    /tmp
swap                  756012      28  755984     1%    /var/run
/dev/dsk/c0d0s7      11518228   11441 11391605     1%    /export/home
/vol/dev/dsk/c1t0d0/sol_10_807_x86
                     2654470 2654470       0   100%    /cdrom/sol_10_807_x86
ipaqa09.dsqa.sjc2.redhat.com:/
                     14093368 2486836 10879084    19%    /data



Comment 6 Chandrasekar Kannan 2008-04-04 12:43:30 UTC
Works OK now.
Instructions posted on freeipa.org.

