NFS v4 with Kerberos fails from a Solaris 10 x86 client to an IPA server. Following instructions from http://www.freeipa.com/page/ConfiguringUnixClients

Here's the keytab file that I use with the Solaris 10 machine.

[root@ipaqa09 ~]# klist -ket /tmp/ipaqa13.keytab
Keytab name: FILE:/tmp/ipaqa13.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 02/15/08 09:37:41 host/ipaqa13.dsqa.sjc2.redhat.com@DSQA.SJC2.REDHAT.COM (DES cbc mode with CRC-32)
   4 02/15/08 09:37:50 host/ipaqa09.dsqa.sjc2.redhat.com@DSQA.SJC2.REDHAT.COM (DES cbc mode with CRC-32)
   2 02/15/08 09:38:00 nfs/ipaqa09.dsqa.sjc2.redhat.com@DSQA.SJC2.REDHAT.COM (DES cbc mode with CRC-32)
   3 02/15/08 09:38:08 nfs/ipaqa13.dsqa.sjc2.redhat.com@DSQA.SJC2.REDHAT.COM (DES cbc mode with CRC-32)
[root@ipaqa09 ~]#

Here's the NFS command I'm trying, as root:

mount -F nfs -o sec=krb5 ipaqa09.dsqa.sjc2.redhat.com:/export /data

mount returns permission denied.

My nss ldap settings are:

bash-3.00# cat /var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ipaqa09.dsqa.sjc2.redhat.com
NS_LDAP_SEARCH_BASEDN= dc=dsqa,dc=sjc2,dc=redhat,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= sc_default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: cn=users,cn=accounts,dc=dsqa,dc=sjc2,dc=redhat,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= groups: cn=groups,cn=accounts,dc=dsqa,dc=sjc2,dc=redhat,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow: dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:
NS_LDAP_SERVICE_SEARCH_DESC= auto_automnt:
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:
NS_LDAP_BIND_TIME= 2
NS_LDAP_ATTRIBUTEMAP= automount:
NS_LDAP_ATTRIBUTEMAP= automount:
NS_LDAP_ATTRIBUTEMAP= automount:
NS_LDAP_OBJECTCLASSMAP= automount:
NS_LDAP_OBJECTCLASSMAP= automount:
bash-3.00# cat /var/ldap/ldap_client_cred
NS_LDAP_BINDDN= uid=admin,cn=sysaccounts,cn=etc,dc=dsqa,dc=sjc2,dc=redhat,dc=com
NS_LDAP_BINDPASSWD= {crypt}eQyUElSQ8vRME
bash-3.00#

Some logs from the IPA server:

Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: leaving poll
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: handling null request
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: readline: read 1236 chars into buffer of size 2048: \x \x6082026306092a864886f71201020201006e8202523082024ea003020105a10302010ea20703050020000000a382015d6182015930820155a003020105a1161b14445351412e534a43322e5245444841542e434f4da22e302ca003020103a12530231b036e66731b1c697061716130392e647371612e736a63322e7265646861742e636f6da382010430820100a003020112a103020101a281f30481f0c24beb64c9c8c5ff7ac4cd7e7854681ecac9ee874901c9447a4249ae1d234cf204ee58ba7ced9a03813d8df7265ca99557182b8b3e92df4b28a18df1b29f...
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: in_handle:
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: length 0
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: in_tok:
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: length 615
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]:
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: sname = admin@DSQA.SJC2.REDHAT.COM
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: DEBUG: serialize_krb5_ctx: lucid version!
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: ERROR: prepare_krb5_rfc_cfx_buffer: not implemented
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: serialize_krb5_ctx: prepare_krb5_*_buffer failed (retcode = -1)
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: ERROR: failed serializing krb5 context for kernel
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: WARNING: handle_nullreq: serialize_context_for_kernel failed
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: sending null reply
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: writing message: \x \x6082026306092a864886f71201020201006e8202523082024ea003020105a10302010ea20703050020000000a382015d6182015930820155a003020105a1161b14445351412e534a43322e5245444841542e434f4da22e302ca003020103a12530231b036e66731b1c697061716130392e647371612e736a63322e7265646861742e636f6da382010430820100a003020112a103020101a281f30481f0c24beb64c9c8c5ff7ac4cd7e7854681ecac9ee874901c9447a4249ae1d234cf204ee58ba7ced9a03813d8df7265ca99557182b8b3e92df4b28a18df1b29fc6952506d9bdff66d7cde7695c737bfe0f2...
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: finished handling null request
Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: entering poll
We have tried a couple of things today.

(1) I changed the keytab entries to not include host,nfs principals of the ipa-server on the client. Keytab only contains host,nfs principals with the des encryption stuff for the client on the client machine. mount from Solaris x86 simply hangs at this point.

I see this error on the ipa/nfs server.

Mar 1 00:42:13 ipaqa09 rpc.svcgssd[3366]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Unknown code krb5 230

(2) We tried to make the Solaris nfs client the nfs server instead, and used another RHEL 5 client machine to mount /export from the Solaris nfs server using kerberos credentials. This works flawlessly.

mount -v -t nfs4 -o sec=krb5 ipaqa13.dsqa.sjc2.redhat.com:/ /data
(In reply to comment #0)
> Feb 15 09:02:33 ipaqa09 rpc.svcgssd[3366]: ERROR: prepare_krb5_rfc_cfx_buffer:
> not implemented

This message indicates that something other than des-cbc-crc was negotiated as the session key. Are you sure the Linux server principal has only a des key in both the keytab and in the KDC's database? (i.e. you did not simply use ktutil to remove the keytab entries for other encryption types?)
(In reply to comment #1)
> We have tried a couple of things today.
>
> (1) I changed the keytab entries to not include host,nfs principals
> of the ipa-server on the client. Keytab only contains host,nfs principals
> with the des encryption stuff for the client on the client machine.
> mount from solaris x86 simply hangs at this point.
>
> I see this error on the ipa/nfs server.
>
> Mar 1 00:42:13 ipaqa09 rpc.svcgssd[3366]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code
> may provide more information - Unknown code krb5 230

This error is KRB5_KT_KVNONOTFOUND (-1765328154L), which probably indicates that the Solaris client is using a cached service ticket obtained before you did a new ktadd for the linux server's principal? Try doing a kdestroy (or simply 'rm /tmp/krb5cc_0') as root on Solaris to force it to get a new TGT and service ticket to use for the mount.
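Both of Kevin's diagnoses (comment #2: a non-DES session key once the server principal carries other enctypes; comment #3: "Unknown code krb5 230" being KRB5_KT_KVNONOTFOUND) can be checked mechanically on the server side. The following Python is an added example, not code from this bug thread or from FreeIPA: it maps the offset in an rpc.svcgssd "Unknown code krb5 N" message back to the MIT krb5 error code, and parses `klist -ket` output to flag principals holding more than one enctype. The log line and keytab listing are constructed samples modelled on the ones posted above.

```python
import re

# MIT krb5 error-table base (ERROR_TABLE_BASE_krb5); com_err prints
# "Unknown code krb5 N" when it has no message text for base + N.
KRB5_ERROR_TABLE_BASE = -1765328384

# Small subset of the krb5 error table, keyed by offset from the base.
KRB5_ERRORS = {
    37: "KRB5KRB_AP_ERR_SKEW",
    181: "KRB5_KT_NOTFOUND",
    230: "KRB5_KT_KVNONOTFOUND",  # keytab kvno does not match the ticket
}

UNKNOWN_CODE_RE = re.compile(r"Unknown code krb5 (\d+)")
# One `klist -ket` entry: KVNO, date, time, principal, (enctype name)
KEYTAB_ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")

def decode_minor_code(log_line):
    """(numeric krb5 code, symbolic name) for a svcgssd line, else None."""
    m = UNKNOWN_CODE_RE.search(log_line)
    if not m:
        return None
    offset = int(m.group(1))
    return KRB5_ERROR_TABLE_BASE + offset, KRB5_ERRORS.get(offset, "unknown")

def keytab_enctypes(klist_output):
    """Parse `klist -ket` output into {principal: {enctype, ...}}."""
    result = {}
    for line in klist_output.splitlines():
        m = KEYTAB_ENTRY_RE.match(line)
        if m:
            result.setdefault(m.group(2), set()).add(m.group(3))
    return result

def multi_enctype_principals(klist_output):
    """Principals holding more than one enctype: the KDC may then choose a
    non-DES session key, which this svcgssd cannot hand to the kernel."""
    return sorted(p for p, e in keytab_enctypes(klist_output).items() if len(e) > 1)

# Constructed sample input, modelled on the thread's log line and keytab.
SAMPLE_LOG = ("Mar 1 00:42:13 ipaqa09 rpc.svcgssd[3366]: ERROR: GSS-API: error in "
              "handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. "
              "Minor code may provide more information - Unknown code krb5 230")
SAMPLE_KEYTAB = """\
KVNO Timestamp         Principal
   2 02/15/08 09:38:00 nfs/ipaqa09.dsqa.sjc2.redhat.com@DSQA.SJC2.REDHAT.COM (DES cbc mode with CRC-32)
   2 02/15/08 09:38:00 nfs/ipaqa09.dsqa.sjc2.redhat.com@DSQA.SJC2.REDHAT.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 02/15/08 09:37:50 host/ipaqa09.dsqa.sjc2.redhat.com@DSQA.SJC2.REDHAT.COM (DES cbc mode with CRC-32)
"""
```

Running `decode_minor_code(SAMPLE_LOG)` gives `(-1765328154, 'KRB5_KT_KVNONOTFOUND')`, the value Kevin quotes, and `multi_enctype_principals(SAMPLE_KEYTAB)` lists only the nfs/ principal, which is the one to re-key with a single DES enctype.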
Thanks for helping, Kevin. We are going to test this with DES-only keys on the Linux side; in the initial tests the Linux side had RC4 and AES keys as well. Will update as we get new evidence.
Did the following:

(1) kdestroy; removed krb cache file on Solaris client.
(2) kinit.
(3) mount with nfsv4/krb5. Worked ok.

bash-3.00# rm -f /tmp/krb5cc_0
bash-3.00# kdestroy
kdestroy: Could not obtain principal name from cache
kdestroy: No credentials cache file found while destroying cache
kdestroy: TGT expire warning NOT deleted
bash-3.00# klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
bash-3.00# ntpdate ipaqa09.dsqa.sjc2.redhat.com
 1 Mar 06:32:41 ntpdate[4036]: step time server 10.14.0.123 offset 757.748378 sec
bash-3.00# kinit admin
Password for admin@DSQA.SJC2.REDHAT.COM:
bash-3.00# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DSQA.SJC2.REDHAT.COM

Valid starting     Expires            Service principal
03/01/08 06:32:47  03/08/08 06:32:47  krbtgt/DSQA.SJC2.REDHAT.COM@DSQA.SJC2.REDHAT.COM
        renew until 03/15/08 07:32:47
bash-3.00# mount -F nfs -o vers=4 -o sec=krb5 ipaqa09.dsqa.sjc2.redhat.com:/ /data
bash-3.00# df -k
Filesystem                      kbytes    used     avail capacity  Mounted on
/dev/dsk/c0d0s0                4413669 3308114   1061419    76%    /
/devices                             0       0         0     0%    /devices
ctfs                                 0       0         0     0%    /system/contract
proc                                 0       0         0     0%    /proc
mnttab                               0       0         0     0%    /etc/mnttab
swap                            756896     912    755984     1%    /etc/svc/volatile
objfs                                0       0         0     0%    /system/object
/usr/lib/libc/libc_hwcap1.so.1 4413669 3308114   1061419    76%    /lib/libc.so.1
fd                                   0       0         0     0%    /dev/fd
swap                            756036      52    755984     1%    /tmp
swap                            756012      28    755984     1%    /var/run
/dev/dsk/c0d0s7               11518228   11441  11391605     1%    /export/home
/vol/dev/dsk/c1t0d0/sol_10_807_x86 2654470 2654470      0   100%    /cdrom/sol_10_807_x86
ipaqa09.dsqa.sjc2.redhat.com:/ 14093368 2486836 10879084    19%    /data
Works ok now. Instructions posted on freeipa.org.