[Bug 614293] New: NFS with kerberos identification isn't working
http://bugzilla.novell.com/show_bug.cgi?id=614293
http://bugzilla.novell.com/show_bug.cgi?id=614293#c0

Summary: NFS with kerberos identification isn't working
Classification: openSUSE
Product: openSUSE 11.3
Version: Factory
Platform: All
OS/Version: openSUSE 11.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: mcaj@novell.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=369189) --> (http://bugzilla.novell.com/attachment.cgi?id=369189) strace logs

User-Agent: Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.9.1.9) Gecko/20100317 SUSE/3.5.9-0.1.1 Firefox/3.5.9

Hi,

NFS client with kerberos identification (-o sec=krb5i or -o sec=krb5p) isn't working on OpenSuse 11.3 Milestone 7. Normal nfs mount without kerberos ticket (-o default) is working.

In the KDC server log file, I can see the request and answer for the nfs ticket as for any other workstation (no error/warning messages).

I tested it on i686 and x86-64 CPUs with the same result.

BTW: NFS client in YaST2 is broken too, but that bug was already reported.

I'm from Suse (Prague). If you need help with testing/debugging the problem, I can help you - just ping me on Novell IM.

Martin

Reproducible: Always

Steps to Reproduce:
1. Install OpenSuse 11.3 M7, set up ldap and kdc client (check if login on the machine is working), disable firewall
2. don't use YaST for NFS client - it is broken!
3. enable gss in /etc/sysconfig/nfs, download your /etc/krb5.keytab from the kdc server, add the nfs mount into /etc/fstab, e.g.: nfsserver:/home /nfs nfs sec=krb5i,intr,rw
4. reboot machines
5. run nfs mount, e.g.: "mount nfsserver:/home /nfs -t nfs -o sec=krb5i,intr,rw"

Actual Results:
error messages: "mount.nfs: access denied by server while mounting nfs.suse.cz:/home"

Expected Results:
mount.nfs should successfully mount /nfs.

I add the strace logs file. I hope it helps you with debugging and fixing the problem.
-- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=614293#c
yang xiaoyu
http://bugzilla.novell.com/show_bug.cgi?id=614293#c
Vinayak Hegde
http://bugzilla.novell.com/show_bug.cgi?id=614293#c
yang xiaoyu
http://bugzilla.novell.com/show_bug.cgi?id=614293#c1
Neil Brown
http://bugzilla.novell.com/show_bug.cgi?id=614293#c3
Martin Caj
http://bugzilla.novell.com/show_bug.cgi?id=614293#c5
Di Pe
http://bugzilla.novell.com/show_bug.cgi?id=614293#c
Suresh Jayaraman
http://bugzilla.novell.com/show_bug.cgi?id=614293#c6
Martin Walter
http://bugzilla.novell.com/show_bug.cgi?id=614293#c7
Suresh Jayaraman
http://bugzilla.novell.com/show_bug.cgi?id=614293#c8
Martin Walter
http://bugzilla.novell.com/show_bug.cgi?id=614293#c9
--- Comment #9 from Martin Caj
http://bugzilla.novell.com/show_bug.cgi?id=614293#c10
--- Comment #10 from Martin Caj
http://bugzilla.novell.com/show_bug.cgi?id=614293#c11
Suresh Jayaraman
http://bugzilla.novell.com/show_bug.cgi?id=614293#c12
--- Comment #12 from Suresh Jayaraman
http://bugzilla.novell.com/show_bug.cgi?id=614293#c13
Suresh Jayaraman
http://bugzilla.novell.com/show_bug.cgi?id=614293#c15
Martin Vidner
https://bugzilla.novell.com/show_bug.cgi?id=614293#c16
Suresh Jayaraman
Hello,
We are working on a problem here that is getting bigger. I will explain.
Our clients are using SLED 11. If they upgrade to sp1, they get a newer nfs client.
Client before update : nfs-client-1.1.3-18.17
Client after update : nfs-client-1.2.1-2.6.6
We are using krb5 authentication with an active directory. The nfs mount we are trying to make is on a netapp nashead.
The scenario is as follows. The client works as expected. When you ONLY upgrade the nfsclient package, we get an error :
Have you filed a SLED bug? Right off hand it looks like 599511589ca7ddb3b2eac8d3aa5b0b38be7a7691 in upstream libtirpc. --b.
mount /mnt/nfs/
mount.nfs4: access denied by server while mounting srvxxx:/vol/vol1/target
I have enabled logging on the rpcgssd :
Aug 31 16:17:09 vmlinux12 rpc.gssd[14072]: Full hostname for 'srvxxx.domain.net' is 'srvxxx.domain.net'
Aug 31 16:17:09 vmlinux12 rpc.gssd[14072]: Full hostname for 'server.domain.net' is 'server.domain.net'
Aug 31 16:17:09 vmlinux12 rpc.gssd[14072]: Key table entry not found while getting keytab entry for 'root/server.domain.net@DOMAIN.NET'
Aug 31 16:17:09 vmlinux12 rpc.gssd[14072]: Success getting keytab entry for 'nfs/server.domain.net@DOMAIN.NET'
Aug 31 16:17:09 vmlinux12 rpc.gssd[14072]: Successfully obtained machine credentials for principal 'nfs/server.domain.net@DOMAIN.NET' stored in ccache 'FILE:/tmp/krb5cc_machine_DOMAIN.NET'
Aug 31 16:17:09 vmlinux12 rpc.gssd[14072]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DOMAIN.NET' are good until 1283300229
Aug 31 16:17:09 vmlinux12 rpc.gssd[14072]: using FILE:/tmp/krb5cc_machine_DOMAIN.NET as credentials cache for machine creds
Aug 31 16:17:09 vmlinux12 rpc.gssd[14072]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_DOMAIN.NET
https://bugzilla.novell.com/show_bug.cgi?id=614293#c17
Michael Lanczak
https://bugzilla.novell.com/show_bug.cgi?id=614293#c18
--- Comment #18 from Di Pe
Olaf: pdb.suse.de suggests that you are the maintainer of libtirpc. Could you please review and take the attached patch in Comment#12?
Suresh, Olaf.

This patch works well. I also needed to install librpcsecgss to make it work. When will we see an official patch? Until then we will have to really watch our patching process to avoid that a working rpc.gssd is overwritten with a bogus one which would lock everyone out.

Thanks
dipe
https://bugzilla.novell.com/show_bug.cgi?id=614293#c19
--- Comment #19 from Olaf Kirch
https://bugzilla.novell.com/show_bug.cgi?id=614293#c20
--- Comment #20 from Martin Walter
https://bugzilla.novell.com/show_bug.cgi?id=614293#c21
Neil Brown
https://bugzilla.novell.com/show_bug.cgi?id=614293#c22
--- Comment #22 from Martin Walter
https://bugzilla.novell.com/show_bug.cgi?id=614293#c23
Michal Svec
https://bugzilla.novell.com/show_bug.cgi?id=614293#c24
--- Comment #24 from Martin Walter
https://bugzilla.novell.com/show_bug.cgi?id=614293#c25
--- Comment #25 from Michal Svec
https://bugzilla.novell.com/show_bug.cgi?id=614293#c26
--- Comment #26 from Martin Walter
https://bugzilla.novell.com/show_bug.cgi?id=614293#c27
Richard Smits
https://bugzilla.novell.com/show_bug.cgi?id=614293#c28
Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c
zj jia
https://bugzilla.novell.com/show_bug.cgi?id=614293#c29
Neil Brown
https://bugzilla.novell.com/show_bug.cgi?id=614293#c30
Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c31
--- Comment #31 from Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c32
Neil Brown
https://bugzilla.novell.com/show_bug.cgi?id=614293#c33
--- Comment #33 from Neil Brown
https://bugzilla.novell.com/show_bug.cgi?id=614293#c34
--- Comment #34 from Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c35
--- Comment #35 from Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c36
Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c37
--- Comment #37 from Neil Brown
https://bugzilla.novell.com/show_bug.cgi?id=614293#c38
Neil Brown
https://bugzilla.novell.com/show_bug.cgi?id=614293#c39
--- Comment #39 from Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c40
Neil Brown
https://bugzilla.novell.com/show_bug.cgi?id=614293#c41
Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c42
Neil Brown
https://bugzilla.novell.com/show_bug.cgi?id=614293#c43
--- Comment #43 from Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c44
--- Comment #44 from Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c45
--- Comment #45 from Neil Brown
1. "allow_weak_crypto = true" on the server does not solve the crypto problem... It has no influence at all.
Thanks.
2. Can I send you the tcpdumps via email? As the data should not become public?
Sure - nfbrown@novell.com - but you can see that I expect. I'll keep them confidential.
https://bugzilla.novell.com/show_bug.cgi?id=614293#c46
Neil Brown
https://bugzilla.novell.com/show_bug.cgi?id=614293#c47
--- Comment #47 from Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c48
Neil Brown
https://bugzilla.novell.com/show_bug.cgi?id=614293#c49
Linux Admin
https://bugzilla.novell.com/show_bug.cgi?id=614293#c50
Neil Brown