From owner-freebsd-stable@FreeBSD.ORG Thu Jun 28 14:25:27 2012
From: Herbert Poeckl
Organization: TU Graz / IST
Date: Thu, 28 Jun 2012 16:25:16 +0200
To: Rick Macklem
Cc: freebsd-stable@FreeBSD.org
Subject: Re: Need help with nfsv4 and krb5 access denied
Message-ID: <4FEC694C.6060408@ist.tugraz.at>
In-Reply-To: <686121506.2338267.1340842067785.JavaMail.root@erie.cs.uoguelph.ca>
List-Id: Production branch of FreeBSD source code

On 06/28/2012 02:07 AM, Rick Macklem wrote:
> The NFS server will authenticate nfs/tmp2.ist.intra against the Kerberos
> KDC, using the information in the keytab entry. The whole idea behind a
> host based principal like "nfs/tmp2.ist.intra" is that it can only be
> used by the host "tmp2.ist.intra". As such, when the Kerberos KDC receives
> an authentication request for nfs/tmp2.ist.intra, it will DNS resolve
> tmp2.ist.intra (to 192.168.1.164 it seems) and will compare that to the
> IP address the authentication request is received from. I think this
> means the KDC will fail the request if it is sent to the KDC from 192.168.6.2.

Yes, of course. There is and will be no traffic on 192.168.6.2.

What I've tried to say (and probably failed) is that we have a network card in the machine where the result is always access denied (with the correct server IP address set for that NIC).

> Your KDC should be logging something when this fails and the traffic you'd
> need to look at is the traffic between the NFS server and the KDC. (I'd use
> wireshark, since it probably knows a fair bit about Kerberos.)

Thank you, I will give it a try.

Kind regards,
Herbert
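The exchange above turns on whether the host name in a host-based principal such as nfs/tmp2.ist.intra actually corresponds to the address the NFS server talks to the KDC from. The following script is an added example, not code from the thread or from FreeBSD: it takes a principal and the server's local addresses and reports, per address, whether forward and reverse DNS agree with the principal's host part. The resolver functions are injectable so the check runs offline against a constructed DNS view; only tmp2.ist.intra -> 192.168.1.164 and the 192.168.6.2 address are taken from the thread, the reverse record and the realm-less principal form are assumptions, and `live_forward`/`live_reverse` are hypothetical wrappers over the standard socket module for real use.

```python
"""Check that a host-based Kerberos principal's host name agrees with the
addresses a server uses (added diagnostic example; not from the thread)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS view for the offline run. The forward mapping is taken from
# the thread; the PTR record is an assumption made for the example.
CONSTRUCTED_FORWARD: Dict[str, List[str]] = {"tmp2.ist.intra": ["192.168.1.164"]}
CONSTRUCTED_REVERSE: Dict[str, str] = {"192.168.1.164": "tmp2.ist.intra"}


def parse_principal(principal: str) -> Tuple[str, str, Optional[str]]:
    """Split 'service/host[@REALM]' into (service, host, realm).

    The host part is lower-cased because DNS names are case-insensitive and
    keytab entries are commonly written in lower case."""
    name, _, realm = principal.partition("@")
    service, sep, host = name.partition("/")
    if not sep or not service or not host:
        raise ValueError(f"not a host-based principal: {principal!r}")
    return service, host.lower(), (realm or None)


def check_principal_binding(
    principal: str,
    local_addrs: List[str],
    forward: Callable[[str], List[str]],
    reverse: Callable[[str], Optional[str]],
) -> Dict[str, str]:
    """Return a verdict per local address.

    'ok'            : the address is one the principal's host resolves to and
                      its PTR record points back at that host.
    'not an address': forward DNS for the host does not include this address,
                      so requests leaving from it cannot be tied to the
                      principal's host name (the 192.168.6.2 case above).
    'ptr mismatch'  : forward DNS matches but reverse DNS disagrees, which is
                      the kind of inconsistency a KDC log or capture would
                      show when canonicalisation goes wrong."""
    _, host, _ = parse_principal(principal)
    expected = {str(ipaddress.ip_address(a)) for a in forward(host)}
    verdicts: Dict[str, str] = {}
    for addr in local_addrs:
        ip = str(ipaddress.ip_address(addr))  # normalises and validates
        if ip not in expected:
            verdicts[ip] = f"not an address: {host} resolves to {sorted(expected)}"
            continue
        ptr = reverse(ip)
        if ptr is None or ptr.lower() != host:
            verdicts[ip] = f"ptr mismatch: reverse lookup gives {ptr!r}"
        else:
            verdicts[ip] = "ok"
    return verdicts


def live_forward(host: str) -> List[str]:
    """Hypothetical real resolver: all A/AAAA addresses for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def live_reverse(ip: str) -> Optional[str]:
    """Hypothetical real resolver: PTR name for ip, or None if absent."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except OSError:
        return None


def run_constructed_case() -> Dict[str, str]:
    """Evaluate the two server addresses mentioned in the thread offline."""
    return check_principal_binding(
        "nfs/tmp2.ist.intra",
        ["192.168.1.164", "192.168.6.2"],
        lambda h: CONSTRUCTED_FORWARD.get(h, []),
        lambda ip: CONSTRUCTED_REVERSE.get(ip),
    )


if __name__ == "__main__":
    for addr, verdict in run_constructed_case().items():
        print(f"{addr}: {verdict}")
```

On a real server the same function is called with `live_forward` and `live_reverse` and the addresses from `ifconfig`; any address that is not 'ok' is the one to correlate with the KDC log lines and the Kerberos traffic capture Rick suggests.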