From: Herbert Poeckl
Organization: TU Graz / IST
Date: Tue, 04 Sep 2012 15:09:26 +0200
To: Rick Macklem
Cc: freebsd-stable@FreeBSD.org
Subject: Re: Need help with nfsv4 and krb5 access denied
Message-ID: <5045FD86.7060209@ist.tugraz.at>
In-Reply-To: <233953231.1437527.1346700338839.JavaMail.root@erie.cs.uoguelph.ca>

On 09/03/2012 09:25 PM, Rick Macklem wrote:
> Herbert Poeckl wrote:
>> On 6/25/12 1:21 PM, Herbert Poeckl wrote:
>>> We are getting access denied error on our debian clients when mounting
>>> nfsv4 network drives with kerberos 5 authentication.
>>>
>>> What is weird about this, is that it works with one server, but not with
>>> a second server.
>> [..]
>>
>> For the records:
>>
>> The problem was fixed in this post:
>> http://lists.freebsd.org/pipermail/freebsd-fs/2012-August/015047.html
>>
> Ok, so are you saying that the patch in Attila's email fixed your problem?

Yes it does. Sorry I missed your following post to his message.

> If so, please try the attached patch. (It doesn't set the client security
> handle stale when DESTROY fails, due to an invalid encrypted checksum. It
> is similar to his patch, but only for the DESTROY case, which seems to be
> ok to do from my understanding of the RPCSEC_GSS. It doesn't include the
> timer changes, which shouldn't affect the outcome from afaik.)

Just tried your patch, and it fixes the problem too.

> To consider the client security handle still valid when a data (real RPC
> in the message) phase entry fails the encrypted checksum seems riskier to
> do, so I'd like to avoid that in any patch for head.
>
> rick

Kind regards,
Herbert