Date:      Mon, 25 Jun 2012 20:17:58 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Herbert Poeckl <freebsdml@ist.tugraz.at>
Cc:        freebsd-stable@FreeBSD.org
Subject:   Re: Need help with nfsv4 and krb5 access denied
Message-ID:  <1235437294.2233474.1340669878977.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <4FE849AE.3080902@ist.tugraz.at>

Herbert Poeckl wrote:
> Hi everybody.
> 
> We are new to this list and need technical help.
> 
> We are getting an access denied error on our Debian clients when mounting
> nfsv4 network drives with kerberos 5 authentication.
> 
> What is weird about this is that it works with one server, but not with
> a second server. The configuration on both of these machines is identical,
> which we have tested by booting from the same USB drive.
> 
Ok, if I understand you correctly, you are booting the 2 machines
using the same USB root disk?

Are they using DHCP to configure their network?
(I'm just checking, since they would need to boot as the same
 hostname and IP address, if they are using the same /etc/krb5.keytab
 file. i.e. They must both think they are:
 tmp2.ist.intra@IST.INTRA
 including name<->IP# resolution (/etc/hosts, DNS, or ???).)

If they are the "same host", then the only other thought is to make
sure that their Time of Day clocks are correctly set.

One simple check you can do on the server to confirm that the
keytab entry is ok is to do:
# kinit -k nfs/tmp2.ist.intra@IST.INTRA
and make sure it can put an entry in root's credential cache
from the keytab.

Beyond that, I have no idea why one would work and the other not.
(I always avoid multiple encryption types for keytabs, since I've
 seen Heimdal get confused about which one to use, but that normally
 happened to me when I was trying to get initiator credentials from
 a keytab entry.)

Hopefully someone else conversant with kerberos can help, rick


> The one where it works is an Intel based standard workstation (HP
> DC7800). The machine where it does not work is an AMD Opteron based
> server (Sun X4540). Any other kerberos authentication (like smb and
> netatalk) works fine.
> 
> We basically followed these instructions:
> http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
> 
> Our system configuration looks as follows:
> -- 8< ----------------------------------------- >8 --
> root@tmp2:/root # uname -a
> FreeBSD tmp2.ist.intra 9.0-STABLE FreeBSD 9.0-STABLE #4: Thu Jun 14 08:58:14 UTC 2012 root@srv.ist.intra:/usr/obj/system/usr/src/sys/SRV amd64
> 
> 
> root@tmp2:/root # diff /usr/src/sys/amd64/conf/GENERIC /usr/src/sys/amd64/conf/SRV
> 348a349,354
> >
> >
> > options KGSSAPI
> > device crypto
> >
> > options NETATALK
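Review bot: since both machines boot from the same USB drive, the kernel options in this hunk (`options KGSSAPI`, `device crypto`, which the server needs for krb5p exports) are identical on both and cannot account for one server working and the other not; the comparison worth making is the host-specific state outside the kernel config: hostname and name resolution, the /etc/krb5.keytab entry, and the clock.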
> 
> 
> root@tmp2:/root # cat /etc/krb5.conf
> [libdefaults]
> default_realm = IST.INTRA
> forwardable = true
> proxiable = true
> 
> 
> root@tmp2:/root # ktutil list
> FILE:/etc/krb5.keytab:
> 
> Vno Type Principal
> 1 aes256-cts-hmac-sha1-96 nfs/tmp2.ist.intra@IST.INTRA
> 1 des3-cbc-sha1 nfs/tmp2.ist.intra@IST.INTRA
> 1 arcfour-hmac-md5 nfs/tmp2.ist.intra@IST.INTRA
> 
> ktutil: krb5_kt_start_seq_get krb4:/etc/srvtab: open(/etc/srvtab): No such file or directory
> 
> 
> root@tmp2:/root # cat /etc/exports
> 
> V4: /tmp -sec=krb5p -network 192.168.1.0 -mask 255.255.255.0
> /tmp/blah -sec=krb5p -network 192.168.1.0 -mask 255.255.255.0
> root@tmp2:/root #
> 
> 
> 
> root@tmp2:/root # less /var/run/dmesg.boot
> FreeBSD 9.0-STABLE #4: Thu Jun 14 08:58:14 UTC 2012
> root@srv.ist.intra:/usr/obj/system/usr/src/sys/SRV amd64
> CPU: Six-Core AMD Opteron(tm) Processor 2435 (2600.16-MHz K8-class CPU)
> Origin = "AuthenticAMD" Id = 0x100f80 Family = 10 Model = 8
> Stepping = 0
> 
> Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
> Features2=0x802009<SSE3,MON,CX16,POPCNT>
> AMD
> Features=0xee500800<SYSCALL,NX,MMX+,FFXSR,Page1GB,RDTSCP,LM,3DNow!+,3DNow!>
> AMD
> Features2=0x37ff<LAHF,CMP,SVM,ExtAPIC,CR8,ABM,SSE4A,MAS,Prefetch,OSVW,IBS,SKINIT,WDT>
> TSC: P-state invariant
> -- 8< ----------------------------------------- >8 --
> 
> Any help is greatly appreciated.
> 
> Kind regards,
> Herbert Poeckl
> 
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to
> "freebsd-stable-unsubscribe@freebsd.org"
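The checks Rick lists (the keytab principal must be the one for the host the machine believes it is, the entry must exist, `kinit -k` must succeed, and the clock must be sane) can be scripted. The script below is an added example for this thread, not code from either poster or from FreeBSD; it takes the realm, host name and principal from the messages above, and the `ktutil list` sample it parses is constructed so the parsing part runs offline. The live checks at the end only run where `ktutil` and `kinit` are installed, and they assume `hostname` prints the fully qualified name.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a Kerberized
# NFSv4 server. Realm and host name are the ones quoted in the thread; the
# "ktutil list" sample is constructed so the parsing runs offline.

REALM="IST.INTRA"        # from the thread
FQDN="tmp2.ist.intra"    # from the thread
PRINC="nfs/$FQDN@$REALM"

# Constructed sample, shaped like the Heimdal "ktutil list" output quoted above.
SAMPLE_KTUTIL='FILE:/etc/krb5.keytab:

Vno Type Principal
1 aes256-cts-hmac-sha1-96 nfs/tmp2.ist.intra@IST.INTRA
1 des3-cbc-sha1 nfs/tmp2.ist.intra@IST.INTRA
1 arcfour-hmac-md5 nfs/tmp2.ist.intra@IST.INTRA'

# principal_host SERVICE/HOST@REALM -> prints HOST
principal_host() {
    h="${1#*/}"              # drop the "nfs/" service part
    printf '%s\n' "${h%@*}"  # drop the "@REALM" part
}

# keytab_has_principal KTUTIL_OUTPUT PRINCIPAL -> 0 if at least one key entry exists
# (third whitespace-separated column of "ktutil list" is the principal)
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { found = 1 } END { exit !found }'
}

# keytab_enctype_count KTUTIL_OUTPUT PRINCIPAL -> prints the number of key entries
keytab_enctype_count() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { n++ } END { print n + 0 }'
}

# check_keytab KTUTIL_OUTPUT PRINCIPAL HOST -> 0 when PRINCIPAL is for HOST and
# has a keytab entry; warns (Rick's remark above) when several enctypes are stored
check_keytab() {
    [ "$(principal_host "$2")" = "$3" ] || { echo "principal $2 is not for host $3"; return 1; }
    keytab_has_principal "$1" "$2" || { echo "no keytab entry for $2"; return 1; }
    n=$(keytab_enctype_count "$1" "$2")
    [ "$n" -gt 1 ] && echo "note: $n enctypes for $2; a single enctype avoids Heimdal picking the wrong key"
    return 0
}

# Offline run against the constructed sample:
check_keytab "$SAMPLE_KTUTIL" "$PRINC" "$FQDN" && echo "sample keytab OK for $PRINC"

# Live checks on a real server; skipped where the Kerberos tools are absent.
if command -v ktutil >/dev/null 2>&1 && command -v kinit >/dev/null 2>&1; then
    # Assumption: hostname prints the FQDN. Time must agree with the KDC.
    echo "host name: $(hostname)   UTC time: $(date -u)"
    check_keytab "$(ktutil list 2>/dev/null)" "$PRINC" "$(hostname)"
    # Rick's check: get credentials for the service principal from the keytab
    kinit -k "$PRINC" && klist
else
    echo "kinit/ktutil not found; live checks skipped"
fi
```

Run it as root on the server that refuses the mounts; a principal/host mismatch or a missing entry is reported before `kinit -k` is attempted, and the enctype note points at the ambiguity Rick mentions.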


