Date: Wed, 27 Jun 2012 11:34:34 +0200
From: Herbert Poeckl <freebsdml@ist.tugraz.at>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: freebsd-stable@FreeBSD.org
Subject: Re: Need help with nfsv4 and krb5 access denied
Message-ID: <4FEAD3AA.5050101@ist.tugraz.at>
In-Reply-To: <1235437294.2233474.1340669878977.JavaMail.root@erie.cs.uoguelph.ca>
References: <1235437294.2233474.1340669878977.JavaMail.root@erie.cs.uoguelph.ca>
Hi Rick,

thank you very much for answering.

On 06/26/2012 02:17 AM, Rick Macklem wrote:
> Herbert Poeckl wrote:
>> Hi everybody.
>>
>> We are new to this list and need technical help.
>>
>> We are getting an access denied error on our Debian clients when mounting
>> NFSv4 network drives with Kerberos 5 authentication.
>>
>> What is weird about this is that it works with one server, but not
>> with a second server. The configuration on both machines is
>> identical, which we have tested by booting from the same USB drive.
>>
> Ok, if I understand you correctly, you are booting the 2 machines
> using the same USB root disk?

This is correct. As you can guess, it is for testing purposes only.

> Are they using DHCP to configure their network?
> (I'm just checking, since they would need to boot as the same
> hostname and IP address, if they are using the same /etc/krb5.keytab
> file. ie. They must both think they are:
> tmp2.ist.intra@IST.INTRA
> including name<->IP# resolution (/etc/hosts, DNS, or ???)
>
> If they are the "same host", then the only other thought is to make
> sure that their Time of Day clocks are correctly set.

The host's IP address is set statically. Name resolution is done with DNS,
see the log below [1]. Time is synchronized on system startup against a
local time server.

> One simple check you can do on the server to confirm that the
> keytab entry is ok is to do:
> # kinit -k nfs/tmp2.ist.intra@IST.INTRA
> and make sure it can put an entry in root's credential cache
> from the keytab.

We performed the check. The output seems right, as you can see in [2].
Is there anything else we can check?

> Beyond that, I have no idea why one would work and the other not.
> (I always avoid multiple encryption types for keytabs, since I've
> seen Heimdal get confused about which one to use, but that normally
> happened to me when I was trying to get initiator credentials from
> a keytab entry.)

Reducing the encryption type to only one (des3-cbc-sha1) did not change
the result.

> Hopefully someone else conversant with kerberos can help, rick

[1]
--- 8< -------------------------------- >8 ---
root@tmp2:/root # hostname
tmp2.ist.intra
root@tmp2:/root # ifconfig INT
INT: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
        ether 00:21:28:45:c3:be
        inet 192.168.1.164 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::221:28ff:fe45:c3be%INT prefixlen 64 scopeid 0x3
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
root@tmp2:/root # host tmp2.ist.intra
tmp2.ist.intra has address 192.168.1.164
root@tmp2:/root # host 192.168.1.164
164.1.168.192.in-addr.arpa domain name pointer tmp2.ist.intra.
--- 8< -------------------------------- >8 ---

[2]
--- 8< -------------------------------- >8 ---
root@tmp2:/root # kinit -k nfs/tmp2.ist.intra
root@tmp2:/root # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: nfs/tmp2.ist.intra@IST.INTRA

  Issued           Expires          Principal
Jun 26 08:34:10  Jun 26 18:34:04  krbtgt/IST.INTRA@IST.INTRA
root@tmp2:/root #
--- 8< -------------------------------- >8 ---
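Rick's remark about keytabs carrying several encryption types, and Herbert's reduction of the server keytab to a single des3-cbc-sha1 key, are the kind of thing worth confirming by looking at the keytab file itself rather than trusting that ktutil did what was asked. The following is an added example, not code from this thread or from FreeBSD: a small parser for the standard keytab file format (version 0x0502, as written by both MIT Kerberos and Heimdal) that lists every principal with its kvno and enctype and flags principals that have more than one enctype. The sample keytab, its zeroed key material and the kvno values are constructed here for the demonstration; the principal and realm names are the ones from the thread.

```python
"""Inspect a version-2 Kerberos keytab and flag multi-enctype principals.

Added example; the sample keytab at the bottom is constructed in memory
(zero key material, made-up kvnos) and is not a real /etc/krb5.keytab.
"""
import struct
import sys
from collections import defaultdict

# Encryption-type numbers from RFC 3961 / RFC 3962 (common subset).
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _cstr(data, off):
    """Read a counted octet string: uint16 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from keytab file bytes.

    Entry layout (all big-endian): int32 size (negative = deleted slot),
    uint16 component count, realm, components, uint32 name type,
    uint32 timestamp, uint8 kvno, uint16 enctype, uint16 key length,
    key bytes, then an optional uint32 kvno that overrides the 8-bit one.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    entries = []
    off = 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # deleted entry: skip the hole it leaves
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _cstr(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(data, off)
            comps.append(comp.decode())
        off += 4 + 4            # name type and timestamp, not needed here
        kvno = data[off]
        off += 1
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen         # skip the key material itself
        if end - off >= 4:      # 32-bit kvno present: it wins
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def enctypes_by_principal(entries):
    """Map principal -> sorted list of enctype names found for it."""
    seen = defaultdict(set)
    for princ, _kvno, et in entries:
        seen[princ].add(ENCTYPES.get(et, "enctype-%d" % et))
    return {p: sorted(s) for p, s in seen.items()}


def multi_enctype_principals(entries):
    """Principals that carry more than one encryption type."""
    return sorted(p for p, s in enctypes_by_principal(entries).items() if len(s) > 1)


def _entry(principal, kvno, enctype, key):
    """Encode one keytab entry; used only to build the constructed sample."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 1340000000, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: the nfs/ principal still has two enctypes (the case Rick
# warns about), the host/ principal has one, and a deleted slot sits in between.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry("nfs/tmp2.ist.intra@IST.INTRA", 3, 16, b"\x00" * 24)
    + _entry("nfs/tmp2.ist.intra@IST.INTRA", 3, 18, b"\x00" * 32)
    + struct.pack(">i", -8) + b"\x00" * 8
    + _entry("host/tmp2.ist.intra@IST.INTRA", 2, 16, b"\x00" * 24)
)


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    found = parse_keytab(raw)
    for princ, kvno, et in found:
        print("%-40s kvno=%-3d %s" % (princ, kvno, ENCTYPES.get(et, et)))
    for princ in multi_enctype_principals(found):
        print("WARNING: %s has multiple enctypes: %s"
              % (princ, ", ".join(enctypes_by_principal(found)[princ])))
```

Run it as `python3 keytab_check.py /etc/krb5.keytab` on both servers and diff the output; if the two machines really boot the same image, the listings must be identical, and a leftover aes entry next to the des3 one on only one of them would be exactly the kind of difference `kinit -k` alone does not reveal.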
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FEAD3AA.5050101>