Message-ID: <4FEAD3AA.5050101@ist.tugraz.at>
Date: Wed, 27 Jun 2012 11:34:34 +0200
From: Herbert Poeckl
Organization: TU Graz / IST
To: Rick Macklem
Cc: freebsd-stable@FreeBSD.org
Subject: Re: Need help with nfsv4 and krb5 access denied
In-Reply-To: <1235437294.2233474.1340669878977.JavaMail.root@erie.cs.uoguelph.ca>
List-Id: Production branch of FreeBSD source code

Hi Rick,

thank you very much for answering.

On 06/26/2012 02:17 AM, Rick Macklem wrote:
> Herbert Poeckl wrote:
>> Hi everybody.
>>
>> We are new to this list and need technical help.
>>
>> We are getting an access denied error on our debian clients when mounting
>> nfsv4 network drives with kerberos 5 authentication.
>>
>> What is weird about this is that it works with one server, but not
>> with a second server. The configuration on both machines is
>> identical, which we have tested by booting from the same USB drive.
>>
> Ok, if I understand you correctly, you are booting the 2 machines
> using the same USB root disk?

This is correct. As you can guess, it is for testing purposes only.

> Are they using DHCP to configure their network?
> (I'm just checking, since they would need to boot as the same
> hostname and IP address, if they are using the same /etc/krb5.keytab
> file. ie. They must both think they are:
> tmp2.ist.intra@IST.INTRA
> including name<->IP# resolution (/etc/hosts, DNS, or ???)
>
> If they are the "same host", then the only other thought is to make
> sure that their Time of Day clocks are correctly set.

The host's IP address is set statically. Name resolution is done with DNS, see keylog below [1]. Time is synchronized on system startup against a local time server.

> One simple check you can do on the server to confirm that the
> keytab entry is ok is to do:
> # kinit -k nfs/tmp2.ist.intra@IST.INTRA
> and make sure it can put an entry in root's credential cache
> from the keytab.

We performed a check. The output seems right, as you can see in [2]. Is there anything else we can check?

> Beyond that, I have no idea why one would work and the other not.
> (I always avoid multiple encryption types for keytabs, since I've
> seen Heimdal get confused about which one to use, but that normally
> happened to me when I was trying to get initiator credentials from
> a keytab entry.)

Reducing the encryption type to only one (des3-cbc-sha1) did not change the result.

> Hopefully someone else conversant with kerberos can help, rick

[1]
--- 8< -------------------------------- >8 ---
root@tmp2:/root # hostname
tmp2.ist.intra
root@tmp2:/root # ifconfig INT
INT: flags=8843 metric 0 mtu 1500
        options=c219b
        ether 00:21:28:45:c3:be
        inet 192.168.1.164 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::221:28ff:fe45:c3be%INT prefixlen 64 scopeid 0x3
        nd6 options=29
        media: Ethernet autoselect (1000baseT )
        status: active
root@tmp2:/root # host tmp2.ist.intra
tmp2.ist.intra has address 192.168.1.164
root@tmp2:/root # host 192.168.1.164
164.1.168.192.in-addr.arpa domain name pointer tmp2.ist.intra.
--- 8< -------------------------------- >8 ---

[2]
--- 8< -------------------------------- >8 ---
root@tmp2:/root # kinit -k nfs/tmp2.ist.intra
root@tmp2:/root # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: nfs/tmp2.ist.intra@IST.INTRA

  Issued           Expires          Principal
Jun 26 08:34:10  Jun 26 18:34:04  krbtgt/IST.INTRA@IST.INTRA
root@tmp2:/root #
--- 8< -------------------------------- >8 ---
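Rick's checklist from the exchange above (hostname, forward and reverse DNS agreeing, and a keytab kinit that lands a TGT in root's cache) as one script, added here as an example and not code from the thread. It assumes Heimdal kinit/klist as shipped with FreeBSD, the `host` utility, and the realm IST.INTRA used in the thread; the parsing helpers can be exercised on captured output without touching the network.

```shell
#!/bin/sh
# Added example, not code from the thread: runs Rick's checklist on the
# NFS server. Assumes Heimdal kinit/klist (FreeBSD base), the `host`
# utility, and the realm IST.INTRA from the thread; pass another realm
# as $1 if yours differs.

# Parse "NAME has address A.B.C.D" from forward-lookup output.
forward_addr() {
    printf '%s\n' "$2" | awk -v n="$1" \
        '$1 == n && $2 == "has" && $3 == "address" { print $4; exit }'
}

# Parse "X.in-addr.arpa domain name pointer NAME." from reverse-lookup output.
reverse_name() {
    printf '%s\n' "$1" | awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Forward and reverse DNS must agree, or the host and the KDC will not
# agree on which nfs/HOST principal this machine is.
dns_roundtrip_ok() {
    addr=$(forward_addr "$1" "$2")
    [ -n "$addr" ] || return 1
    [ "$(reverse_name "$3")" = "$1" ]
}

# klist output must name the service principal and hold a TGT (krbtgt/...).
klist_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" \
        '$1 == "Principal:" && $2 == p { seen = 1 }
         $NF ~ /^krbtgt\// { tgt = 1 }
         END { exit !(seen && tgt) }'
}

# Live checks on this host; stops at the first failure with a hint.
check_host_identity() {
    realm=${1:-IST.INTRA}
    name=$(hostname)
    fwd=$(host "$name") || { echo "forward lookup of $name failed"; return 1; }
    addr=$(forward_addr "$name" "$fwd")
    rev=$(host "$addr") || { echo "reverse lookup of $addr failed"; return 1; }
    dns_roundtrip_ok "$name" "$fwd" "$rev" || { echo "DNS mismatch for $name/$addr"; return 1; }
    princ="nfs/$name@$realm"
    kinit -k "$princ" || { echo "kinit -k $princ failed: check the keytab entry"; return 1; }
    klist_has_principal "$princ" "$(klist)" || { echo "no TGT for $princ in the cache"; return 1; }
    echo "OK: $name resolves both ways and $princ can obtain a TGT"
}

# Only run the live checks when invoked with a realm argument.
if [ "$#" -gt 0 ]; then check_host_identity "$1"; fi
```

Run it as root on each server booted from the shared USB disk; a mismatch between the two boxes in any step points at the difference Rick asked about.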