Message-ID: <4FEB6DB8.2000204@ist.tugraz.at>
Date: Wed, 27 Jun 2012 22:31:52 +0200
From: Herbert Poeckl
Organization: TU Graz / IST
To: Rick Macklem
Cc: freebsd-stable@FreeBSD.org
In-Reply-To: <4FEAD3AA.5050101@ist.tugraz.at>
Subject: Re: Need help with nfsv4 and krb5 access denied

Hello everyone,

we did more testing on this topic.

After we found a few hosts, basically HP desktop workstations with Intel onboard NICs, that worked and more hosts that didn't work, we placed a second PCI based NIC into one of the hosts that worked.

The surprising result is: With the onboard NIC, NFS Kerberos mount works fine. When the second NIC takes over, we get an access denied!

Here is the keylog of what we did. A few explanations:

em0 is the embedded onboard card, em1 is the PCI card we plugged into the machine[1].

192.168.1.164 is the IP address the server is configured for (which is tmp2.ist.intra in our DNS resolution). 192.168.6.2 is just a placeholder address. Both NICs are connected to the same switch (there is no firewall or VPN configured).

The system boots up with em0 as 192.168.1.164 and em1 as 192.168.6.2.[2] This is the configuration that works, see also the attached tcpdump on that interface[5].

Now we change the IP addresses of em0 to the placeholder address and em1 to the server's address and prove that the name resolution is still available[3]. This is where we get an access denied on the Linux NFS client, see tcpdump[6].

When we switch the IP addresses back[4], everything starts working again.

Please note: It doesn't make any difference if we configure em1 as the server IP address and em0 as placeholder at startup time, the result is the same.

We do hope that the dump is of any use. If not, or if there are better ways to debug the problem, your help would be welcome.

Kind regards,
Herbert Poeckl

[1]
--- 8< -------------------------------- >8 ---
root@tmp2:/root # dmesg | grep em0
em0: port 0x3100-0x311f mem 0xf3100000-0xf311ffff,0xf3125000-0xf3125fff irq 19 at device 25.0 on pci0
em0: Using an MSI interrupt
em0: Ethernet address: 00:0f:fe:e7:1c:ae
em0: link state changed to UP
root@tmp2:/root # dmesg | grep em1
em1: port 0x1100-0x113f mem 0xf3040000-0xf305ffff,0xf3000000-0xf303ffff irq 20 at device 4.0 on pci7
em1: Ethernet address: 00:1b:21:00:8b:2b
em1: link state changed to UP
--- 8< -------------------------------- >8 ---

[2]
--- 8< -------------------------------- >8 ---
root@tmp2:/root # grep em0 /etc/rc.conf
ifconfig_em0="inet 192.168.1.164 netmask 255.255.255.0"
root@tmp2:/root # grep em1 /etc/rc.conf
ifconfig_em1="inet 192.168.6.2 netmask 255.255.255.0"
root@tmp2:/root # grep defaultrouter /etc/rc.conf
defaultrouter="192.168.1.1"
root@tmp2:/root # host tmp2
tmp2.ist.intra has address 192.168.1.164
--- 8< -------------------------------- >8 ---

[3]
--- 8< -------------------------------- >8 ---
root@tmp2:/root # ifconfig em0 192.168.6.2 netmask 255.255.255.0 ; ifconfig em1 192.168.1.164 netmask 255.255.255.0 ; /etc/rc.d/routing restart
route: writing to routing socket: No such process
delete net default: gateway 192.168.1.1: not in table
delete net ::ffff:0.0.0.0: gateway ::1
delete net ::0.0.0.0: gateway ::1
delete net fe80::: gateway ::1
delete net ff02::: gateway ::1
add net default: gateway 192.168.1.1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
add net fe80::: gateway ::1
add net ff02::: gateway ::1
root@tmp2:/root #
root@tmp2:/root # host tmp2
tmp2.ist.intra has address 192.168.1.164
--- 8< -------------------------------- >8 ---

[4]
--- 8< -------------------------------- >8 ---
root@tmp2:/root # ifconfig em0 192.168.1.164 netmask 255.255.255.0 ; ifconfig em1 192.168.6.2 netmask 255.255.255.0 ; /etc/rc.d/routing restart
route: writing to routing socket: No such process
delete net default: gateway 192.168.1.1: not in table
delete net ::ffff:0.0.0.0: gateway ::1
delete net ::0.0.0.0: gateway ::1
delete net fe80::: gateway ::1
delete net ff02::: gateway ::1
add net default: gateway 192.168.1.1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
add net fe80::: gateway ::1
add net ff02::: gateway ::1
root@tmp2:/root #
--- 8< -------------------------------- >8 ---

[5] tcpdump(1) working:
--- 8< -------------------------------- >8 ---
15:47:21.151932 ARP, Request who-has 192.168.1.164 tell 192.168.1.40, length 46
15:47:21.151937 ARP, Reply 192.168.1.164 is-at 00:0f:fe:e7:1c:ae, length 28
15:47:21.152065 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [S], seq 2632408361, win 14600, options [mss 1460,sackOK,TS val 22818996 ecr 0,nop,wscale 6], length 0
15:47:21.152077 IP 192.168.1.164.2049 > 192.168.1.40.863: Flags [S.], seq 1896997472, ack 2632408362, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 320086661 ecr 22818996], length 0
15:47:21.152196 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [.], ack 1, win 229, options [nop,nop,TS val 22818996 ecr 320086661], length 0
15:47:21.152213 IP 192.168.1.40.2561817139 > 192.168.1.164.2049: 40 null
15:47:21.152237 IP 192.168.1.164.2049 > 192.168.1.40.863: Flags [.], ack 45, win 29127, options [nop,nop,TS val 320086661 ecr 22818996], length 0
15:47:21.152250 IP 192.168.1.164.2049 > 192.168.1.40.2561817139: reply ok 24 null
15:47:21.152329 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [.], ack 29, win 229, options [nop,nop,TS val 22818996 ecr 320086661], length 0
15:47:21.195274 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [S], seq 2939335575, win 14600, options [mss 1460,sackOK,TS val 22819007 ecr 0,nop,wscale 6], length 0
15:47:21.195284 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [S.], seq 3331281133, ack 2939335576, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2607816079 ecr 22819007], length 0
15:47:21.195409 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [.], ack 1, win 229, options [nop,nop,TS val 22819007 ecr 2607816079], length 0
15:47:21.237686 IP 192.168.1.40.3743254751 > 192.168.1.164.2049: 696 null
15:47:21.237700 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [.], ack 701, win 29127, options [nop,nop,TS val 2607816121 ecr 22819018], length 0
15:47:21.238121 IP 192.168.1.164.2049 > 192.168.1.40.3743254751: reply ok 248 null
15:47:21.238370 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [.], ack 253, win 245, options [nop,nop,TS val 22819018 ecr 2607816121], length 0
15:47:21.278494 IP 192.168.1.40.3726477535 > 192.168.1.164.2049: 68 null
15:47:21.278499 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [F.], seq 773, ack 253, win 245, options [nop,nop,TS val 22819028 ecr 2607816121], length 0
15:47:21.278506 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [.], ack 774, win 29125, options [nop,nop,TS val 2607816162 ecr 22819028], length 0
15:47:21.278508 IP 192.168.1.40.2578594355 > 192.168.1.164.2049: 208 getattr fh 0,100/0
15:47:21.278520 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [F.], seq 253, ack 774, win 29127, options [nop,nop,TS val 2607816162 ecr 22819028], length 0
15:47:21.278630 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [.], ack 254, win 245, options [nop,nop,TS val 22819028 ecr 2607816162], length 0
15:47:21.281980 IP 192.168.1.164.2049 > 192.168.1.40.2578594355: reply ok 348 getattr ERROR: unk 292
15:47:21.282248 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [.], ack 381, win 245, options [nop,nop,TS val 22819029 ecr 320086790], length 0
15:47:21.282389 IP 192.168.1.40.2595371571 > 192.168.1.164.2049: 232 getattr fh 0,124/0
15:47:21.282431 IP 192.168.1.164.2049 > 192.168.1.40.2595371571: reply ok 180 getattr ERROR: unk 124
15:47:21.282749 IP 192.168.1.40.2612148787 > 192.168.1.164.2049: 236 getattr fh 0,128/0
15:47:21.282807 IP 192.168.1.164.2049 > 192.168.1.40.2612148787: reply ok 204 getattr ERROR: unk 148
--- 8< -------------------------------- >8 ---

[6] tcpdump(1) with access denied:
--- 8< -------------------------------- >8 ---
15:57:01.626475 ARP, Request who-has 192.168.1.164 tell 192.168.1.40, length 46
15:57:01.626480 ARP, Reply 192.168.1.164 is-at 00:1b:21:00:8b:2b, length 28
15:57:01.626595 IP 192.168.1.40.888 > 192.168.1.164.2049: Flags [S], seq 344782976, win 14600, options [mss 1460,sackOK,TS val 22964116 ecr 0,nop,wscale 6], length 0
15:57:01.626606 IP 192.168.1.164.2049 > 192.168.1.40.888: Flags [S.], seq 4111877472, ack 344782977, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2914443055 ecr 22964116], length 0
15:57:01.626725 IP 192.168.1.40.888 > 192.168.1.164.2049: Flags [.], ack 1, win 229, options [nop,nop,TS val 22964116 ecr 2914443055], length 0
15:57:01.626741 IP 192.168.1.40.2525406720 > 192.168.1.164.2049: 40 null
15:57:01.626761 IP 192.168.1.164.2049 > 192.168.1.40.888: Flags [.], ack 45, win 29127, options [nop,nop,TS val 2914443055 ecr 22964116], length 0
15:57:01.626772 IP 192.168.1.164.2049 > 192.168.1.40.2525406720: reply ok 24 null
15:57:01.626974 IP 192.168.1.40.888 > 192.168.1.164.2049: Flags [.], ack 29, win 229, options [nop,nop,TS val 22964116 ecr 2914443055], length 0
15:57:01.643462 IP 192.168.6.181.17500 > 192.168.6.255.17500: UDP, length 132
15:57:01.684686 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [S], seq 2437332411, win 14600, options [mss 1460,sackOK,TS val 22964130 ecr 0,nop,wscale 6], length 0
15:57:01.684695 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [S.], seq 3809706473, ack 2437332412, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 898091316 ecr 22964130], length 0
15:57:01.684818 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [.], ack 1, win 229, options [nop,nop,TS val 22964130 ecr 898091316], length 0
15:57:01.765886 IP 192.168.1.40.3742773980 > 192.168.1.164.2049: 696 null
15:57:01.765899 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [.], ack 701, win 29127, options [nop,nop,TS val 898091398 ecr 22964150], length 0
15:57:01.766296 IP 192.168.1.164.2049 > 192.168.1.40.3742773980: reply ok 248 null
15:57:01.766513 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [.], ack 253, win 245, options [nop,nop,TS val 22964151 ecr 898091398], length 0
15:57:01.828347 IP 192.168.1.40.3725996764 > 192.168.1.164.2049: 68 null
15:57:01.828352 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [F.], seq 773, ack 253, win 245, options [nop,nop,TS val 22964166 ecr 898091398], length 0
15:57:01.828359 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [.], ack 774, win 29125, options [nop,nop,TS val 898091460 ecr 22964166], length 0
15:57:01.828371 IP 192.168.1.164.2049 > 192.168.1.40.3725996764: reply ERR 20: Auth Invalid failure code 13
15:57:01.828374 IP 192.168.1.40.2542183936 > 192.168.1.164.2049: 208 getattr fh 0,100/0
15:57:01.828378 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [F.], seq 277, ack 774, win 29127, options [nop,nop,TS val 898091460 ecr 22964166], length 0
15:57:01.828403 IP 192.168.1.164.2049 > 192.168.1.40.2542183936: reply ERR 20: Auth Invalid failure code 13
15:57:01.828478 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [R], seq 2437333185, win 0, length 0
15:57:01.828482 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [R], seq 2437333185, win 0, length 0
--- 8< -------------------------------- >8 ---
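
An added example, not part of the original message: a small Python parser for tcpdump text output like the two captures above, which records the MAC that answered ARP for the server address and lists the RPC replies rejected with an auth error. The `AUTH_STAT` names come from the `auth_stat` enum in RFC 5531; the function names are illustrative.

```python
import re

# auth_stat names from RFC 5531 (subset); 13 and 14 are the RPCSEC_GSS codes.
AUTH_STAT = {1: "AUTH_BADCRED", 2: "AUTH_REJECTEDCRED", 5: "AUTH_TOOWEAK",
             13: "RPCSEC_GSS_CREDPROBLEM", 14: "RPCSEC_GSS_CTXPROBLEM"}
ARP_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})")
# tcpdump prints an RPC reply as "server.2049 > client.XID: reply ok|ERR ..."
REPLY_RE = re.compile(r"^(\S+) IP \S+\.2049 > \S+\.(\d+): reply (ok|ERR)(.*)$")
CODE_RE = re.compile(r"Auth .*failure code (\d+)")

# Lines copied from the two captures in the message above (excerpt).
WORKING = """\
15:47:21.151937 ARP, Reply 192.168.1.164 is-at 00:0f:fe:e7:1c:ae, length 28
15:47:21.152250 IP 192.168.1.164.2049 > 192.168.1.40.2561817139: reply ok 24 null
15:47:21.238121 IP 192.168.1.164.2049 > 192.168.1.40.3743254751: reply ok 248 null
15:47:21.278506 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [.], ack 774, win 29125, options [nop,nop,TS val 2607816162 ecr 22819028], length 0
15:47:21.281980 IP 192.168.1.164.2049 > 192.168.1.40.2578594355: reply ok 348 getattr ERROR: unk 292
"""
DENIED = """\
15:57:01.626480 ARP, Reply 192.168.1.164 is-at 00:1b:21:00:8b:2b, length 28
15:57:01.626772 IP 192.168.1.164.2049 > 192.168.1.40.2525406720: reply ok 24 null
15:57:01.766296 IP 192.168.1.164.2049 > 192.168.1.40.3742773980: reply ok 248 null
15:57:01.828371 IP 192.168.1.164.2049 > 192.168.1.40.3725996764: reply ERR 20: Auth Invalid failure code 13
15:57:01.828403 IP 192.168.1.164.2049 > 192.168.1.40.2542183936: reply ERR 20: Auth Invalid failure code 13
"""

def summarize(capture):
    """Return ARP owners, the count of accepted RPC replies, and auth rejections."""
    arp, ok, rejected = {}, 0, []
    for line in capture.splitlines():
        if m := ARP_RE.search(line):
            arp[m.group(1)] = m.group(2)
        elif m := REPLY_RE.match(line):          # plain TCP segments do not match
            ts, xid, status, rest = m.groups()
            if status == "ok":
                ok += 1
            elif c := CODE_RE.search(rest):
                code = int(c.group(1))
                rejected.append((ts, xid, code, AUTH_STAT.get(code, "unknown")))
    return {"arp": arp, "rpc_ok": ok, "rejected": rejected}

def compare(working, denied, server_ip):
    """Contrast two captures: which MAC answered for server_ip, what was rejected."""
    w, d = summarize(working), summarize(denied)
    return {"mac": (w["arp"].get(server_ip), d["arp"].get(server_ip)),
            "rejected_working": w["rejected"], "rejected_denied": d["rejected"]}

if __name__ == "__main__":
    print(compare(WORKING, DENIED, "192.168.1.164"))
```

On these excerpts the answering MAC changes from em0's address to em1's, and only the second capture contains rejected replies, both with code 13.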