Date:      Wed, 27 Jun 2012 20:07:47 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Herbert Poeckl <freebsdml@ist.tugraz.at>
Cc:        freebsd-stable@FreeBSD.org
Subject:   Re: Need help with nfsv4 and krb5 access denied
Message-ID:  <686121506.2338267.1340842067785.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <4FEB6DB8.2000204@ist.tugraz.at>

Herbert Poeckl wrote:
> Hello everyone,
> 
> we did more testing on this topic.
> 
> After we found a few hosts, basically HP desktop workstations with Intel
> onboard NICs, that worked and more hosts that didn't work, we placed a
> second PCI based NIC into one of the hosts that worked.
> 
> The surprising result is:
> With the onboard NIC the nfs kerberos mount works fine. When the second
> NIC takes over, we get an access denied!
> 
> Here is the keylog of what we did.
> 
> A few explanations: em0 is the embedded onboard card, em1 is the PCI
> card we plugged into the machine[1].
> 
> 192.168.1.164 is the IP address the server is configured for (which is
> tmp2.ist.intra in our DNS resolution). 192.168.6.2 is just a placeholder
> address. Both NICs are connected to the same switch (there is no
> firewall or VPN configured).
> 
Ok, from my limited knowledge of Kerberos, here is how I understand that
a host based keytab entry is used.

The NFS server will authenticate nfs/tmp2.ist.intra against the Kerberos
KDC, using the information in the keytab entry. The whole idea behind a
host based principal like "nfs/tmp2.ist.intra" is that it can only be
used by the host "tmp2.ist.intra". As such, when the Kerberos KDC receives
an authentication request for nfs/tmp2.ist.intra, it will DNS resolve
tmp2.ist.intra (to 192.168.1.164 it seems) and will compare that to the
IP address the authentication request is received from. I think this
means the KDC will fail the request if it is sent to the KDC from 192.168.6.2.

Your KDC should be logging something when this fails and the traffic you'd
need to look at is the traffic between the NFS server and the KDC. (I'd use
wireshark, since it probably knows a fair bit about Kerberos.)

My guess is that this is what is causing your failure, rick

> The system boots up with em0 as 192.168.1.164 and em1 as 192.168.6.2.[2]
> This is the configuration that works, see also the attached tcpdump on
> that interface[5].
> 
> Now we change the IP addresses of em0 to the placeholder address and em1
> to the server's address and prove that the name resolution is still
> available[3]. This is where we get an access denied on the linux nfs
> client, see tcpdump[6].
> 
> When we switch the IP addresses back[4], everything starts working
> again.
> 
> Please note: It doesn't make any difference if we configure em1 as the
> server IP address and em0 as placeholder at startup time, the result is
> the same.
> 
> We do hope that the dump is of any use. If not, or if there are better
> ways to debug the problem, your help would be welcome.
> 
> Kind regards,
> Herbert Poeckl
> 
> 
> [1]
> --- 8< -------------------------------- >8 ---
> root@tmp2:/root # dmesg | grep em0
> em0: <Intel(R) PRO/1000 Network Connection 7.3.2> port 0x3100-0x311f mem 0xf3100000-0xf311ffff,0xf3125000-0xf3125fff irq 19 at device 25.0 on pci0
> em0: Using an MSI interrupt
> em0: Ethernet address: 00:0f:fe:e7:1c:ae
> em0: link state changed to UP
> 
> root@tmp2:/root # dmesg | grep em1
> em1: <Intel(R) PRO/1000 Legacy Network Connection 1.0.4> port 0x1100-0x113f mem 0xf3040000-0xf305ffff,0xf3000000-0xf303ffff irq 20 at device 4.0 on pci7
> em1: Ethernet address: 00:1b:21:00:8b:2b
> em1: link state changed to UP
> --- 8< -------------------------------- >8 ---
> 
> 
> [2]
> --- 8< -------------------------------- >8 ---
> root@tmp2:/root # grep em0 /etc/rc.conf
> ifconfig_em0="inet 192.168.1.164 netmask 255.255.255.0"
> 
> root@tmp2:/root # grep em1 /etc/rc.conf
> ifconfig_em1="inet 192.168.6.2 netmask 255.255.255.0"
> 
> root@tmp2:/root # grep defaultrouter /etc/rc.conf
> defaultrouter="192.168.1.1"
> 
> root@tmp2:/root # host tmp2
> tmp2.ist.intra has address 192.168.1.164
> --- 8< -------------------------------- >8 ---
> 
> 
> [3]
> --- 8< -------------------------------- >8 ---
> root@tmp2:/root # ifconfig em0 192.168.6.2 netmask 255.255.255.0 ; ifconfig em1 192.168.1.164 netmask 255.255.255.0 ; /etc/rc.d/routing restart
> route: writing to routing socket: No such process
> delete net default: gateway 192.168.1.1: not in table
> delete net ::ffff:0.0.0.0: gateway ::1
> delete net ::0.0.0.0: gateway ::1
> delete net fe80::: gateway ::1
> delete net ff02::: gateway ::1
> add net default: gateway 192.168.1.1
> add net ::ffff:0.0.0.0: gateway ::1
> add net ::0.0.0.0: gateway ::1
> add net fe80::: gateway ::1
> add net ff02::: gateway ::1
> root@tmp2:/root #
> 
> root@tmp2:/root # host tmp2
> tmp2.ist.intra has address 192.168.1.164
> --- 8< -------------------------------- >8 ---
> 
> [4]
> --- 8< -------------------------------- >8 ---
> root@tmp2:/root # ifconfig em0 192.168.1.164 netmask 255.255.255.0 ; ifconfig em1 192.168.6.2 netmask 255.255.255.0 ; /etc/rc.d/routing restart
> route: writing to routing socket: No such process
> delete net default: gateway 192.168.1.1: not in table
> delete net ::ffff:0.0.0.0: gateway ::1
> delete net ::0.0.0.0: gateway ::1
> delete net fe80::: gateway ::1
> delete net ff02::: gateway ::1
> add net default: gateway 192.168.1.1
> add net ::ffff:0.0.0.0: gateway ::1
> add net ::0.0.0.0: gateway ::1
> add net fe80::: gateway ::1
> add net ff02::: gateway ::1
> root@tmp2:/root #
> --- 8< -------------------------------- >8 ---
> 
> [5] tcpdump(1) working:
> --- 8< -------------------------------- >8 ---
> 15:47:21.151932 ARP, Request who-has 192.168.1.164 tell 192.168.1.40, length 46
> 15:47:21.151937 ARP, Reply 192.168.1.164 is-at 00:0f:fe:e7:1c:ae, length 28
> 15:47:21.152065 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [S], seq 2632408361, win 14600, options [mss 1460,sackOK,TS val 22818996 ecr 0,nop,wscale 6], length 0
> 15:47:21.152077 IP 192.168.1.164.2049 > 192.168.1.40.863: Flags [S.], seq 1896997472, ack 2632408362, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 320086661 ecr 22818996], length 0
> 15:47:21.152196 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [.], ack 1, win 229, options [nop,nop,TS val 22818996 ecr 320086661], length 0
> 15:47:21.152213 IP 192.168.1.40.2561817139 > 192.168.1.164.2049: 40 null
> 15:47:21.152237 IP 192.168.1.164.2049 > 192.168.1.40.863: Flags [.], ack 45, win 29127, options [nop,nop,TS val 320086661 ecr 22818996], length 0
> 15:47:21.152250 IP 192.168.1.164.2049 > 192.168.1.40.2561817139: reply ok 24 null
> 15:47:21.152329 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [.], ack 29, win 229, options [nop,nop,TS val 22818996 ecr 320086661], length 0
> 15:47:21.195274 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [S], seq 2939335575, win 14600, options [mss 1460,sackOK,TS val 22819007 ecr 0,nop,wscale 6], length 0
> 15:47:21.195284 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [S.], seq 3331281133, ack 2939335576, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2607816079 ecr 22819007], length 0
> 15:47:21.195409 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [.], ack 1, win 229, options [nop,nop,TS val 22819007 ecr 2607816079], length 0
> 15:47:21.237686 IP 192.168.1.40.3743254751 > 192.168.1.164.2049: 696 null
> 15:47:21.237700 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [.], ack 701, win 29127, options [nop,nop,TS val 2607816121 ecr 22819018], length 0
> 15:47:21.238121 IP 192.168.1.164.2049 > 192.168.1.40.3743254751: reply ok 248 null
> 15:47:21.238370 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [.], ack 253, win 245, options [nop,nop,TS val 22819018 ecr 2607816121], length 0
> 15:47:21.278494 IP 192.168.1.40.3726477535 > 192.168.1.164.2049: 68 null
> 15:47:21.278499 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [F.], seq 773, ack 253, win 245, options [nop,nop,TS val 22819028 ecr 2607816121], length 0
> 15:47:21.278506 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [.], ack 774, win 29125, options [nop,nop,TS val 2607816162 ecr 22819028], length 0
> 15:47:21.278508 IP 192.168.1.40.2578594355 > 192.168.1.164.2049: 208 getattr fh 0,100/0
> 15:47:21.278520 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [F.], seq 253, ack 774, win 29127, options [nop,nop,TS val 2607816162 ecr 22819028], length 0
> 15:47:21.278630 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [.], ack 254, win 245, options [nop,nop,TS val 22819028 ecr 2607816162], length 0
> 15:47:21.281980 IP 192.168.1.164.2049 > 192.168.1.40.2578594355: reply ok 348 getattr ERROR: unk 292
> 15:47:21.282248 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [.], ack 381, win 245, options [nop,nop,TS val 22819029 ecr 320086790], length 0
> 15:47:21.282389 IP 192.168.1.40.2595371571 > 192.168.1.164.2049: 232 getattr fh 0,124/0
> 15:47:21.282431 IP 192.168.1.164.2049 > 192.168.1.40.2595371571: reply ok 180 getattr ERROR: unk 124
> 15:47:21.282749 IP 192.168.1.40.2612148787 > 192.168.1.164.2049: 236 getattr fh 0,128/0
> 15:47:21.282807 IP 192.168.1.164.2049 > 192.168.1.40.2612148787: reply ok 204 getattr ERROR: unk 148
> --- 8< -------------------------------- >8 ---
> 
> [6] tcpdump(1) with access denied:
> --- 8< -------------------------------- >8 ---
> 15:57:01.626475 ARP, Request who-has 192.168.1.164 tell 192.168.1.40, length 46
> 15:57:01.626480 ARP, Reply 192.168.1.164 is-at 00:1b:21:00:8b:2b, length 28
> 15:57:01.626595 IP 192.168.1.40.888 > 192.168.1.164.2049: Flags [S], seq 344782976, win 14600, options [mss 1460,sackOK,TS val 22964116 ecr 0,nop,wscale 6], length 0
> 15:57:01.626606 IP 192.168.1.164.2049 > 192.168.1.40.888: Flags [S.], seq 4111877472, ack 344782977, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2914443055 ecr 22964116], length 0
> 15:57:01.626725 IP 192.168.1.40.888 > 192.168.1.164.2049: Flags [.], ack 1, win 229, options [nop,nop,TS val 22964116 ecr 2914443055], length 0
> 15:57:01.626741 IP 192.168.1.40.2525406720 > 192.168.1.164.2049: 40 null
> 15:57:01.626761 IP 192.168.1.164.2049 > 192.168.1.40.888: Flags [.], ack 45, win 29127, options [nop,nop,TS val 2914443055 ecr 22964116], length 0
> 15:57:01.626772 IP 192.168.1.164.2049 > 192.168.1.40.2525406720: reply ok 24 null
> 15:57:01.626974 IP 192.168.1.40.888 > 192.168.1.164.2049: Flags [.], ack 29, win 229, options [nop,nop,TS val 22964116 ecr 2914443055], length 0
> 15:57:01.643462 IP 192.168.6.181.17500 > 192.168.6.255.17500: UDP, length 132
> 15:57:01.684686 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [S], seq 2437332411, win 14600, options [mss 1460,sackOK,TS val 22964130 ecr 0,nop,wscale 6], length 0
> 15:57:01.684695 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [S.], seq 3809706473, ack 2437332412, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 898091316 ecr 22964130], length 0
> 15:57:01.684818 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [.], ack 1, win 229, options [nop,nop,TS val 22964130 ecr 898091316], length 0
> 15:57:01.765886 IP 192.168.1.40.3742773980 > 192.168.1.164.2049: 696 null
> 15:57:01.765899 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [.], ack 701, win 29127, options [nop,nop,TS val 898091398 ecr 22964150], length 0
> 15:57:01.766296 IP 192.168.1.164.2049 > 192.168.1.40.3742773980: reply ok 248 null
> 15:57:01.766513 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [.], ack 253, win 245, options [nop,nop,TS val 22964151 ecr 898091398], length 0
> 15:57:01.828347 IP 192.168.1.40.3725996764 > 192.168.1.164.2049: 68 null
> 15:57:01.828352 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [F.], seq 773, ack 253, win 245, options [nop,nop,TS val 22964166 ecr 898091398], length 0
> 15:57:01.828359 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [.], ack 774, win 29125, options [nop,nop,TS val 898091460 ecr 22964166], length 0
> 15:57:01.828371 IP 192.168.1.164.2049 > 192.168.1.40.3725996764: reply ERR 20: Auth Invalid failure code 13
> 15:57:01.828374 IP 192.168.1.40.2542183936 > 192.168.1.164.2049: 208 getattr fh 0,100/0
> 15:57:01.828378 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [F.], seq 277, ack 774, win 29127, options [nop,nop,TS val 898091460 ecr 22964166], length 0
> 15:57:01.828403 IP 192.168.1.164.2049 > 192.168.1.40.2542183936: reply ERR 20: Auth Invalid failure code 13
> 15:57:01.828478 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [R], seq 2437333185, win 0, length 0
> 15:57:01.828482 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [R], seq 2437333185, win 0, length 0
> --- 8< -------------------------------- >8 ---
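As an added example (not part of this thread and not FreeBSD or tcpdump code), the Python script below shows one way to triage the two tcpdump(1) excerpts quoted above before moving on to the server-to-KDC traffic Rick suggests capturing. It parses the text lines tcpdump prints, records which MAC address answered ARP for the server IP, counts the ONC RPC replies the server accepted versus denied, and decodes the number behind "Auth Invalid failure code 13" with the auth_stat enum from RFC 5531 and RFC 2203 (13 is RPCSEC_GSS_CREDPROBLEM). The regular expressions are assumptions fitted to the quoted output rather than a general tcpdump parser, and the two sample captures are abridged copies of the lines above.

```python
"""Triage helper for tcpdump(1) text output such as the captures quoted in the
mail. Added example; the regexes below are assumptions fitted to that output."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# auth_stat values: RFC 5531 section 9 (AUTH_*) and RFC 2203 section 5.1 (RPCSEC_GSS_*)
AUTH_STAT = {
    0: "AUTH_OK", 1: "AUTH_BADCRED", 2: "AUTH_REJECTEDCRED", 3: "AUTH_BADVERF",
    4: "AUTH_REJECTEDVERF", 5: "AUTH_TOOWEAK", 6: "AUTH_INVALIDRESP",
    7: "AUTH_FAILED", 8: "AUTH_KERB_GENERIC", 9: "AUTH_TIMEEXPIRE",
    10: "AUTH_TKT_FILE", 11: "AUTH_DECODE", 12: "AUTH_NET_ADDR",
    13: "RPCSEC_GSS_CREDPROBLEM", 14: "RPCSEC_GSS_CTXPROBLEM",
}

# "<ts> ARP, Reply <ip> is-at <mac>, length N"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})")
# "<ts> IP <srv>.<port> > <client>.<xid>: reply ok <len> <proc...>"
# "<ts> IP <srv>.<port> > <client>.<xid>: reply ERR <len>: <reason...>"
RPC_REPLY = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<xid>\d+): "
    r"reply (?P<status>ok|ERR) (?P<len>\d+)(?::\s*(?P<detail>.*)|\s+(?P<proc>.*))?$")
FAILURE_CODE = re.compile(r"failure code (?P<code>\d+)")


@dataclass
class Triage:
    server_ip: str
    server_mac: Optional[str]          # MAC that answered ARP for server_ip
    accepted: int                      # MSG_ACCEPTED replies from the server
    denied: int                        # MSG_DENIED replies from the server
    auth_errors: List[Tuple[str, str]]  # (xid, auth_stat name) per denied reply


def triage(capture: str, server_ip: str) -> Triage:
    """Summarise one capture: ARP answer for the server plus RPC reply status."""
    mac = None
    accepted = denied = 0
    auth_errors: List[Tuple[str, str]] = []
    for line in capture.splitlines():
        m = ARP_REPLY.match(line)
        if m and m["ip"] == server_ip:
            mac = m["mac"]
            continue
        m = RPC_REPLY.match(line)
        if not m or m["src"] != server_ip:
            continue                   # requests, TCP control segments, other hosts
        if m["status"] == "ok":
            accepted += 1              # credentials passed the RPC layer
            continue
        denied += 1
        code = FAILURE_CODE.search(m["detail"] or "")
        if code:
            n = int(code["code"])
            auth_errors.append((m["xid"], AUTH_STAT.get(n, f"unknown auth_stat {n}")))
    return Triage(server_ip, mac, accepted, denied, auth_errors)


def nic_changed(before: Triage, after: Triage) -> bool:
    """True when a different MAC answered ARP for the same server IP."""
    return before.server_mac is not None and before.server_mac != after.server_mac


# Abridged copies of captures [5] and [6] from the mail (constructed sample input).
WORKING_CAPTURE = """\
15:47:21.151932 ARP, Request who-has 192.168.1.164 tell 192.168.1.40, length 46
15:47:21.151937 ARP, Reply 192.168.1.164 is-at 00:0f:fe:e7:1c:ae, length 28
15:47:21.152213 IP 192.168.1.40.2561817139 > 192.168.1.164.2049: 40 null
15:47:21.152250 IP 192.168.1.164.2049 > 192.168.1.40.2561817139: reply ok 24 null
15:47:21.237686 IP 192.168.1.40.3743254751 > 192.168.1.164.2049: 696 null
15:47:21.238121 IP 192.168.1.164.2049 > 192.168.1.40.3743254751: reply ok 248 null
15:47:21.278508 IP 192.168.1.40.2578594355 > 192.168.1.164.2049: 208 getattr fh 0,100/0
15:47:21.281980 IP 192.168.1.164.2049 > 192.168.1.40.2578594355: reply ok 348 getattr ERROR: unk 292
"""
FAILING_CAPTURE = """\
15:57:01.626480 ARP, Reply 192.168.1.164 is-at 00:1b:21:00:8b:2b, length 28
15:57:01.626772 IP 192.168.1.164.2049 > 192.168.1.40.2525406720: reply ok 24 null
15:57:01.643462 IP 192.168.6.181.17500 > 192.168.6.255.17500: UDP, length 132
15:57:01.766296 IP 192.168.1.164.2049 > 192.168.1.40.3742773980: reply ok 248 null
15:57:01.828371 IP 192.168.1.164.2049 > 192.168.1.40.3725996764: reply ERR 20: Auth Invalid failure code 13
15:57:01.828403 IP 192.168.1.164.2049 > 192.168.1.40.2542183936: reply ERR 20: Auth Invalid failure code 13
"""

if __name__ == "__main__":
    good = triage(WORKING_CAPTURE, "192.168.1.164")
    bad = triage(FAILING_CAPTURE, "192.168.1.164")
    for name, t in (("working", good), ("failing", bad)):
        print(f"{name}: server MAC {t.server_mac}, accepted {t.accepted}, denied {t.denied}")
        for xid, why in t.auth_errors:
            print(f"  xid {xid}: MSG_DENIED, auth_stat {why}")
    if nic_changed(good, bad):
        print("server IP is now answered by a different NIC")
```

Run against the two captures it reports that the working trace contains only accepted replies answered from 00:0f:fe:e7:1c:ae, while the failing trace shows two MSG_DENIED replies with auth_stat RPCSEC_GSS_CREDPROBLEM answered from 00:1b:21:00:8b:2b. The denial is therefore issued by the NFS server's RPC layer on the client-facing side, so the next capture worth taking is between the server and the KDC, as the reply above recommends.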


