Date:      Thu, 28 Jun 2012 11:34:44 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Herbert Poeckl <freebsdml@ist.tugraz.at>
Cc:        freebsd-stable@FreeBSD.org
Subject:   Re: Need help with nfsv4 and krb5 access denied
Message-ID:  <1914283839.2362353.1340897684902.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <4FEC694C.6060408@ist.tugraz.at>

Herbert Poeckl wrote:
> On 06/28/2012 02:07 AM, Rick Macklem wrote:
> > The NFS server will authenticate nfs/tmp2.ist.intra against the Kerberos
> > KDC, using the information in the keytab entry. The whole idea behind a
> > host based principal like "nfs/tmp2.ist.intra" is that it can only be
> > used by the host "tmp2.ist.intra". As such, when the Kerberos KDC receives
> > an authentication request for nfs/tmp2.ist.intra, it will DNS resolve
> > tmp2.ist.intra (to 192.168.1.164 it seems) and will compare that to the
> > IP address the authentication request is received from. I think this
> > means the KDC will fail the request if it is sent to the KDC from
> > 192.168.6.2.
> 
> Yes, of course. There is and will be no traffic on 192.168.6.2.
> 
> What I've tried to say (and probably failed), is that we have a network
> card in the machine, where the result is always access denied (with the
> correct server IP address set for that NIC).
> 
Hmm, have you tried krb5 or krb5i? krb5p (which was the only one you
had exported) means that the NFS RPCs are DES encrypted on the wire.
This makes looking at them pretty useless in wireshark. (This comment
doesn't apply to the traffic between the NFS server and the KDC, but
wireshark will do a good job of decoding krb5, krb5i NFS traffic.)

The only other thought I had (I have no idea if this is even possible?)
is that some sort of hardware offload in the network card is screwing
things up. (I don't know the em hardware, but you might try disabling
TSO etc, in case the packets are somehow getting corrupted?)

Good luck with it. It would be nice to know why this is happening.
Since the NIC is way below the NFS layer, I can't think of any reason
why NFS would care which NIC is used.

rick

> 
> > Your KDC should be logging something when this fails and the traffic you'd
> > need to look at is the traffic between the NFS server and the KDC. (I'd use
> > wireshark, since it probably knows a fair bit about Kerberos.)
> 
> Thank you, I will give it a try.
> 
> Kind regards,
> Herbert
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to
> "freebsd-stable-unsubscribe@freebsd.org"
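To act on Rick's two suggestions on a FreeBSD NFS server, here is an added shell example (not part of the thread and not FreeBSD project code): it widens a krb5p-only exports(5) entry to krb5:krb5i:krb5p so that a krb5 or krb5i mount can be captured and decoded in wireshark, and it prints the ifconfig(8) command that switches off TSO and related offloads on the NIC for the test. The interface name em0, the temp file path and the sample exports lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Both helpers work on text only, so
# they can be exercised on a constructed copy of /etc/exports without
# touching a live server; apply the output by hand once it looks right.

# Rewrite exports(5) entries that offer only krb5p so they also offer
# krb5 and krb5i. Clients still pick the strongest flavor they support,
# but a capture of a krb5/krb5i mount is readable, unlike krb5p, whose
# RPC payloads are encrypted on the wire.
# Usage: widen_sec_flavors FILE   (rewritten file goes to stdout)
widen_sec_flavors() {
    sed -E 's/-sec=krb5p([[:space:]]|$)/-sec=krb5:krb5i:krb5p\1/' "$1"
}

# Print the ifconfig(8) command that disables TSO, LRO and checksum
# offload on the given interface (assumed em0), so the NFS traffic can be
# retested with the card doing no segmentation or checksum work.
# Usage: offload_off_cmd IFACE
offload_off_cmd() {
    printf 'ifconfig %s -tso -lro -rxcsum -txcsum\n' "$1"
}

# Constructed sample exports file (assumed paths/network) for a
# stand-alone run of the helpers above.
EXPORTS_SAMPLE=$(mktemp)
cat > "$EXPORTS_SAMPLE" <<'EOF'
/export/home -sec=krb5p -network 192.168.1.0/24
V4: /export -sec=krb5p
EOF

widen_sec_flavors "$EXPORTS_SAMPLE"
offload_off_cmd em0
rm -f "$EXPORTS_SAMPLE"
```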
