Date:      Thu, 28 Jun 2012 14:01:21 -0600
From:      Ian Lepore <freebsd@damnhippie.dyndns.org>
To:        Herbert Poeckl <freebsdml@ist.tugraz.at>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Need help with nfsv4 and krb5 access denied
Message-ID:  <1340913681.1110.84.camel@revolution.hippie.lan>
In-Reply-To: <4FEC694C.6060408@ist.tugraz.at>
References:  <686121506.2338267.1340842067785.JavaMail.root@erie.cs.uoguelph.ca> <4FEC694C.6060408@ist.tugraz.at>

On Thu, 2012-06-28 at 16:25 +0200, Herbert Poeckl wrote:
> On 06/28/2012 02:07 AM, Rick Macklem wrote:
> > The NFS server will authenticate nfs/tmp2.ist.intra against the Kerberos
> > KDC, using the information in the keytab entry. The whole idea behind a
> > host based principal like "nfs/tmp2.ist.intra" is that it can only be
> > used by the host "tmp2.ist.intra". As such, when the Kerberos KDC receives
> > an authentication request for nfs/tmp2.ist.intra, it will DNS resolve
> > tmp2.ist.intra (to 192.168.1.164 it seems) and will compare that to the
> > IP address the authentication request is received from. I think this
> > means the KDC will fail the request if it is sent to the KDC from 192.168.6.2.
> 
> Yes, of course. There is and will be no traffic on 192.168.6.2.
> 
> What I've tried to say (and probably failed), is that we have a network
> card in the machine, where the result is always access denied (with the
> correct server IP address set for that NIC).
> 
> 
> > Your KDC should be logging something when this fails and the traffic you'd
> > need to look at is the traffic between the NFS server and the KDC. (I'd use
> > wireshark, since it probably knows a fair bit about Kerberos.)
> 
> Thank you, I will give it a try.
> 
> Kind regards,
>  Herbert

When something in software works fine with one NIC but not another
(nearly-) identical one, the first thing that comes to my mind is that
the MAC address on the card is being used by the software as a sort of
UUID.  I had that happen with a commercial software once; when I changed
NICs in the machine the software stopped working and said it wasn't
registered on that machine.  (I would have been annoyed except this
sophisticated "security system" was circumvented by deleting a file that
wasn't even hard to find, and it automatically re-authorized itself on
the next run using the new MAC address.)

-- Ian