From: Herbert Poeckl
Organization: TU Graz / IST
Date: Mon, 25 Jun 2012 13:21:18 +0200
To: freebsd-stable@FreeBSD.org
Subject: Need help with nfsv4 and krb5 access denied
Message-ID: <4FE849AE.3080902@ist.tugraz.at>

Hi everybody.

We are new to this list and need technical help.

We are getting an access denied error on our Debian clients when mounting NFSv4 network drives with Kerberos 5 authentication.

What is weird about this is that it works with one server, but not with a second server. The configuration on both machines is identical, which we have tested by booting from the same USB drive.

The one where it works is an Intel-based standard workstation (HP DC7800). The machine where it does not work is an AMD Opteron-based server (Sun X4540).

Any other Kerberos authentication (like SMB and netatalk) works fine.

We basically followed these instructions:
http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

Our system configuration looks as follows:

-- 8< ----------------------------------------- >8 --
root@tmp2:/root # uname -a
FreeBSD tmp2.ist.intra 9.0-STABLE FreeBSD 9.0-STABLE #4: Thu Jun 14 08:58:14 UTC 2012 root@srv.ist.intra:/usr/obj/system/usr/src/sys/SRV amd64

root@tmp2:/root # diff /usr/src/sys/amd64/conf/GENERIC /usr/src/sys/amd64/conf/SRV
348a349,354
>
>
> options KGSSAPI
> device crypto
>
> options NETATALK

root@tmp2:/root # cat /etc/krb5.conf
[libdefaults]
default_realm = IST.INTRA
forwardable = true
proxiable = true

root@tmp2:/root # ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  nfs/tmp2.ist.intra@IST.INTRA
  1  des3-cbc-sha1            nfs/tmp2.ist.intra@IST.INTRA
  1  arcfour-hmac-md5         nfs/tmp2.ist.intra@IST.INTRA
ktutil: krb5_kt_start_seq_get krb4:/etc/srvtab: open(/etc/srvtab): No such file or directory

root@tmp2:/root # cat /etc/exports
V4: /tmp -sec=krb5p -network 192.168.1.0 -mask 255.255.255.0
/tmp/blah -sec=krb5p -network 192.168.1.0 -mask 255.255.255.0
root@tmp2:/root #

root@tmp2:/root # less /var/run/dmesg.boot
FreeBSD 9.0-STABLE #4: Thu Jun 14 08:58:14 UTC 2012
    root@srv.ist.intra:/usr/obj/system/usr/src/sys/SRV amd64
CPU: Six-Core AMD Opteron(tm) Processor 2435 (2600.16-MHz K8-class CPU)
  Origin = "AuthenticAMD"  Id = 0x100f80  Family = 10  Model = 8  Stepping = 0
  Features=0x178bfbff
  Features2=0x802009
  AMD Features=0xee500800
  AMD Features2=0x37ff
  TSC: P-state invariant
-- 8< ----------------------------------------- >8 --

Any help is greatly appreciated.

Kind regards,
Herbert Poeckl