Date: Tue, 04 Sep 2012 15:09:26 +0200 From: Herbert Poeckl <freebsdml@ist.tugraz.at> To: Rick Macklem <rmacklem@uoguelph.ca> Cc: freebsd-stable@FreeBSD.org Subject: Re: Need help with nfsv4 and krb5 access denied Message-ID: <5045FD86.7060209@ist.tugraz.at> In-Reply-To: <233953231.1437527.1346700338839.JavaMail.root@erie.cs.uoguelph.ca> References: <233953231.1437527.1346700338839.JavaMail.root@erie.cs.uoguelph.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
On 09/03/2012 09:25 PM, Rick Macklem wrote: > Herbert Poeckl wrote: >> On 6/25/12 1:21 PM, Herbert Poeckl wrote: >>> We are getting access denied error on our debian clients when >>> mounting >>> nfsv4 network drives with kerberos 5 authentication. >>> >>> What is wired about this, is that it works with one server, but not >>> with >>> a second server. >> [..] >> >> For the records: >> >> The problem was fixed in this post: >> http://lists.freebsd.org/pipermail/freebsd-fs/2012-August/015047.html >> > Ok, so are you saying that the patch in Attila's email fixed your problem? Yes it does. Sorry I missed your following post to his message. > If so, please try the attached patch. (It doesn't set the client security > handle stale when DESTROY fails, due to an invalid encrypted checksum. It > is similar to his patch, but only for the DESTROY case, which seems to be > ok to do from my understanding of the RPCSEC_GSS. It doesn't include the > timer changes, which shouldn't affect the outcome from afaik.) Just tried your patch, and it fixes the problem too. > To consider the client security handle still valid when a data (real RPC > in the message) phase entry fails the encrypted checksum seems riskier to > do, so I'd like to avoid that in any patch for head. > > rick Kind regards, Herbert
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5045FD86.7060209>