Since I upgraded about two days ago from a fully up-to-date and working
Fedora13 system to Fedora14, I am unable to mount the krb5p nfs4 shares
of the freeipa server (which is itself running a fully up-to-date
Fedora12).

rpc.gssd on the client reports the following:

beginning poll
dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
dir_notify_handler: sig 37 si 0x7fff99e7f930 data 0x7fff99e7f800
dir_notify_handler: sig 37 si 0x7fff99e82ef0 data 0x7fff99e82dc0
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
process_krb5_upcall: service is '<null>'
Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
Full hostname for 'clnt.xxxx.xxx' is 'clnt.xxxx.xxx'
Key table entry not found while getting keytab entry for 
'root/clnt.xxxx....@xxxx.xxx'
Success getting keytab entry for 'nfs/clnt.xxxx....@xxxx.xxx'
Successfully obtained machine credentials for principal 
'nfs/clnt.xxxx....@xxxx.xxx' stored in ccache 
'FILE:/tmp/krb5cc_machine_XXXX.XXX'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 
1289651734
using FILE:/tmp/krb5cc_machine_XXXX.XXX as credentials cache for machine creds
using environment variable to select krb5 ccache 
FILE:/tmp/krb5cc_machine_XXXX.XXX
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server.xxxx.xxx
DEBUG: port already set to 2049
creating context with server n...@server.xxxx.xxx
WARNING: Failed to create krb5 context for user with uid 0 for server 
server.xxxx.xxx
WARNING: Failed to create machine krb5 context with credentials cache 
FILE:/tmp/krb5cc_machine_XXXX.XXX for server server.xxxx.xxx
WARNING: Machine cache is prematurely expired or corrupted trying to recreate 
cache for server server.xxxx.xxx
Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
Full hostname for 'clnt.xxxx.xxx' is 'clnt.xxxx.xxx'
Key table entry not found while getting keytab entry for 
'root/clnt.xxxx....@xxxx.xxx'
Success getting keytab entry for 'nfs/clnt.xxxx....@xxxx.xxx'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 
1289651734
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 
1289651734
using FILE:/tmp/krb5cc_machine_XXXX.XXX as credentials cache for machine creds
using environment variable to select krb5 ccache 
FILE:/tmp/krb5cc_machine_XXXX.XXX
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server.xxxx.xxx
DEBUG: port already set to 2049
creating context with server n...@server.xxxx.xxx
WARNING: Failed to create krb5 context for user with uid 0 for server 
server.xxxx.xxx
WARNING: Failed to create machine krb5 context with credentials cache 
FILE:/tmp/krb5cc_machine_XXXX.XXX for server server.xxxx.xxx
WARNING: Failed to create machine krb5 context with any credentials cache for 
server server.xxxx.xxx
doing error downcall
dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
dir_notify_handler: sig 37 si 0x7fff99e82f30 data 0x7fff99e82e00
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt39
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt38

I need to downgrade the kernel and krb5* to the Fedora13 version to get
nfs4 working again.

Does anybody have an idea why it no longer works?

What is the current party line with respect to nfs4 encryption types?
The admin guide on the freeipa web page still requires des-cbc-crc. But
MIT Kerberos seems to become increasingly hostile against des. And yes,
I do have allow_weak_crypto = true in krb5.conf/libdefaults

Thanks,
Tom


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
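
A triage sketch for rpc.gssd output like the log in the post above, added here as an example (not part of the original message and not FreeIPA or nfs-utils code). It decodes the enctype numbers from the upcall line, flags the single-DES ones that depend on allow_weak_crypto, and reports which stage failed; the function name triage and the stage labels are assumptions made for illustration.

```python
import re

# Kerberos enctype numbers as assigned in the IANA registry.
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}  # MIT krb5 only permits these with allow_weak_crypto = true

# Constructed sample: lines from the log in the post, with mail line-wraps re-joined.
SAMPLE = """\
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Key table entry not found while getting keytab entry for 'root/clnt.xxxx....@xxxx.xxx'
Success getting keytab entry for 'nfs/clnt.xxxx....@xxxx.xxx'
creating context with server n...@server.xxxx.xxx
WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxx.xxx
doing error downcall
"""

def triage(log):
    """Summarise an rpc.gssd upcall: enctypes listed, keytab result, failing stage."""
    r = {"enctypes": [], "single_des": [], "keytab_principal": None,
         "failed_stage": None}
    context_failed = False
    for line in log.splitlines():
        m = re.search(r"enctypes=([\d,]+)", line)
        if m:
            nums = [int(n) for n in m.group(1).split(",") if n]
            r["enctypes"] = [ENCTYPES.get(n, f"unknown({n})") for n in nums]
            r["single_des"] = [ENCTYPES[n] for n in nums if n in SINGLE_DES]
        m = re.search(r"Success getting keytab entry for '([^']+)'", line)
        if m:
            r["keytab_principal"] = m.group(1)
        if "Failed to create krb5 context" in line:
            context_failed = True
    if context_failed:
        # Heuristic (assumption): if a keytab entry was found, local credentials
        # exist, so the failure is in setting up the GSS context with the server.
        r["failed_stage"] = ("context establishment" if r["keytab_principal"]
                             else "credential acquisition")
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the posted log this separates the local keytab lookup, which succeeds for the nfs/ principal, from the context setup with the server, which is the step that fails.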
