On Thu, 11 Nov 2010 13:44:55 +0100 Thomas Sailer <sai...@sailer.dynip.lugs.ch> wrote:
> Since I upgraded about two days ago from a fully up-to-date and
> working Fedora13 system to Fedora14, I am unable to mount the krb5p
> nfs4 shares of the freeipa server (which is itself running a fully
> up-to-date Fedora12).
>
> rpc.gssd on the client reports the following:
>
> beginning poll
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e7f930 data 0x7fff99e7f800
> dir_notify_handler: sig 37 si 0x7fff99e82ef0 data 0x7fff99e82dc0
> handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
> handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
> process_krb5_upcall: service is '<null>'
> Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
> Full hostname for 'clnt.xxxx.xxx' is 'clnt.xxxx.xxx'
> Key table entry not found while getting keytab entry for 'root/clnt.xxxx....@xxxx.xxx'
> Success getting keytab entry for 'nfs/clnt.xxxx....@xxxx.xxx'
> Successfully obtained machine credentials for principal 'nfs/clnt.xxxx....@xxxx.xxx' stored in ccache 'FILE:/tmp/krb5cc_machine_XXXX.XXX'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 1289651734
> using FILE:/tmp/krb5cc_machine_XXXX.XXX as credentials cache for machine creds
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XXXX.XXX
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server server.xxxx.xxx
> DEBUG: port already set to 2049
> creating context with server n...@server.xxxx.xxx
> WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxx.xxx
> WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XXXX.XXX for server server.xxxx.xxx
> WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server.xxxx.xxx
> Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
> Full hostname for 'clnt.xxxx.xxx' is 'clnt.xxxx.xxx'
> Key table entry not found while getting keytab entry for 'root/clnt.xxxx....@xxxx.xxx'
> Success getting keytab entry for 'nfs/clnt.xxxx....@xxxx.xxx'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 1289651734
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 1289651734
> using FILE:/tmp/krb5cc_machine_XXXX.XXX as credentials cache for machine creds
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XXXX.XXX
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server server.xxxx.xxx
> DEBUG: port already set to 2049
> creating context with server n...@server.xxxx.xxx
> WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxx.xxx
> WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XXXX.XXX for server server.xxxx.xxx
> WARNING: Failed to create machine krb5 context with any credentials cache for server server.xxxx.xxx
> doing error downcall
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e82f30 data 0x7fff99e82e00
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt39
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt38
>
> I need to downgrade the kernel and krb5* to the Fedora13 version to
> get nfs4 working again.
>
> Does anybody have an idea why it no longer works?
>
> What is the current party line with respect to nfs4 encryption types?
> The admin guide on the freeipa web page still requires des-cbc-crc.
> But MIT Kerberos seems to become increasingly hostile against des.
> And yes, I do have allow_weak_crypto = true in krb5.conf/libdefaults

Starting with F14 you can use any crypto for NFS.
However DES should still just work if you have a DES key.

This looks like a kernel/rpc.gssd bug, I would file a ticket against those components.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
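
A small triage script for an rpc.gssd trace like the one quoted above, added here as an illustration; it is not part of the original thread or of nfs-utils. It decodes the `enctypes=` list from the kernel upcall, flags the single-DES types, and reports whether the failure came before or after machine credentials were obtained. The function name `triage` and the stage labels are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Kerberos enctype numbers (IANA registry) seen in the upcall quoted above.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
SINGLE_DES = {1, 2, 3}  # treated as weak by MIT krb5; need allow_weak_crypto = true

UPCALL = re.compile(r"handle_gssd_upcall: '.*?enctypes=(\d+(?:,\d+)*)")
KEYTAB = re.compile(r"Success getting keytab entry for '([^']+)'")
EXPIRY = re.compile(r"Credentials in CC '[^']+' are good until (\d+)")
FAILED = re.compile(r"Failed to create machine krb5 context with any "
                    r"credentials cache for server (\S+)")

def triage(log_text):
    """Summarise an rpc.gssd debug trace: offered enctypes, creds, failure stage."""
    r = {"offered": [], "single_des": [], "principals": set(),
         "creds_expire_utc": None, "failed_servers": set()}
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted traces
        if m := UPCALL.search(line):
            nums = [int(n) for n in m.group(1).split(",")]
            r["offered"] = [ENCTYPES.get(n, f"unknown({n})") for n in nums]
            r["single_des"] = [ENCTYPES[n] for n in nums if n in SINGLE_DES]
        elif m := KEYTAB.search(line):
            r["principals"].add(m.group(1))
        elif m := EXPIRY.search(line):
            r["creds_expire_utc"] = datetime.fromtimestamp(int(m.group(1)), timezone.utc)
        elif m := FAILED.search(line):
            r["failed_servers"].add(m.group(1))
    # Creds obtained but context still failed: the keytab/TGT step is not the blocker.
    r["stage"] = ("context-establishment" if r["failed_servers"] and r["creds_expire_utc"]
                  else "credential-acquisition" if r["failed_servers"] else "ok")
    return r

# Constructed sample: lines copied from the trace quoted in this thread.
SAMPLE = """\
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Success getting keytab entry for 'nfs/clnt.xxxx....@xxxx.xxx'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 1289651734
WARNING: Failed to create machine krb5 context with any credentials cache for server server.xxxx.xxx
doing error downcall
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample lines the reported stage is `context-establishment`: the keytab lookup and machine credentials succeeded and the cache was still valid, so the failure sits in the GSS context setup with the server rather than in credential acquisition.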