After upgrading FreeIPA from FC14/FreeIPAv1 to FC16/FreeIPAv2, secure NFSv4 mounts do not work anymore. V2 is basically a reinstalled FreeIPA server with user data migrated from v1, and host keys etc. recreated.

I get the following when trying to mount:
# mount -t nfs4 -o soft,intr,rsize=8192,wsize=8192,rw,sec=krb5p server.xxxxx.com:/yyyyy z
mount.nfs4: access denied by server while mounting server.xxxxx.com:/yyyyy

On the client, rpc.gssd reports:
Warning: rpcsec_gss library does not support setting debug level
beginning poll
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f1570 data 0x7fff5f5f1440
dir_notify_handler: sig 37 si 0x7fff5f5f0df0 data 0x7fff5f5f0cc0
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt3a)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt3a)
process_krb5_upcall: service is '<null>'
Full hostname for 'server.xxxxx.com' is 'server.xxxxx.com'
Full hostname for 'client.xxxxx.com' is 'client.xxxxx.com'
No key table entry found for CLIENT.XXXXX.COM$@XXXXX.COM while getting keytab entry for 'CLIENT.XXXXX.COM$@XXXXX.COM'
No key table entry found for root/client.xxxxx....@xxxxx.com while getting keytab entry for 'root/client.xxxxx....@xxxxx.com'
Success getting keytab entry for 'nfs/client.xxxxx....@xxxxx.com'
Successfully obtained machine credentials for principal 'nfs/client.xxxxx....@xxxxx.com' stored in ccache 'FILE:/tmp/krb5cc_machine_XXXXX.COM'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXXX.COM' are good until 1321556514
using FILE:/tmp/krb5cc_machine_XXXXX.COM as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XXXXX.COM
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server.xxxxx.com
DEBUG: port already set to 2049
creating context with server n...@server.xxxxx.com
WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxxx.com
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XXXXX.COM for server server.xxxxx.com
WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server.xxxxx.com
Full hostname for 'server.xxxxx.com' is 'server.xxxxx.com'
Full hostname for 'client.xxxxx.com' is 'client.xxxxx.com'
No key table entry found for CLIENT.XXXXX.COM$@XXXXX.COM while getting keytab entry for 'CLIENT.XXXXX.COM$@XXXXX.COM'
No key table entry found for root/client.xxxxx....@xxxxx.com while getting keytab entry for 'root/client.xxxxx....@xxxxx.com'
Success getting keytab entry for 'nfs/client.xxxxx....@xxxxx.com'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXXX.COM' are good until 1321556514
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXXX.COM' are good until 1321556514
using FILE:/tmp/krb5cc_machine_XXXXX.COM as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XXXXX.COM
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server.xxxxx.com
DEBUG: port already set to 2049
creating context with server n...@server.xxxxx.com
WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxxx.com
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XXXXX.COM for server server.xxxxx.com
WARNING: Failed to create machine krb5 context with any credentials cache for server server.xxxxx.com
doing error downcall
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt3b
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt3a

And on the server, rpc.svcgssd reports:
leaving poll
handling null request
svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from defaults
sname = nfs/client.xxxxx....@xxxxx.com
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc4121_buffer: protocol 1
prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
doing downcall
mech: krb5, hndl len: 4, ctx len 52, timeout: 1321556514 (86400 from now), clnt: n...@client.xxxxx.com, uid: -1, gid: -1, num aux grps: 0:
sending null reply
writing message: \x \x6082....\x6081....
entering poll
leaving poll
handling null request
svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from defaults
sname = nfs/client.xxxxx....@xxxxx.com
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc4121_buffer: protocol 1
prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
doing downcall
mech: krb5, hndl len: 4, ctx len 52, timeout: 1321556514 (86400 from now), clnt: n...@client.xxxxx.com, uid: -1, gid: -1, num aux grps: 0:
sending null reply
writing message: \x \x6082.... 1321470174 0 0 \x02000000 \x6081....
finished handling null request
entering poll

Does anyone have an idea what went wrong? The client is also FC16, and it worked against the FC14/FreeIPAv1 server.

Tom

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
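The rpc.gssd trace above follows a fixed sequence (upcall from the kernel, keytab lookup of candidate machine principals, credential cache acquisition, GSS context creation with the server, then a success or error downcall), and the useful question when reading it is which of those stages is the first to fail. The following parser is an added editor's example, not code from the post or from FreeIPA/nfs-utils; it runs over a constructed log sample modelled on the poster's output (hostnames, realm and principal names are invented placeholders) and reports the stage reached. The function and field names (parse_gssd_log, classify, triage, GssdAttempt) are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on rpc.gssd -vvv output; hostnames, realm and
# timestamps are placeholders, not the poster's values.
SAMPLE_GSSD_LOG = """\
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt3a)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
process_krb5_upcall: service is '<null>'
No key table entry found for CLIENT.EXAMPLE.COM$@EXAMPLE.COM while getting keytab entry for 'CLIENT.EXAMPLE.COM$@EXAMPLE.COM'
No key table entry found for root/client.example.com@EXAMPLE.COM while getting keytab entry for 'root/client.example.com@EXAMPLE.COM'
Success getting keytab entry for 'nfs/client.example.com@EXAMPLE.COM'
Successfully obtained machine credentials for principal 'nfs/client.example.com@EXAMPLE.COM' stored in ccache 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1321556514
creating tcp client for server server.example.com
creating context with server nfs@server.example.com
WARNING: Failed to create krb5 context for user with uid 0 for server server.example.com
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_EXAMPLE.COM for server server.example.com
WARNING: Failed to create machine krb5 context with any credentials cache for server server.example.com
doing error downcall
"""

# Message shapes as printed by rpc.gssd; only the variable parts are captured.
UPCALL_RE = re.compile(r"handle_gssd_upcall: 'mech=(\w+) uid=(\d+) enctypes=([\d,]+)")
MISSING_RE = re.compile(r"No key table entry found for (\S+) while getting keytab entry")
FOUND_RE = re.compile(r"Success getting keytab entry for '([^']+)'")
CCACHE_RE = re.compile(r"stored in ccache '([^']+)'")
EXPIRY_RE = re.compile(r"are good until (\d+)")
TARGET_RE = re.compile(r"creating context with server (\S+)")
WARN_RE = re.compile(r"^WARNING: (.+)$")


@dataclass
class GssdAttempt:
    """What one gssd upcall tried and how far it got."""
    mech: Optional[str] = None
    uid: Optional[int] = None
    kernel_enctypes: List[int] = field(default_factory=list)
    principals_missing: List[str] = field(default_factory=list)
    principal_used: Optional[str] = None
    ccache: Optional[str] = None
    creds_expiry: Optional[int] = None
    target: Optional[str] = None
    warnings: List[str] = field(default_factory=list)
    outcome: str = "incomplete"  # "ok", "error" or "incomplete"


def parse_gssd_log(text: str) -> GssdAttempt:
    """Walk the trace line by line and fill in the attempt record."""
    a = GssdAttempt()
    for raw in text.splitlines():
        line = raw.strip()
        m = UPCALL_RE.search(line)
        if m:
            a.mech, a.uid = m.group(1), int(m.group(2))
            a.kernel_enctypes = [int(e) for e in m.group(3).split(",") if e]
            continue
        m = MISSING_RE.search(line)
        if m:
            a.principals_missing.append(m.group(1))
            continue
        m = FOUND_RE.search(line)
        if m:
            a.principal_used = m.group(1)
            continue
        m = CCACHE_RE.search(line)
        if m:
            a.ccache = m.group(1)
        m = EXPIRY_RE.search(line)
        if m:
            a.creds_expiry = int(m.group(1))
        m = TARGET_RE.search(line)
        if m:
            a.target = m.group(1)
        m = WARN_RE.match(line)
        if m:
            a.warnings.append(m.group(1))
        if line == "doing error downcall":
            a.outcome = "error"
        elif line == "doing downcall":
            a.outcome = "ok"
    return a


def classify(a: GssdAttempt) -> str:
    """Name the first stage that did not complete."""
    if a.mech is None:
        return "no-upcall"
    if a.principal_used is None:
        return "keytab-missing"
    if a.ccache is None:
        return "creds-failed"
    if a.outcome == "error":
        return "context-failed"
    if a.outcome == "ok":
        return "context-ok"
    return "incomplete"


def triage(a: GssdAttempt) -> List[str]:
    """Facts worth checking next, derived only from what the trace shows."""
    stage = classify(a)
    notes = [f"stage: {stage}"]
    if stage == "keytab-missing":
        notes.append("no candidate principal found in the client keytab: "
                     + ", ".join(a.principals_missing))
    elif stage == "context-failed":
        notes.append(f"keytab entry {a.principal_used} and ccache {a.ccache} were obtained, "
                     f"so local credential acquisition worked and the GSS exchange with "
                     f"{a.target} is where it failed")
        notes.append("kernel-offered enctypes: "
                     + ",".join(str(e) for e in a.kernel_enctypes)
                     + "; compare with the enctype rpc.svcgssd reports for the accepted key")
    return notes


if __name__ == "__main__":
    for note in triage(parse_gssd_log(SAMPLE_GSSD_LOG)):
        print(note)
```

For a real trace, pipe `rpc.gssd -fvvv` output into `parse_gssd_log`; the "context-failed" stage (credentials obtained, GSS context still refused) is exactly the pattern in the post, and it points at the client/server exchange rather than at the client keytab.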
