Re: Need help with nfsv4 and krb5 access denied
Hi Rick,

thank you very much for answering.

On 06/26/2012 02:17 AM, Rick Macklem wrote:
> Herbert Poeckl wrote:
>> Hi everybody.
>>
>> We are new to this list and need technical help.
>>
>> We are getting access denied error on our debian clients when mounting nfsv4 network drives with kerberos 5 authentication.
>>
>> What is weird about this, is that it works with one server, but not with a second server.
>>
>> The configuration on both of these machines is identical, which we have tested by booting from the same USB drive.
>
> Ok, if I understand you correctly, you are booting the 2 machines using the same USB root disk?

This is correct. As you can guess, it is for testing purpose only.

> Are they using DHCP to configure their network? (I'm just checking, since they would need to boot as the same hostname and IP address, if they are using the same /etc/krb5.keytab file. ie. They must both think they are: tmp2.ist.intra@IST.INTRA including name-IP# resolution (/etc/hosts, DNS, or ???)
>
> If they are the same host, then the only other thought is to make sure that their Time of Day clocks are correctly set.

The host's IP address is set statically. Name resolution is done with DNS, see keylog below[1]. Time is synchronized on system startup against a local time server.

> One simple check you can do on the server to confirm that the keytab entry is ok is to do:
> # kinit -k nfs/tmp2.ist.intra@IST.INTRA
> and make sure it can put an entry in root's credential cache from the keytab.

We performed a check. The output seems right, as you can see in [2]. Is there anything else we can check?

> Beyond that, I have no idea why one would work and the other not. (I always avoid multiple encryption types for keytabs, since I've seen Heimdal get confused about which one to use, but that normally happened to me when I was trying to get initiator credentials from a keytab entry.)

Reducing the encryption type to only one (des3-cbc-sha1) did not change the result.

> Hopefully someone else conversant with kerberos can help, rick

[1]
--- 8 8 ---
root@tmp2:/root # hostname
tmp2.ist.intra
root@tmp2:/root # ifconfig INT
INT: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
        ether 00:21:28:45:c3:be
        inet 192.168.1.164 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::221:28ff:fe45:c3be%INT prefixlen 64 scopeid 0x3
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
root@tmp2:/root # host tmp2.ist.intra
tmp2.ist.intra has address 192.168.1.164
root@tmp2:/root # host 192.168.1.164
164.1.168.192.in-addr.arpa domain name pointer tmp2.ist.intra.
--- 8 8 ---

[2]
--- 8 8 ---
root@tmp2:/root # kinit -k nfs/tmp2.ist.intra
root@tmp2:/root # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: nfs/tmp2.ist.intra@IST.INTRA

  Issued           Expires          Principal
Jun 26 08:34:10  Jun 26 18:34:04  krbtgt/IST.INTRA@IST.INTRA
root@tmp2:/root #
--- 8 8 ---

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
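The preconditions checked in the message above (hostname, forward and reverse DNS, and the host part of the service principal all naming the same machine), as an added example that is not part of the original post. Function names are hypothetical; the sample strings are copied from transcripts [1] and [2].

```shell
#!/bin/sh
# Added example (not from the thread): verify that hostname, DNS and the
# keytab principal all name the same host. Function names are hypothetical.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# host(1) forward output -> first IPv4 address
fwd_addr() {
    printf '%s\n' "$1" | awk '$2 == "has" && $3 == "address" { print $4; exit }'
}

# host(1) reverse output -> PTR target without the trailing dot
rev_name() {
    printf '%s\n' "$1" |
        awk '/domain name pointer/ { n = $NF; sub(/\.$/, "", n); print n; exit }'
}

# "nfs/tmp2.ist.intra@IST.INTRA" -> "tmp2.ist.intra"
principal_host() {
    p=${1#*/}                 # drop the service part
    printf '%s\n' "${p%@*}"   # drop the realm
}

# check_host_principal HOSTNAME PRINCIPAL FWD_OUTPUT REV_OUTPUT "LOCAL ADDRS"
# Prints one line per mismatch; the return status is the mismatch count.
check_host_principal() {
    hn=$(lc "$1"); phost=$(lc "$(principal_host "$2")")
    addr=$(fwd_addr "$3"); rname=$(lc "$(rev_name "$4")")
    bad=0
    if [ "$phost" != "$hn" ]; then
        echo "principal host '$phost' != hostname '$hn'"; bad=$((bad + 1))
    fi
    if [ -z "$addr" ]; then
        echo "no address record for '$hn'"; bad=$((bad + 1))
    else
        case " $5 " in
            *" $addr "*) ;;
            *) echo "address $addr is on no local interface"; bad=$((bad + 1)) ;;
        esac
    fi
    if [ "$rname" != "$hn" ]; then
        echo "PTR '$rname' != hostname '$hn'"; bad=$((bad + 1))
    fi
    return "$bad"
}

# Live wrapper for use on the NFS server itself: check_live PRINCIPAL
check_live() {
    live_hn=$(hostname)
    live_fwd=$(host "$live_hn")
    live_rev=$(host "$(fwd_addr "$live_fwd")")
    live_addrs=$(ifconfig | awk '$1 == "inet" { print $2 }' | tr '\n' ' ')
    check_host_principal "$live_hn" "$1" "$live_fwd" "$live_rev" "$live_addrs"
}

# Sample input copied from transcripts [1] and [2] of the thread.
S_FWD='tmp2.ist.intra has address 192.168.1.164'
S_REV='164.1.168.192.in-addr.arpa domain name pointer tmp2.ist.intra.'
check_host_principal tmp2.ist.intra nfs/tmp2.ist.intra@IST.INTRA \
    "$S_FWD" "$S_REV" "192.168.1.164" && echo "consistent"
```

These checks only confirm naming consistency; clock synchronisation and the `kinit -k` test from the message remain separate steps.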
Re: Strange reboot
on 26/06/2012 22:25 Alexander Yerenkow said the following:
> g_vfs_done():da2s1[WRITE(offset=3227648, length=4096)]error = 5
> g_vfs_done():da2s1[WRITE(offset=3227648, length=4096)]error = 5
> g_vfs_done():da2s1[WRITE(offset=3227648, length=4096)]error = 5

Looks like a problem writing to the media...

--
Andriy Gapon
Re: Strange reboot
2012/6/27 Andriy Gapon a...@freebsd.org:
> on 26/06/2012 22:25 Alexander Yerenkow said the following:
>> g_vfs_done():da2s1[WRITE(offset=3227648, length=4096)]error = 5
>> g_vfs_done():da2s1[WRITE(offset=3227648, length=4096)]error = 5
>> g_vfs_done():da2s1[WRITE(offset=3227648, length=4096)]error = 5
>
> Looks like a problem writing to the media...

That would be fine with me - but why panic, or restart? :)) I didn't even make some load, just tried mount in rw. Also, under windows this media (with exact same microSD=SD converter) works just fine (wrote few big files, read them, verified). I'll fetch monitor, will provide more data a bit later.

> --
> Andriy Gapon

--
Regards,
Alexander Yerenkow
new desktop box
Dear list!

This evening my 7 years old node powers down for its own sake. After a bit of panic, I made a decision to get new box. Regarding fast development of hardware, I cannot choose what is the correct way to go. For long time I use AMD and would like to have another one, but would listen to advice, if proves better to have intel.

What are features I'd like:
- to be silent and cold
- to stay on not-expensive side

Finally, questions.
Phenom II 1100 or something else?
Mobo for said cpu with eth, well working with freebsd?
Graphical card, silent, that would work with amd64, branch 9?

No games, nothing fancy. To last next few years. I plan to compile kernel or two. Half of usage is in console, startx then. I will give additional information for my taste, if needed.

Best regards

Zoran
Re: new desktop box
On Wed, Jun 27, 2012 at 6:37 PM, Zoran Kolic zko...@sbb.rs wrote:
> Dear list!
>
> This evening my 7 years old node powers down for its own sake. After a bit of panic, I made a decision to get new box. Regarding fast development of hardware, I cannot choose what is the correct way to go. For long time I use AMD and would like to have another one, but would listen to advice, if proves better to have intel.
>
> What are features I'd like:
> - to be silent and cold
> - to stay on not-expensive side
>
> Finally, questions.
> Phenom II 1100 or something else?
> Mobo for said cpu with eth, well working with freebsd?
> Graphical card, silent, that would work with amd64, branch 9?
>
> No games, nothing fancy. To last next few years. I plan to compile kernel or two. Half of usage is in console, startx then. I will give additional information for my taste, if needed.
>
> Best regards
>
> Zoran

You did not specify what expensive is to you, nor if you want prebuilt or if you want to assemble it yourself.

I'd go with Intel today. We just got Dell Vostro 460 desktops, with Intel core i5-2400 cpu with integrated graphics. Works really good, almost quiet. You would need to go with 9-stable and use new xorg though, so once X is started, you would lose console.

The only bad thing is perhaps the ethernet, it's some lousy RTL8111/8168B PCI Express Gigabit Ethernet controller.

If you want a few hdds the chassis is not that good.

Regards
Andreas
Re: new desktop box
On 6/27/2012 10:37 AM, Zoran Kolic wrote:
> Dear list!
>
> This evening my 7 years old node powers down for its own sake. After a bit of panic, I made a decision to get new box. Regarding fast development of hardware, I cannot choose what is the correct way to go. For long time I use AMD and would like to have another one, but would listen to advice, if proves better to have intel.
>
> What are features I'd like:
> - to be silent and cold
> - to stay on not-expensive side
>
> Finally, questions.
> Phenom II 1100 or something else?
> Mobo for said cpu with eth, well working with freebsd?
> Graphical card, silent, that would work with amd64, branch 9?
>
> No games, nothing fancy. To last next few years. I plan to compile kernel or two. Half of usage is in console, startx then. I will give additional information for my taste, if needed.
>
> Best regards
>
> Zoran

For me I have had more problems with cheap (even expensive) mobo's than with either CPU type. I like the i5 offering where the CPU can spike one core clock up to speed things up. Seems like the best of both worlds, when you need multiprocessor speed you have it, when one process needs more it can also have it.

As far as silent it has been all about fan choice. I custom build all mine so I can pick and choose the features I want in case/fans/etc.

Thanks,
Robert

--
Robert Comstock
Comstock RD, Inc.
Lead Engineer
Phone: 208-652-0145
Cell: 208-360-0627
Email: rob...@comstockrd.com
Panic when deleting data on ZFS pool
Hello,

I have a FreeBSD 9-STABLE box (world built today) that panics whenever I try to delete data using rm on my ZFS pool. This occurred on the same system with a world that was about a month old. Generic kernel and pretty vanilla system.

I can consistently reproduce this. I can't see that there's anything funny about the data. I run a zpool scrub weekly and it ran two days ago without errors. This issue was present before and after this. Additionally, I haven't seen anything in my logs that indicate failing drives, but I haven't run a long smartctl test for a while.

The system has 16 GB of RAM and I'm not doing anything special for tuning ZFS. The ZFS pool does use compression.

I do have crash dumps enabled, if that helps, and would be happy to provide any further detail and information. Redoing the filesystem is an option, as the data is just duplicate backup data and can easily be restored.

Any insight on this? I did see a similar posting to -questions from a while ago, but it wasn't conclusive.

Thanks,
Josh

Here's the relevant panic log:

Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 05
fault virtual address = 0x160
fault code = supervisor read data, page not present
instruction pointer = 0x20:0x816bbbe6
stack pointer = 0x28:0xff8465f22870
frame pointer = 0x28:0xff8465f22930
code segment= base 0x0, limit 0xf, type 0x1b
 = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags= interrupt enabled, resume, IOPL = 0
current process = 1646 (rm)
trap number = 12
panic: page fault
cpuid = 3
KDB: stack backtrace:
#0 0x8091c836 at kdb_backtrace+0x66
#1 0x808e67ee at panic+0x1ce
#2 0x80bd39c0 at trap_fatal+0x290
#3 0x80bd3cfd at trap_pfault+0x1ed
#4 0x80bd431e at trap+0x3ce
#5 0x80bbef1f at calltrap+0x8
#6 0x80c637e4 at VOP_REMOVE_APV+0x34
#7 0x8098300d at kern_unlinkat+0x32d
#8 0x80bd3270 at amd64_syscall+0x590
#9 0x80bbf207 at Xfast_syscall+0xf7
Uptime: 4m50s
Re: Need help with nfsv4 and krb5 access denied
Hello everyone,

we did more testing on this topic.

After we found a few hosts, basically HP desktop workstation with Intel onboard NICs, that worked and more hosts that didn't work, we placed a second PCI based NIC into one of the hosts that worked.

The surprising result is: With the onboard NIC nfs kerberos mount works fine. When the second NIC takes over, we get an access denied!

Here is the keylog of what we did. A few explanations: em0 is the embedded onboard card, em1 is the PCI card we plugged into the machine[1]. 192.168.1.164 is the IP address the server is configured for (which is tmp2.ist.intra in our DNS resolution). 192.168.6.2 is just a placeholder address. Both NICs are connected to the same switch (there is no firewall or VPN configured).

The system boots up with em0 as 192.168.1.164 and em1 as 192.168.6.2.[2] This is the configuration that works, see also the attached tcpdump on that interface[5].

Now we change the IP addresses of em0 to the placeholder address and em1 to the server's address and prove that the name resolution is still available[3]. This is where we get an access denied on the linux nfs client, see tcpdump[6].

When we switch the IP addresses back[4], everything starts working again.

Please note: It doesn't make any difference if we configure em1 as the server IP address and em0 as placeholder at startup time, the result is the same.

We do hope that the dump is of any use. If not, or if there are better ways to debug the problem, your help would be welcome.

Kind regards,
Herbert Poeckl

[1]
--- 8 8 ---
root@tmp2:/root # dmesg | grep em0
em0: <Intel(R) PRO/1000 Network Connection 7.3.2> port 0x3100-0x311f mem 0xf310-0xf311,0xf3125000-0xf3125fff irq 19 at device 25.0 on pci0
em0: Using an MSI interrupt
em0: Ethernet address: 00:0f:fe:e7:1c:ae
em0: link state changed to UP
root@tmp2:/root # dmesg | grep em1
em1: <Intel(R) PRO/1000 Legacy Network Connection 1.0.4> port 0x1100-0x113f mem 0xf304-0xf305,0xf300-0xf303 irq 20 at device 4.0 on pci7
em1: Ethernet address: 00:1b:21:00:8b:2b
em1: link state changed to UP
--- 8 8 ---

[2]
--- 8 8 ---
root@tmp2:/root # grep em0 /etc/rc.conf
ifconfig_em0=inet 192.168.1.164 netmask 255.255.255.0
root@tmp2:/root # grep em1 /etc/rc.conf
ifconfig_em1=inet 192.168.6.2 netmask 255.255.255.0
root@tmp2:/root # grep defaultrouter /etc/rc.conf
defaultrouter=192.168.1.1
root@tmp2:/root # host tmp2
tmp2.ist.intra has address 192.168.1.164
--- 8 8 ---

[3]
--- 8 8 ---
root@tmp2:/root # ifconfig em0 192.168.6.2 netmask 255.255.255.0 ; ifconfig em1 192.168.1.164 netmask 255.255.255.0 ; /etc/rc.d/routing restart
route: writing to routing socket: No such process
delete net default: gateway 192.168.1.1: not in table
delete net :::0.0.0.0: gateway ::1
delete net ::0.0.0.0: gateway ::1
delete net fe80::: gateway ::1
delete net ff02::: gateway ::1
add net default: gateway 192.168.1.1
add net :::0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
add net fe80::: gateway ::1
add net ff02::: gateway ::1
root@tmp2:/root #
root@tmp2:/root # host tmp2
tmp2.ist.intra has address 192.168.1.164
--- 8 8 ---

[4]
--- 8 8 ---
root@tmp2:/root # ifconfig em0 192.168.1.164 netmask 255.255.255.0 ; ifconfig em1 192.168.6.2 netmask 255.255.255.0 ; /etc/rc.d/routing restart
route: writing to routing socket: No such process
delete net default: gateway 192.168.1.1: not in table
delete net :::0.0.0.0: gateway ::1
delete net ::0.0.0.0: gateway ::1
delete net fe80::: gateway ::1
delete net ff02::: gateway ::1
add net default: gateway 192.168.1.1
add net :::0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
add net fe80::: gateway ::1
add net ff02::: gateway ::1
root@tmp2:/root #
--- 8 8 ---

[5] tcpdump(1) working:
--- 8 8 ---
15:47:21.151932 ARP, Request who-has 192.168.1.164 tell 192.168.1.40, length 46
15:47:21.151937 ARP, Reply 192.168.1.164 is-at 00:0f:fe:e7:1c:ae, length 28
15:47:21.152065 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [S], seq 2632408361, win 14600, options [mss 1460,sackOK,TS val 22818996 ecr 0,nop,wscale 6], length 0
15:47:21.152077 IP 192.168.1.164.2049 > 192.168.1.40.863: Flags [S.], seq 1896997472, ack 2632408362, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 320086661 ecr 22818996], length 0
15:47:21.152196 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [.], ack 1, win 229, options [nop,nop,TS val 22818996 ecr 320086661], length 0
15:47:21.152213 IP 192.168.1.40.2561817139 > 192.168.1.164.2049: 40 null
15:47:21.152237 IP 192.168.1.164.2049 > 192.168.1.40.863: Flags [.], ack 45, win 29127, options [nop,nop,TS val 320086661 ecr 22818996], length 0
15:47:21.152250 IP
Re: new desktop box
AMD and Intel both have good CPU offerings. Both have a turbo feature to improve single core workloads. The real question is which video card do you want to use? Both have integrated solutions now or you could pick a discrete card. I personally go amd but buy nvidia cards as there are binary drivers. Amd's newer cards are not supported by x11 well under bsd. If you go with an on CPU gpu (APU) this is an intel only scenario. Amd chips are cheaper but you need a video card too.
Re: new desktop box
On Wed, 27 Jun 2012, Lucas Holt wrote:
> AMD and Intel both have good CPU offerings. Both have a turbo feature to improve single core workloads. The real question is which video card do you want to use? Both have integrated solutions now or you could pick a discrete card. I personally go amd but buy nvidia cards as there are binary drivers. Amd's newer cards are not supported by x11 well under bsd. If you go with an on CPU gpu (APU) this is an intel only scenario. Amd chips are cheaper but you need a video card too.

The Core i5 processors cost more (sometimes a lot more), but dominate AMD in benchmarks. FreeBSD also has/will have support for the open Intel video driver.
Re: Need help with nfsv4 and krb5 access denied
Herbert Poeckl wrote:
> Hello everyone,
>
> we did more testing on this topic.
>
> After we found a few hosts, basically HP desktop workstation with Intel onboard NICs, that worked and more hosts that didn't work, we placed a second PCI based NIC into one of the hosts that worked.
>
> The surprising result is: With the onboard NIC nfs kerberos mount works fine. When the second NIC takes over, we get an access denied!
>
> Here is the keylog of what we did. A few explanations: em0 is the embedded onboard card, em1 is the PCI card we plugged into the machine[1]. 192.168.1.164 is the IP address the server is configured for (which is tmp2.ist.intra in our DNS resolution). 192.168.6.2 is just a placeholder address. Both NICs are connected to the same switch (there is no firewall or VPN configured).

Ok, from my limited knowledge of Kerberos, here is how I understand that a host based keytab entry is used.

The NFS server will authenticate nfs/tmp2.ist.intra against the Kerberos KDC, using the information in the keytab entry.

The whole idea behind a host based principal like nfs/tmp2.ist.intra is that it can only be used by the host tmp2.ist.intra. As such, when the Kerberos KDC receives an authentication request for nfs/tmp2.ist.intra, it will DNS resolve tmp2.ist.intra (to 192.168.1.164 it seems) and will compare that to the IP address the authentication request is received from.

I think this means the KDC will fail the request if it is sent to the KDC from 192.168.6.2. Your KDC should be logging something when this fails and the traffic you'd need to look at is the traffic between the NFS server and the KDC. (I'd use wireshark, since it probably knows a fair bit about Kerberos.)

My guess is that this is what is causing your failure, rick

> The system boots up with em0 as 192.168.1.164 and em1 as 192.168.6.2.[2] This is the configuration that works, see also the attached tcpdump on that interface[5].
>
> Now we change the IP addresses of em0 to the placeholder address and em1 to the server's address and prove that the name resolution is still available[3]. This is where we get an access denied on the linux nfs client, see tcpdump[6].
>
> When we switch the IP addresses back[4], everything starts working again.
>
> Please note: It doesn't make any difference if we configure em1 as the server IP address and em0 as placeholder at startup time, the result is the same.
>
> We do hope that the dump is of any use. If not, or if there are better ways to debug the problem, your help would be welcome.
>
> Kind regards,
> Herbert Poeckl
>
> [1]
> --- 8 8 ---
> root@tmp2:/root # dmesg | grep em0
> em0: <Intel(R) PRO/1000 Network Connection 7.3.2> port 0x3100-0x311f mem 0xf310-0xf311,0xf3125000-0xf3125fff irq 19 at device 25.0 on pci0
> em0: Using an MSI interrupt
> em0: Ethernet address: 00:0f:fe:e7:1c:ae
> em0: link state changed to UP
> root@tmp2:/root # dmesg | grep em1
> em1: <Intel(R) PRO/1000 Legacy Network Connection 1.0.4> port 0x1100-0x113f mem 0xf304-0xf305,0xf300-0xf303 irq 20 at device 4.0 on pci7
> em1: Ethernet address: 00:1b:21:00:8b:2b
> em1: link state changed to UP
> --- 8 8 ---
>
> [2]
> --- 8 8 ---
> root@tmp2:/root # grep em0 /etc/rc.conf
> ifconfig_em0=inet 192.168.1.164 netmask 255.255.255.0
> root@tmp2:/root # grep em1 /etc/rc.conf
> ifconfig_em1=inet 192.168.6.2 netmask 255.255.255.0
> root@tmp2:/root # grep defaultrouter /etc/rc.conf
> defaultrouter=192.168.1.1
> root@tmp2:/root # host tmp2
> tmp2.ist.intra has address 192.168.1.164
> --- 8 8 ---
>
> [3]
> --- 8 8 ---
> root@tmp2:/root # ifconfig em0 192.168.6.2 netmask 255.255.255.0 ; ifconfig em1 192.168.1.164 netmask 255.255.255.0 ; /etc/rc.d/routing restart
> route: writing to routing socket: No such process
> delete net default: gateway 192.168.1.1: not in table
> delete net :::0.0.0.0: gateway ::1
> delete net ::0.0.0.0: gateway ::1
> delete net fe80::: gateway ::1
> delete net ff02::: gateway ::1
> add net default: gateway 192.168.1.1
> add net :::0.0.0.0: gateway ::1
> add net ::0.0.0.0: gateway ::1
> add net fe80::: gateway ::1
> add net ff02::: gateway ::1
> root@tmp2:/root #
> root@tmp2:/root # host tmp2
> tmp2.ist.intra has address 192.168.1.164
> --- 8 8 ---
>
> [4]
> --- 8 8 ---
> root@tmp2:/root # ifconfig em0 192.168.1.164 netmask 255.255.255.0 ; ifconfig em1 192.168.6.2 netmask 255.255.255.0 ; /etc/rc.d/routing restart
> route: writing to routing socket: No such process
> delete net default: gateway 192.168.1.1: not in table
> delete net :::0.0.0.0: gateway ::1
> delete net ::0.0.0.0: gateway ::1
> delete net fe80::: gateway ::1
> delete net ff02::: gateway ::1
> add net default: gateway 192.168.1.1
> add net :::0.0.0.0: gateway ::1
> add net ::0.0.0.0: gateway ::1