Re: [Freeipa-users] Problem with Kerberised NFS mount
On Jul 12, 2013, at 3:02 PM, Rob Crittenden rcrit...@redhat.com wrote:

> Chuck Lever wrote:
> > On Jul 12, 2013, at 2:43 PM, Ondrej Valousek ovalou...@vendavo.com wrote:
> >
> > > Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the horizon yet? Expiring tickets will render the whole concept unusable otherwise.
> > > Anyone?
> >
> > Ask on linux-...@vger.kernel.org. I know upstream is working on this problem.
>
> https://fedorahosted.org/gss-proxy/ will solve the problem.

Only for renewable tickets that gss-proxy renews. If a user has a non-renewable ticket, then the problem still exists. I'm working on a set of GSS expiry patches and I'll make sure this problem is solved in the kernel.

--Andy

> rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Problem with Kerberised NFS mount
On Fri, 2013-07-12 at 17:15 -0500, Dean Hunter wrote:
> On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:
> > F19 has GSS proxy. I encourage you to use it. I know it was tried and worked as several bugs have been addressed. Gunther CCed will be back from PTO next week and should be able to help.
>
> Is the GSS proxy configured by ipa-client-automount?

No, gssproxy is quite new and we do not configure it by default at this stage. It has been tested only with NFS (both server and client) on Fedora 19.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Problem with Kerberised NFS mount
On Fri, 2013-07-12 at 19:16 +, Adamson, Andy wrote:
> On Jul 12, 2013, at 3:02 PM, Rob Crittenden rcrit...@redhat.com wrote:
>
> > Chuck Lever wrote:
> > > On Jul 12, 2013, at 2:43 PM, Ondrej Valousek ovalou...@vendavo.com wrote:
> > >
> > > > Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the horizon yet? Expiring tickets will render the whole concept unusable otherwise.
> > > > Anyone?
> > >
> > > Ask on linux-...@vger.kernel.org. I know upstream is working on this problem.
> >
> > https://fedorahosted.org/gss-proxy/ will solve the problem.
>
> Only for renewable tickets that gss-proxy renews. If a user has a non-renewable ticket, then the problem still exists. I'm working on a set of GSS expiry patches and I'll make sure this problem is solved in the kernel.

Just to avoid confusion. GSS-Proxy doesn't really handle renews at this stage (except as a possible side effect of GSSAPI doing it under the hood on its own), it only handles acquiring new credentials using keytabs or using existing valid credentials from a standard ccache pre-populated by the user.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Problem with Kerberised NFS mount
On Mon, 2013-07-15 at 09:33 -0400, Simo Sorce wrote:
> On Fri, 2013-07-12 at 17:15 -0500, Dean Hunter wrote:
> > On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:
> > > F19 has GSS proxy. I encourage you to use it. I know it was tried and worked as several bugs have been addressed. Gunther CCed will be back from PTO next week and should be able to help.
> >
> > Is the GSS proxy configured by ipa-client-automount?
>
> No, gssproxy is quite new and we do not configure it by default at this stage. It has been tested only with NFS (both server and client) on Fedora 19.
>
> Simo.

Where might I find instructions on how to configure the GSS proxy for use with IPA and automount?
[Freeipa-users] Problem with Kerberised NFS mount
Hello everyone,

I am setting up FreeIPA for a small home network. However I have a problem mounting NFS shares with Kerberos enabled - see syslog output below.

My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS mount directly on the server, which has local firewall disabled - I get the same outcome on a remote client, but this surely eliminates any network issues.

These are my NFS exports, which are visible both locally and remotely with showmount -e:-

[root@server ~]# exportfs -av
exporting gss/krb5:/home
exporting gss/krb5i:/home
exporting gss/krb5p:/home

The command

mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home /mnt/test_mnt

hangs indefinitely. However without the Kerberos export options the NFS share can be mounted both locally and remotely without problem.

I read in a post that the "serializing key with enctype 18 and size 32" entry in syslog means I am trying to use an unsupported key with AES256 encryption (I can find very little about enctype numbers though); however I appear to have an AES256 service principal:

[root@server etc]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list -e
slot KVNO Principal
---- ---- ---------
   1    2 host/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)
   2    2 host/server.wasielewski.co...@wasielewski.co.uk (aes128-cts-hmac-sha1-96)
   3    2 host/server.wasielewski.co...@wasielewski.co.uk (des3-cbc-sha1)
   4    2 host/server.wasielewski.co...@wasielewski.co.uk (arcfour-hmac)
   5    5 nfs/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)

My versions are:
Fedora 17 (kernel 3.8.13-100.fc17.x86_64)
FreeIPA 2.2.2
krb5 1.10.2
nfs-utils 1.2.6

I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; however that is not possible due to conflict with systemd. Everything else appears to work OK e.g. domain login, automap etc.

When I try to mount the Kerberised NFS share, *nothing* appears in /var/log/krb5kdc.log

Here is my syslog output when I attempt the mount:

Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 0x7fffe59b94f0 data 0x7fffe59b93c0
Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is 'null'
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK while getting keytab entry for 'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for root/server.wasielewski.co...@wasielewski.co.uk while getting keytab entry for 'root/server.wasielewski.co...@wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry for 'nfs/server.wasielewski.co...@wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
Jul 12 01:13:10 server rpc.gssd[31628]: using FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for machine creds
Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK
Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid 0 (save_uid 0)
Jul 12 01:13:10 server rpc.gssd[31628]: creating tcp client for server server.wasielewski.co.uk
Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: port already set to 2049
Jul 12 01:13:10 server rpc.gssd[31628]: creating context with server n...@server.wasielewski.co.uk
Jul 12 01:13:10 server rpc.svcgssd[32135]: leaving poll
Jul 12 01:13:10 server rpc.svcgssd[32135]: handling null request
Jul 12 01:13:10 server rpc.svcgssd[32135]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
Jul 12 01:13:10 server rpc.svcgssd[32135]: sname = nfs/server.wasielewski.co...@wasielewski.co.uk
Jul 12 01:13:10 server rpc.svcgssd[32135]: DEBUG: serialize_krb5_ctx: lucid version!
Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: protocol 1
Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Jul 12 01:13:10 server rpc.svcgssd[32135]: doing downcall
Jul 12 01:13:10
Re: [Freeipa-users] Problem with Kerberised NFS mount
On Fri, 2013-07-12 at 14:51 +, Ondrej Valousek wrote:
> Hard to say. In general, when dealing w/ nfs kerberos, I would advise to:
> ● Upgrade to the latest fedora
> ● Make sure idmapper is configured and working fine
> ● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes keys).

3des makes little sense, it is the least used enctype. If you want to be backwards compatible with old kernels you'll have to stick with DES (not 3DES) which is utterly insecure these days. Otherwise go straight to AES and don't look back. Support for AES is available since quite a few fedora releases and RHEL6

Simo.

--
Simo Sorce * Red Hat, Inc * New York
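Added example, not part of the original thread: a Python helper that decodes the enctype numbers in the rpc.gssd and rpc.svcgssd lines from the original post, cross-checks them against a `ktutil list -e` listing, and marks the enctypes Simo's reply advises against. The two log lines are copied from the post; the keytab listing uses constructed example.test principals, and the function names and status labels are this example's own.

```python
import re

# Kerberos enctype numbers (IANA registry): name, key length in bytes, status.
# "insecure" = single DES, as Simo describes it; "deprecated" = 3DES and RC4
# (RFC 8429). The status labels are this example's own wording.
ENCTYPES = {
    1: ("des-cbc-crc", 8, "insecure"),
    2: ("des-cbc-md4", 8, "insecure"),
    3: ("des-cbc-md5", 8, "insecure"),
    16: ("des3-cbc-sha1", 24, "deprecated"),
    17: ("aes128-cts-hmac-sha1-96", 16, "ok"),
    18: ("aes256-cts-hmac-sha1-96", 32, "ok"),
    23: ("arcfour-hmac", 16, "deprecated"),
}
NAME_TO_NUM = {name: num for num, (name, _, _) in ENCTYPES.items()}

UPCALL_RE = re.compile(r"handle_gssd_upcall: '.*?\benctypes=([\d,]+)")
SERIALIZE_RE = re.compile(r"serializing key with enctype (\d+) and size (\d+)")
KTUTIL_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

# Two log lines copied from the original post.
SAMPLE_LOG = """\
Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
"""

# Constructed listing shaped like the post's ktutil output (principals are placeholders).
SAMPLE_KEYTAB = """\
slot KVNO Principal
   1    2 host/server.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2    2 host/server.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3    2 host/server.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   4    2 host/server.example.test@EXAMPLE.TEST (arcfour-hmac)
   5    5 nfs/server.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

def name_of(num):
    return ENCTYPES[num][0] if num in ENCTYPES else f"unknown-{num}"

def parse_offered(log):
    """Enctype numbers the kernel passed to rpc.gssd, in the order logged."""
    m = UPCALL_RE.search(log)
    return [int(x) for x in m.group(1).split(",") if x] if m else []

def parse_serialized(log):
    """(enctype, key size) of the context key rpc.svcgssd hands to the kernel."""
    m = SERIALIZE_RE.search(log)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_keytab(listing):
    """(kvno, principal, enctype number or None) for each `list -e` row."""
    rows = []
    for line in listing.splitlines():
        m = KTUTIL_RE.match(line)
        if m:
            rows.append((int(m.group(2)), m.group(3), NAME_TO_NUM.get(m.group(4))))
    return rows

def diagnose(log, listing, service="nfs"):
    offered = parse_offered(log)
    ctx = parse_serialized(log)
    svc = {e for _, princ, e in parse_keytab(listing) if princ.startswith(service + "/")}
    report = {
        "offered": [name_of(n) for n in offered],
        "weak_offered": [name_of(n) for n in offered
                         if n in ENCTYPES and ENCTYPES[n][2] != "ok"],
        "context_enctype": None, "key_size_matches": None, "service_key_present": None,
    }
    if ctx:
        num, size = ctx
        report["context_enctype"] = name_of(num)
        report["key_size_matches"] = num in ENCTYPES and ENCTYPES[num][1] == size
        report["service_key_present"] = num in svc
    return report

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_KEYTAB).items():
        print(f"{key}: {value}")
```

On the sample input the report shows the context key is aes256-cts-hmac-sha1-96 with the expected 32-byte length and a matching key for the nfs/ principal, while five of the seven enctypes listed in the upcall are DES, 3DES or RC4.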
Re: [Freeipa-users] Problem with Kerberised NFS mount
Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the horizon yet? Expiring tickets will render the whole concept unusable otherwise.
Anyone?
O.

Sent from Samsung Mobile

Original message
From: Ondrej Valousek ovalou...@vendavo.com
Date:
To: and...@wasielewski.co.uk,freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Problem with Kerberised NFS mount

Hard to say. In general, when dealing w/ nfs kerberos, I would advise to:
● Upgrade to the latest fedora
● Make sure idmapper is configured and working fine
● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes keys).

Ondrej

Sent from Samsung Mobile

Original message
From: Andrew Wasielewski and...@wasielewski.co.uk
Date:
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Problem with Kerberised NFS mount

Hello everyone,

I am setting up FreeIPA for a small home network. However I have a problem mounting NFS shares with Kerberos enabled - see syslog output below.

My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS mount directly on the server, which has local firewall disabled - I get the same outcome on a remote client, but this surely eliminates any network issues.

These are my NFS exports, which are visible both locally and remotely with showmount -e:-

[root@server ~]# exportfs -av
exporting gss/krb5:/home
exporting gss/krb5i:/home
exporting gss/krb5p:/home

The command

mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home /mnt/test_mnt

hangs indefinitely. However without the Kerberos export options the NFS share can be mounted both locally and remotely without problem.
Re: [Freeipa-users] Problem with Kerberised NFS mount
On Jul 12, 2013, at 2:43 PM, Ondrej Valousek ovalou...@vendavo.com wrote:

> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the horizon yet? Expiring tickets will render the whole concept unusable otherwise.
> Anyone?

Ask on linux-...@vger.kernel.org. I know upstream is working on this problem.

> O.
>
> Sent from Samsung Mobile
>
> Original message
> From: Ondrej Valousek ovalou...@vendavo.com
> Date:
> To: and...@wasielewski.co.uk,freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Problem with Kerberised NFS mount
>
> Hard to say. In general, when dealing w/ nfs kerberos, I would advise to:
> ● Upgrade to the latest fedora
> ● Make sure idmapper is configured and working fine
> ● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes keys).
>
> Ondrej
>
> Sent from Samsung Mobile
>
> Original message
> From: Andrew Wasielewski and...@wasielewski.co.uk
> Date:
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Problem with Kerberised NFS mount
>
> Hello everyone,
>
> I am setting up FreeIPA for a small home network. However I have a problem mounting NFS shares with Kerberos enabled - see syslog output below.
>
> My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS mount directly on the server, which has local firewall disabled - I get the same outcome on a remote client, but this surely eliminates any network issues.
>
> These are my NFS exports, which are visible both locally and remotely with showmount -e:-
>
> [root@server ~]# exportfs -av
> exporting gss/krb5:/home
> exporting gss/krb5i:/home
> exporting gss/krb5p:/home
>
> The command
>
> mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home /mnt/test_mnt
>
> hangs indefinitely. However without the Kerberos export options the NFS share can be mounted both locally and remotely without problem.
Re: [Freeipa-users] Problem with Kerberised NFS mount
On Jul 12, 2013, at 2:43 PM, Ondrej Valousek ovalou...@vendavo.com wrote:

> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the horizon yet? Expiring tickets will render the whole concept unusable otherwise.

Hi,

I'm looking into Kerberized NFS client issues and bugs. I'll be sure to add this to my todo list. Do you know if anyone has tried with the latest upstream kernel?

--Andy

> Anyone?
> O.
>
> Sent from Samsung Mobile
>
> Original message
> From: Ondrej Valousek ovalou...@vendavo.com
> Date:
> To: and...@wasielewski.co.uk,freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Problem with Kerberised NFS mount
>
> Hard to say. In general, when dealing w/ nfs kerberos, I would advise to:
> ● Upgrade to the latest fedora
> ● Make sure idmapper is configured and working fine
> ● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes keys).
>
> Ondrej
>
> Sent from Samsung Mobile
>
> Original message
> From: Andrew Wasielewski and...@wasielewski.co.uk
> Date:
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Problem with Kerberised NFS mount
>
> Hello everyone,
>
> I am setting up FreeIPA for a small home network. However I have a problem mounting NFS shares with Kerberos enabled - see syslog output below.
>
> My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS mount directly on the server, which has local firewall disabled - I get the same outcome on a remote client, but this surely eliminates any network issues.
>
> These are my NFS exports, which are visible both locally and remotely with showmount -e:-
>
> [root@server ~]# exportfs -av
> exporting gss/krb5:/home
> exporting gss/krb5i:/home
> exporting gss/krb5p:/home
>
> The command
>
> mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home /mnt/test_mnt
>
> hangs indefinitely.
Re: [Freeipa-users] Problem with Kerberised NFS mount
On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:
> F19 has GSS proxy. I encourage you to use it. I know it was tried and worked as several bugs have been addressed. Gunther CCed will be back from PTO next week and should be able to help.

Is the GSS proxy configured by ipa-client-automount?