Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Wed, 2010-12-08 at 11:00 -0500, Simo Sorce wrote:
> On Tue, 07 Dec 2010 10:51:55 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:
> > On Mon, 2010-12-06 at 13:53 -0500, Simo Sorce wrote:
> > However krb5nfs still does not work, it hangs now (instead of giving me an instantaneous error). Will investigate further.
>
> Let us know if you solve this problem.

It wasn't really a hang, it terminated after many minutes.

I can now mount the nfs4 exports on all clients with krb5p. However, access to the nfs4 exports is quite unreliable, much too unreliable to have home directories on nfs4. When I start gnome, gnome-settings-daemon and many other daemons get stuck in D state, usually somewhere within nfs4_delay. With KDE, a simple sed with destination file in the home directory gets stuck in fchown.

So I'm back to nfs3 at the moment.

Thanks,
Tom

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Tue, 07 Dec 2010 10:51:55 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:
> On Mon, 2010-12-06 at 13:53 -0500, Simo Sorce wrote:
> Hi Simo,
> > I pushed the patch in git just today :)
>
> Your patch indeed helps :) I've adapted it to the fc14 srpm, compiled it, and at least the extop plugin now uses the openldap libraries:
> http://sailer.fedorapeople.org/ipa-1.2.2-5.fc14.jnx.src.rpm
>
> The unreliability of ipa-getkeytab seems now gone, and the krb5 kdc now issues nfs tickets (the ASN.1 parse error is now gone).

Great, we will steal your port of the patch and release new Fedora packages then :)

> However krb5nfs still does not work, it hangs now (instead of giving me an instantaneous error). Will investigate further.

Let us know if you solve this problem.

Thank you,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Mon, 2010-12-06 at 13:53 -0500, Simo Sorce wrote:
Hi Simo,

> I pushed the patch in git just today :)

Your patch indeed helps :) I've adapted it to the fc14 srpm, compiled it, and at least the extop plugin now uses the openldap libraries:
http://sailer.fedorapeople.org/ipa-1.2.2-5.fc14.jnx.src.rpm

The unreliability of ipa-getkeytab seems now gone, and the krb5 kdc now issues nfs tickets (the ASN.1 parse error is now gone).

However krb5nfs still does not work, it hangs now (instead of giving me an instantaneous error). Will investigate further.

> V2 will need a migration, upgrades are not really possible as we have added/changed a ton of schema and other things in the LDAP tree.

That indeed seems like a bigger project...

Tom
Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Sat, 04 Dec 2010 10:57:13 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:
> Hi,
>
> after upgrading a F12 freeipa server to F14, krb5 nfs no longer works.
>
> 1) ipa-getkeytab works only very unreliably. I get the following about 4 out of 5 times:
>
>     # ipa-getkeytab -s 192.168.1.2 -p nfs/client..xxx -k /etc/krb5.keytab
>     Operation failed! Unable to set key
>
> ipa-delservice, ipa-addservice and other ipa- commands seem to work fine, though.
>
> 2) I get the following log from rpc.gssd on the client:
>
>     # rpc.gssd -f -v -v -v -v -v
>     beginning poll
>     dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
>     dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
>     dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
>     handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
>     handle_gssd_upcall: 'mech=krb5 uid=0 '
>     handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
>     process_krb5_upcall: service is 'null'
>     Full hostname for 'server..xxx' is 'server..xxx'
>     Full hostname for 'client..xxx' is 'client..xxx'
>     Key table entry not found while getting keytab entry for 'root/client.@.xxx'
>     Success getting keytab entry for 'nfs/client.@.xxx'
>     WARNING: Generic error (see e-text) while getting initial ticket for principal 'nfs/client.@.xxx' using keytab 'WRFILE:/etc/krb5.keytab'
>     ERROR: No credentials found for connection to server server..xxx
>     doing error downcall
>     dir_notify_handler: sig 37 si 0x7d2a1170 data 0x7d2a1040
>     dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
>     dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
>     dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
>     dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
>     dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
>     destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1c
>
> 3) In the server's kdc log, I find the following:
>
>     Dec 04 02:09:08 server..xxx krb5kdc[6933](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.220: LOOKING_UP_CLIENT: nfs/client.@.xxx for krbtgt/@.xxx, unable to decode stored principal key data (ASN.1 structure is missing a required field)
>
> Does anybody have an idea how I could get krb5 nfs working again?

We are seeing an issue with F14 DS where it has been built against openldap libraries while we still have plugins built against mozldap.

We have a patch that should be solving some issues against ipav2, if that checks out we will see if we can backport them to ipa 1.2.2 but it may take a little while.

Meanwhile you may want to try to downgrade 389-ds (make sure you backup your data first).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Mon, 2010-12-06 at 10:55 -0500, Simo Sorce wrote:
Hi Simo, thanks for your response!

> We are seeing an issue with F14 DS where it has been built against openldap libraries while we still have plugins built against mozldap.

Where would that help? Just for the ipa-getkeytab reliability issue?

Because after the kerberos keys are in the client's keytab, how is ldap even involved in the nfs issues?

Tom
Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Mon, 06 Dec 2010 18:31:37 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:
> On Mon, 2010-12-06 at 10:55 -0500, Simo Sorce wrote:
> Hi Simo, thanks for your response!
>
> > We are seeing an issue with F14 DS where it has been built against openldap libraries while we still have plugins built against mozldap.
>
> Where would that help? Just for the ipa-getkeytab reliability issue?

Yes, that is probably a side effect of the problem we're solving.

> Because after the kerberos keys are in the client's keytab, how is ldap even involved in the nfs issues?

Keys are stored in ldap and asn.1 encoding is generated using ldap libraries before storing it. If that operation fails it may generate malformed entries that the KDC later can't properly decode.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Mon, 2010-12-06 at 13:35 -0500, Simo Sorce wrote:
> Keys are stored in ldap and asn.1 encoding is generated using ldap libraries before storing it. If that operation fails it may generate malformed entries that the KDC later can't properly decode.

Which patch are you talking about? Is it included in the current alpha (binaries)?

Upgrade to the current alpha might be a better idea than trying to downgrade, or am I overlooking something?

Thanks,
Tom
Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Mon, 06 Dec 2010 19:43:29 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:
> On Mon, 2010-12-06 at 13:35 -0500, Simo Sorce wrote:
> > Keys are stored in ldap and asn.1 encoding is generated using ldap libraries before storing it. If that operation fails it may generate malformed entries that the KDC later can't properly decode.
>
> Which patch are you talking about? Is it included in the current alpha (binaries)?

I pushed the patch in git just today :)

> Upgrade to the current alpha might be a better idea than trying to downgrade, or am I overlooking something?

V2 will need a migration, upgrades are not really possible as we have added/changed a ton of schema and other things in the LDAP tree.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
Hi,

after upgrading a F12 freeipa server to F14, krb5 nfs no longer works.

1) ipa-getkeytab works only very unreliably. I get the following about 4 out of 5 times:

    # ipa-getkeytab -s 192.168.1.2 -p nfs/client..xxx -k /etc/krb5.keytab
    Operation failed! Unable to set key

ipa-delservice, ipa-addservice and other ipa- commands seem to work fine, though.

2) I get the following log from rpc.gssd on the client:

    # rpc.gssd -f -v -v -v -v -v
    beginning poll
    dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
    dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
    dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
    handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
    handle_gssd_upcall: 'mech=krb5 uid=0 '
    handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
    process_krb5_upcall: service is 'null'
    Full hostname for 'server..xxx' is 'server..xxx'
    Full hostname for 'client..xxx' is 'client..xxx'
    Key table entry not found while getting keytab entry for 'root/client.@.xxx'
    Success getting keytab entry for 'nfs/client.@.xxx'
    WARNING: Generic error (see e-text) while getting initial ticket for principal 'nfs/client.@.xxx' using keytab 'WRFILE:/etc/krb5.keytab'
    ERROR: No credentials found for connection to server server..xxx
    doing error downcall
    dir_notify_handler: sig 37 si 0x7d2a1170 data 0x7d2a1040
    dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
    dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
    dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
    dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
    dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
    destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1c

3) In the server's kdc log, I find the following:

    Dec 04 02:09:08 server..xxx krb5kdc[6933](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.220: LOOKING_UP_CLIENT: nfs/client.@.xxx for krbtgt/@.xxx, unable to decode stored principal key data (ASN.1 structure is missing a required field)

Does anybody have an idea how I could get krb5 nfs working again?

Thanks,
Tom
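As an added example (not code from this thread, from FreeIPA or from nfs-utils), a small parser for the client-side keytab that rpc.gssd reads, run against a constructed sample keytab with placeholder names and all-zero keys; it reproduces the lookup order visible in the rpc.gssd log above (root/<host> first, then nfs/<host>) and reports which enctypes the keytab holds for that principal. In the thread the client keytab was actually fine and the decode failure was in the KDC's stored key data, so this check only rules out the client half of the problem.

```python
import struct

def _cos(buf, off):  # keytab counted_octet_string: uint16 big-endian length, then bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502) into {principal, kvno, etype, key} dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size < 0: off -= size; continue   # negative size marks a deleted slot
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _cos(data, off + 2)     # realm comes first, then the name components
        comps = []
        for _ in range(ncomp):
            c, off = _cos(data, off)
            comps.append(c.decode())
        kvno = data[off + 8]                 # uint32 name_type, uint32 timestamp, uint8 vno8
        etype = struct.unpack_from(">H", data, off + 9)[0]
        key, off = _cos(data, off + 11)
        if end - off >= 4:                   # trailing 32-bit kvno overrides vno8 when non-zero
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "etype": etype, "key": key})
        off = end
    return entries

def _enc_entry(principal, kvno, etype, key):  # encoder used only to build the sample below
    name, realm = principal.rsplit("@", 1)
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
# Constructed sample keytab: nfs/ key in AES256 (18) and AES128 (17), no root/ key; placeholder names, zero (not real) key bytes.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    _enc_entry("nfs/client.example.test@EXAMPLE.TEST", 3, 18, bytes(32)),
    _enc_entry("nfs/client.example.test@EXAMPLE.TEST", 3, 17, bytes(16))])

def machine_cred_lookup(entries, host, realm):
    """rpc.gssd's order as seen in the log: root/<host> first, then nfs/<host>."""
    for svc in ("root", "nfs"):
        want = f"{svc}/{host}@{realm}"
        etypes = sorted({e["etype"] for e in entries if e["principal"] == want})
        if etypes: return want, etypes
    return None, []                          # the state just before "No credentials found" in the log
```

Run it on a real /etc/krb5.keytab by passing the file's bytes to parse_keytab; a (None, []) result from machine_cred_lookup means the client side is the problem, while a found nfs/ principal together with the AS_REQ decode error in the KDC log points at the server's stored keys, as it did here.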