[Freeipa-users] Secure nfs4 and Fedora 14

2010-11-11 Thread Thomas Sailer
Since I upgraded about two days ago from a fully up-to-date and working
Fedora13 system to Fedora14, I am unable to mount the krb5p nfs4 shares
of the freeipa server (which is itself running a fully up-to-date
Fedora12).

rpc.gssd on the client reports the following:

beginning poll
dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
dir_notify_handler: sig 37 si 0x7fff99e7f930 data 0x7fff99e7f800
dir_notify_handler: sig 37 si 0x7fff99e82ef0 data 0x7fff99e82dc0
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
process_krb5_upcall: service is 'null'
Full hostname for 'server..xxx' is 'server..xxx'
Full hostname for 'clnt..xxx' is 'clnt..xxx'
Key table entry not found while getting keytab entry for 
'root/clnt.@.xxx'
Success getting keytab entry for 'nfs/clnt.@.xxx'
Successfully obtained machine credentials for principal 
'nfs/clnt.@.xxx' stored in ccache 
'FILE:/tmp/krb5cc_machine_.XXX'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_.XXX' are good until 
1289651734
using FILE:/tmp/krb5cc_machine_.XXX as credentials cache for machine creds
using environment variable to select krb5 ccache 
FILE:/tmp/krb5cc_machine_.XXX
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server..xxx
DEBUG: port already set to 2049
creating context with server n...@server..xxx
WARNING: Failed to create krb5 context for user with uid 0 for server 
server..xxx
WARNING: Failed to create machine krb5 context with credentials cache 
FILE:/tmp/krb5cc_machine_.XXX for server server..xxx
WARNING: Machine cache is prematurely expired or corrupted trying to recreate 
cache for server server..xxx
Full hostname for 'server..xxx' is 'server..xxx'
Full hostname for 'clnt..xxx' is 'clnt..xxx'
Key table entry not found while getting keytab entry for 
'root/clnt.@.xxx'
Success getting keytab entry for 'nfs/clnt.@.xxx'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_.XXX' are good until 
1289651734
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_.XXX' are good until 
1289651734
using FILE:/tmp/krb5cc_machine_.XXX as credentials cache for machine creds
using environment variable to select krb5 ccache 
FILE:/tmp/krb5cc_machine_.XXX
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server..xxx
DEBUG: port already set to 2049
creating context with server n...@server..xxx
WARNING: Failed to create krb5 context for user with uid 0 for server 
server..xxx
WARNING: Failed to create machine krb5 context with credentials cache 
FILE:/tmp/krb5cc_machine_.XXX for server server..xxx
WARNING: Failed to create machine krb5 context with any credentials cache for 
server server..xxx
doing error downcall
dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
dir_notify_handler: sig 37 si 0x7fff99e82f30 data 0x7fff99e82e00
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt39
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt38

I need to downgrade the kernel and krb5* to the Fedora13 version to get
nfs4 working again.

Does anybody have an idea why it no longer works?

What is the current party line with respect to nfs4 encryption types?
The admin guide on the freeipa web page still requires des-cbc-crc. But
MIT Kerberos seems to be becoming increasingly hostile to DES. And yes,
I do have allow_weak_crypto = true in krb5.conf/libdefaults.

Thanks,
Tom


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
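As an added example (not code from this thread, from nfs-utils or from FreeIPA), the script below reads an rpc.gssd debug log like the one above, decodes the enctype list the kernel put in its upcall, and reports at which stage the mount failed: before machine credentials were obtained (a keytab or KDC problem) or, as here, afterwards, when the GSS context with the nfs service could not be set up. The embedded log lines are constructed from the excerpt in this message, with the hostnames elided exactly as in the original and the dir_notify_handler noise dropped; the reference time is the send time of this message as shown in the reply header. It also converts the "good until" value, which comes out at 2010-11-13 12:35:34 UTC, later than the message itself, so the "prematurely expired or corrupted" warning is rpc.gssd's retry path after a failed context, not an actual expiry of the cached credentials.

```python
"""Added example: read an rpc.gssd -vvv log and say where the mount failed.

Not code from the thread or from nfs-utils/FreeIPA.  SAMPLE_LOG is
constructed from the excerpt in the message above (hostnames elided as
in the original, dir_notify_handler lines dropped)."""
import re
from datetime import datetime, timezone

# Kerberos enctype numbers (RFC 3961/3962/4757) as the kernel lists them in
# the upcall.  Single DES (1, 2, 3) is what MIT krb5 >= 1.7 refuses to use
# unless allow_weak_crypto = true is set in [libdefaults].
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3}

SAMPLE_LOG = """\
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
process_krb5_upcall: service is 'null'
Key table entry not found while getting keytab entry for 'root/clnt.@.xxx'
Success getting keytab entry for 'nfs/clnt.@.xxx'
Successfully obtained machine credentials for principal 'nfs/clnt.@.xxx' stored in ccache 'FILE:/tmp/krb5cc_machine_.XXX'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_.XXX' are good until 1289651734
creating context with server n...@server..xxx
WARNING: Failed to create krb5 context for user with uid 0 for server server..xxx
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_.XXX for server server..xxx
WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server..xxx
Key table entry not found while getting keytab entry for 'root/clnt.@.xxx'
Success getting keytab entry for 'nfs/clnt.@.xxx'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_.XXX' are good until 1289651734
creating context with server n...@server..xxx
WARNING: Failed to create krb5 context for user with uid 0 for server server..xxx
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_.XXX for server server..xxx
WARNING: Failed to create machine krb5 context with any credentials cache for server server..xxx
doing error downcall
"""

# Send time of the message the log was posted in (11 Nov 2010 13:44:55 +0100).
MAIL_TIME = datetime(2010, 11, 11, 12, 44, 55, tzinfo=timezone.utc)


def parse_upcall_enctypes(log):
    """Enctype numbers the kernel advertised, in its preference order."""
    m = re.search(r"enctypes=([\d,]+)", log)
    return [int(x) for x in m.group(1).split(",") if x] if m else []


def analyse_gssd_log(log, now=MAIL_TIME):
    """Summarise keytab lookups, credential acquisition and context setup."""
    enctypes = parse_upcall_enctypes(log)
    found = sorted(set(re.findall(r"Success getting keytab entry for '([^']+)'", log)))
    missing = sorted(set(re.findall(r"not found while getting keytab entry for '([^']+)'", log)))
    creds = re.search(r"obtained machine credentials for principal '([^']+)'", log)
    expiries = [int(t) for t in re.findall(r"are good until (\d+)", log)]
    expiry = datetime.fromtimestamp(max(expiries), timezone.utc) if expiries else None
    # Per-ccache failures; the "with any credentials cache" line is the final give-up.
    ctx_failures = len(re.findall(r"context with credentials cache", log))
    gave_up = "with any credentials cache" in log

    if creds is None:
        stage = "AS exchange: no machine credentials obtained (keytab or KDC problem)"
    elif gave_up or ctx_failures:
        stage = "GSS context with the nfs service: creds obtained, context setup failed"
    else:
        stage = "ok"

    return {
        "kernel_enctypes": enctypes,
        "kernel_enctype_names": [ENCTYPE_NAMES.get(e, f"enctype {e}") for e in enctypes],
        "kernel_offers_only_weak": bool(enctypes) and set(enctypes) <= WEAK_ENCTYPES,
        "keytab_found": found,
        "keytab_missing": missing,
        "machine_principal": creds.group(1) if creds else None,
        "creds_expiry_utc": expiry.strftime("%Y-%m-%dT%H:%M:%SZ") if expiry else None,
        "creds_valid_at_mail_time": bool(expiry and expiry > now),
        "context_failures": ctx_failures,
        "gave_up": gave_up,
        "stage": stage,
    }


if __name__ == "__main__":
    for key, value in analyse_gssd_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a real capture with `rpc.gssd -f -vvv 2>&1 | tee gssd.log` and feed the file to analyse_gssd_log; the enctype list is worth comparing with `klist -ket /etc/krb5.keytab` on the client, since a keytab whose only key is single DES can be used only when allow_weak_crypto is on.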


Re: [Freeipa-users] Secure nfs4 and Fedora 14

2010-11-11 Thread Simo Sorce
On Thu, 11 Nov 2010 13:44:55 +0100
Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:

> Since I upgraded about two days ago from a fully up-to-date and
> working Fedora13 system to Fedora14, I am unable to mount the krb5p
> nfs4 shares of the freeipa server (which is itself running a fully
> up-to-date Fedora12).
> 
> rpc.gssd on the client reports the following:
> 
> beginning poll
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e7f930 data 0x7fff99e7f800
> dir_notify_handler: sig 37 si 0x7fff99e82ef0 data 0x7fff99e82dc0
> handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
> handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
> process_krb5_upcall: service is 'null'
> Full hostname for 'server..xxx' is 'server..xxx'
> Full hostname for 'clnt..xxx' is 'clnt..xxx'
> Key table entry not found while getting keytab entry for 'root/clnt.@.xxx'
> Success getting keytab entry for 'nfs/clnt.@.xxx'
> Successfully obtained machine credentials for principal 'nfs/clnt.@.xxx' stored in ccache 'FILE:/tmp/krb5cc_machine_.XXX'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_.XXX' are good until 1289651734
> using FILE:/tmp/krb5cc_machine_.XXX as credentials cache for machine creds
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_.XXX
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server server..xxx
> DEBUG: port already set to 2049
> creating context with server n...@server..xxx
> WARNING: Failed to create krb5 context for user with uid 0 for server server..xxx
> WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_.XXX for server server..xxx
> WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server..xxx
> Full hostname for 'server..xxx' is 'server..xxx'
> Full hostname for 'clnt..xxx' is 'clnt..xxx'
> Key table entry not found while getting keytab entry for 'root/clnt.@.xxx'
> Success getting keytab entry for 'nfs/clnt.@.xxx'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_.XXX' are good until 1289651734
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_.XXX' are good until 1289651734
> using FILE:/tmp/krb5cc_machine_.XXX as credentials cache for machine creds
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_.XXX
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server server..xxx
> DEBUG: port already set to 2049
> creating context with server n...@server..xxx
> WARNING: Failed to create krb5 context for user with uid 0 for server server..xxx
> WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_.XXX for server server..xxx
> WARNING: Failed to create machine krb5 context with any credentials cache for server server..xxx
> doing error downcall
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e82f30 data 0x7fff99e82e00
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt39
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt38
> 
> I need to downgrade the kernel and krb5* to the Fedora13 version to
> get nfs4 working again.
> 
> Does anybody have an idea why it no longer works?
> 
> What is the current party line with respect to nfs4 encryption types?
> The admin guide on the freeipa web page still requires des-cbc-crc.
> But MIT Kerberos seems to be becoming increasingly hostile to DES.
> And yes, I do have allow_weak_crypto = true in krb5.conf/libdefaults.

Starting with F14 you can use any crypto for NFS. However, DES should
still just work if you have a DES key.
This looks like a kernel/rpc.gssd bug; I would file a ticket against
those components.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
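Simo's two points (from F14 on any enctype works for NFS; DES still works if the keytab really holds a DES key) both reduce to what is in the client's nfs/ keytab and whether [libdefaults] lets the library use it. The script below is an added example, not code from this thread, from FreeIPA or from MIT krb5: it parses a constructed `klist -ket` listing and two constructed krb5.conf fragments, the F13-era one with allow_weak_crypto = true next to a DES-only keytab, and the stricter one that drops the setting and only works once the keytab also carries an AES key. Principal, realm and host names are placeholders, not the poster's.

```python
"""Added example: decide whether an NFS client's Kerberos setup needs
allow_weak_crypto, from `klist -ket` output and krb5.conf [libdefaults].

Not code from the thread or from FreeIPA/MIT krb5.  The keytab listings
and config fragments are constructed, with placeholder names."""
import re

PRINCIPAL = "nfs/clnt.example.test@EXAMPLE.TEST"  # placeholder

# Constructed `klist -ket` output: the pre-F14 state, one single-DES key.
KLIST_DES_ONLY = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/11/2010 13:40:00 nfs/clnt.example.test@EXAMPLE.TEST (des-cbc-crc)
"""

# Constructed: the same principal re-keyed with AES, DES kept for old peers.
KLIST_WITH_AES = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 11/11/2010 14:05:00 nfs/clnt.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 11/11/2010 14:05:00 nfs/clnt.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3 11/11/2010 14:05:00 nfs/clnt.example.test@EXAMPLE.TEST (des-cbc-crc)
"""

# [libdefaults] as the F13-era guide required it (weak setting) ...
KRB5_CONF_WEAK = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
 allow_weak_crypto = true
"""

# ... and the stricter form F14 allows once a non-DES key is in the keytab.
KRB5_CONF_STRICT = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
"""


def is_weak_enctype(name):
    """Single-DES enctypes: refused by MIT krb5 >= 1.7 unless allow_weak_crypto."""
    return name.startswith("des-")


def parse_klist_keytab(text):
    """Parse `klist -ket` output into {principal: [enctype, ...]}, order kept."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)", line)
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2).strip())
    return entries


def parse_libdefaults(text):
    """Return key = value pairs from the [libdefaults] section of a krb5.conf."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            values[key.lower()] = val
    return values


def usable_nfs_enctypes(keytab, libdefaults, principal):
    """Keys of `principal` that the library would agree to use for GSS-API."""
    allow_weak = libdefaults.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1")
    # permitted_enctypes is matched on exact names here; MIT also accepts
    # aliases and families such as "aes", which this simplified check ignores.
    permitted = libdefaults.get("permitted_enctypes")
    permitted = set(permitted.split()) if permitted else None
    return [enc for enc in keytab.get(principal, [])
            if (allow_weak or not is_weak_enctype(enc))
            and (permitted is None or enc in permitted)]


def needs_allow_weak_crypto(keytab, principal):
    """True when every key for `principal` is single DES (the F13-era state)."""
    keys = keytab.get(principal, [])
    return bool(keys) and all(is_weak_enctype(k) for k in keys)


if __name__ == "__main__":
    for label, klist, conf in (("DES-only keytab, weak config", KLIST_DES_ONLY, KRB5_CONF_WEAK),
                               ("DES-only keytab, strict config", KLIST_DES_ONLY, KRB5_CONF_STRICT),
                               ("AES keytab, strict config", KLIST_WITH_AES, KRB5_CONF_STRICT)):
        kt = parse_klist_keytab(klist)
        usable = usable_nfs_enctypes(kt, parse_libdefaults(conf), PRINCIPAL)
        print(f"{label}: usable={usable or 'NONE (GSS init will fail)'} "
              f"needs_allow_weak_crypto={needs_allow_weak_crypto(kt, PRINCIPAL)}")
```

On a real client, feed it `klist -ket /etc/krb5.keytab` and /etc/krb5.conf; an empty result is the case where the mount cannot work at all, and a DES-only keytab is the signal to fetch a fresh one with a stronger enctype (ipa-getkeytab's -e option selects the enctypes written to the keytab) before dropping allow_weak_crypto.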
