new Heimdal version, was NFSv3 + krb5 mysteries - need help tracking down

Rick Macklem rmacklem at uoguelph.ca
Fri Jun 29 23:48:39 UTC 2012


Someone was/is recently working on a Heimdal upgrade, but I'm
not sure if they are doing it as a port or part of the base
system.

Otherwise, the version of Kerberos in FreeBSD is quite old
(around Heimdal 1.0.5 I think?) and it would be no surprise
that the new gssapi wouldn't be supported.

Maybe the person working on the newer Heimdal can comment?
(I've changed the subject line so they might notice.)

rick

----- Original Message -----
> Hi,
> 
> I have a FreeBSD 9-STABLE acting as a kerberized NFSv3 server.
> 
> server# ktutil list
> FILE:/etc/krb5.keytab:
> 
> Vno Type Principal
> 5 aes256-cts-hmac-sha1-96 nfs/server.linguamatics.com@LINGUAMATICS.COM
> 5 des3-cbc-sha1 nfs/server.linguamatics.com@LINGUAMATICS.COM
> 5 arcfour-hmac-md5 nfs/server.linguamatics.com@LINGUAMATICS.COM
> 
> ntp in sync everywhere
> 
> The network is a lagg device composed of two bce interfaces (an add-in
> card).
> 
> -- 8< [nfstest.sh] --
> #!/bin/bash
> 
> i=0
> fail=0
> while [ $i -lt 100 ]
> do
> i=$[i+1]
> echo "RUN: $i"
> umount -f /mnt
> sleep 1
> mount -v -o sec=krb5i,vers=3,proto=tcp server:/export/share /mnt || fail=$[fail+1]
> done
> echo "$fail times failed"
> -- 8< --
> 
> centos62# ./nfstest.sh
> 54 times failed
> 
> ubuntu1204# ./nfstest.sh
> 98 times failed
> 
> ubuntu1104# ./nfstest.sh
> 0 times failed
> 
> centos58# ./nfstest.sh
> 0 times failed
> 
> I started rpc.gssd -vvvvv on all linux clients.
> 
> The clients which did not fail are using gssapi v1 with DES.
> Jun 29 18:17:41 centos58 rpc.gssd[1452]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
> Jun 29 18:04:36 ubuntu1104 rpc.gssd[911]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
> The failing clients are using the newer gssapi v2 with AES256.
> Jun 29 17:59:37 ubuntu1204 rpc.gssd[756]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> Jun 29 17:55:48 centos62 rpc.gssd[1183]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> 
> Note the different RFC being used. This is just a suspicion; this may
> not be related to the problem.
> The cipher being used is different too.
> 
> Then I changed my script to proto=udp.
> from ubuntu1104 fails 0 times.
> from centos62 fails 0 times.
> 
> On centos58 and ubuntu1204 mount locks up all the time.
> 
> Then I added to krb5.conf [libdefaults]
> default_tgs_enctypes = dec-cbc-crc and rebooted both centos58 and
> ubuntu1204.
> 
> After rebooting centos56 and ubuntu1204:
> 
> nfstest fails 0 times on centos58 with udp
> I get very long response times for ubuntu1204 mounts and always a
> permission denied.
> 
> This is a mystery.
> 
> I have not tested NFSv4 yet.
> 
> I need some help to track down this problem.
> 
> Attila
> 
> PS: This may be the same problem as this thread:
> http://lists.freebsd.org/pipermail/freebsd-stable/2012-June/068619.html
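Added example (not part of the original messages): a POSIX shell helper that tabulates, per client, which GSS context format (RFC 1964 or RFC 4121) and Kerberos enctype rpc.gssd logged, the comparison the post makes by hand. The sample input is the four log lines quoted above, unwrapped; the function names are hypothetical, and the name for enctype 4 follows the MIT krb5 headers.

```shell
#!/bin/sh
# Sample input: the four rpc.gssd lines quoted in the post, unwrapped.
sample_log() {
    cat <<'EOF'
Jun 29 18:17:41 centos58 rpc.gssd[1452]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
Jun 29 18:04:36 ubuntu1104 rpc.gssd[911]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
Jun 29 17:59:37 ubuntu1204 rpc.gssd[756]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Jun 29 17:55:48 centos62 rpc.gssd[1183]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
EOF
}

# Read syslog lines on stdin; print "host rfcNNNN enctype name" once per
# distinct combination, sorted. Lines that are not rpc.gssd context
# serialization messages are ignored.
gssd_enctypes() {
    awk '
    BEGIN {
        # Kerberos enctype numbers (4 is des-cbc-raw in MIT krb5).
        name[1] = "des-cbc-crc"; name[3] = "des-cbc-md5"
        name[4] = "des-cbc-raw"; name[16] = "des3-cbc-sha1"
        name[17] = "aes128-cts-hmac-sha1-96"
        name[18] = "aes256-cts-hmac-sha1-96"
        name[23] = "arcfour-hmac-md5"
    }
    $5 ~ /^rpc\.gssd\[[0-9]+\]:$/ && $6 ~ /^prepare_krb5_rfc[0-9]+_buffer:$/ {
        rfc = $6
        sub(/^prepare_krb5_/, "", rfc); sub(/_buffer:$/, "", rfc)
        et = ""
        for (i = 7; i < NF; i++) if ($i == "enctype") et = $(i + 1)
        if (et !~ /^[0-9]+$/) next          # malformed line, skip it
        n = (et in name) ? name[et] : "unknown"
        key = $4 " " rfc " " et " " n
        if (!(key in seen)) { seen[key] = 1; print key }
    }' | sort
}

# Hosts whose GSS context key is single DES (enctypes 1, 3, 4), which
# RFC 6649 deprecates; one host per line.
single_des_hosts() {
    gssd_enctypes | awk '$3 == 1 || $3 == 3 || $3 == 4 { print $1 }' | sort -u
}

sample_log | gssd_enctypes
```

To run it over a real capture, feed the client's syslog file to `gssd_enctypes` on stdin instead of `sample_log`.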