Need help with nfsv4 and krb5 access denied

Rick Macklem rmacklem at uoguelph.ca
Tue Jun 26 00:18:14 UTC 2012


Herbert Poeckl wrote:
> Hi everybody.
> 
> We are new to this list and need technical help.
> 
> We are getting access denied error on our debian clients when mounting
> nfsv4 network drives with kerberos 5 authentication.
> 
> What is weird about this is that it works with one server, but not
> with a second server. The configuration on both machines is
> identical, which we have tested by booting from the same USB drive.
> 
Ok, if I understand you correctly, you are booting the 2 machines
using the same USB root disk?

Are they using DHCP to configure their network?
(I'm just checking, since they would need to boot as the same
 hostname and IP address, if they are using the same /etc/krb5.keytab
 file, i.e. they must both think they are
 tmp2.ist.intra@IST.INTRA,
 including name<->IP# resolution (/etc/hosts, DNS, or ???).)

If they are the "same host", then the only other thought is to make
sure that their Time of Day clocks are correctly set.

One simple check you can do on the server to confirm that the
keytab entry is ok is to do:
# kinit -k nfs/tmp2.ist.intra@IST.INTRA
and make sure it can put an entry in root's credential cache
from the keytab.

Beyond that, I have no idea why one would work and the other not.
(I always avoid multiple encryption types for keytabs, since I've
 seen Heimdal get confused about which one to use, but that normally
 happened to me when I was trying to get initiator credentials from
 a keytab entry.)

Hopefully someone else conversant with kerberos can help, rick


> The one where it works on is an Intel based standard workstation (HP
> DC7800). The machine where it does not work is an AMD Opteron based
> server (Sun X4540). Any other kerberos authentication (like smb and
> netatalk) works fine.
> 
> We basically followed these instructions:
> http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
> 
> Our system configuration looks as follows:
> -- 8< ----------------------------------------- >8 --
> root@tmp2:/root # uname -a
> FreeBSD tmp2.ist.intra 9.0-STABLE FreeBSD 9.0-STABLE #4: Thu Jun 14 08:58:14 UTC 2012 root@srv.ist.intra:/usr/obj/system/usr/src/sys/SRV amd64
> 
> 
> root@tmp2:/root # diff /usr/src/sys/amd64/conf/GENERIC /usr/src/sys/amd64/conf/SRV
> 348a349,354
> >
> >
> > options KGSSAPI
> > device crypto
> >
> > options NETATALK
> 
> 
> root@tmp2:/root # cat /etc/krb5.conf
> [libdefaults]
> default_realm = IST.INTRA
> forwardable = true
> proxiable = true
> 
> 
> root@tmp2:/root # ktutil list
> FILE:/etc/krb5.keytab:
> 
> Vno Type Principal
> 1 aes256-cts-hmac-sha1-96 nfs/tmp2.ist.intra@IST.INTRA
> 1 des3-cbc-sha1 nfs/tmp2.ist.intra@IST.INTRA
> 1 arcfour-hmac-md5 nfs/tmp2.ist.intra@IST.INTRA
> 
> ktutil: krb5_kt_start_seq_get krb4:/etc/srvtab: open(/etc/srvtab): No such file or directory
> 
> 
> root@tmp2:/root # cat /etc/exports
> 
> V4: /tmp -sec=krb5p -network 192.168.1.0 -mask 255.255.255.0
> /tmp/blah -sec=krb5p -network 192.168.1.0 -mask 255.255.255.0
> root@tmp2:/root #
> 
> 
> 
> root@tmp2:/root # less /var/run/dmesg.boot
> FreeBSD 9.0-STABLE #4: Thu Jun 14 08:58:14 UTC 2012
> root@srv.ist.intra:/usr/obj/system/usr/src/sys/SRV amd64
> CPU: Six-Core AMD Opteron(tm) Processor 2435 (2600.16-MHz K8-class CPU)
> Origin = "AuthenticAMD" Id = 0x100f80 Family = 10 Model = 8 Stepping = 0
> 
> Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
> Features2=0x802009<SSE3,MON,CX16,POPCNT>
> AMD Features=0xee500800<SYSCALL,NX,MMX+,FFXSR,Page1GB,RDTSCP,LM,3DNow!+,3DNow!>
> AMD Features2=0x37ff<LAHF,CMP,SVM,ExtAPIC,CR8,ABM,SSE4A,MAS,Prefetch,OSVW,IBS,SKINIT,WDT>
> TSC: P-state invariant
> -- 8< ----------------------------------------- >8 --
> 
> Any help is greatly appreciated.
> 
> Kind regards,
> Herbert Poeckl
> 
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
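The server-side checks Rick suggests above (host name matches the keytab principal, forward and reverse name resolution agree, the keytab holds the principal, and `kinit -k` succeeds from it) collected into one script. This is an added example, not code from the thread; it assumes Heimdal's `ktutil list` output format shown above, defaults to the principal from the thread, and the `--run` flag and function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a kerberized NFSv4
# server's keytab. Assumes Heimdal "ktutil list" output ("Vno Type Principal").

# Host part of a service principal: nfs/tmp2.ist.intra@IST.INTRA -> tmp2.ist.intra
principal_host() { printf '%s\n' "$1" | sed -e 's|^[^/]*/||' -e 's|@.*$||'; }

# Does the local host name match the host in the principal? (case-insensitive)
host_matches_principal() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(principal_host "$2" | tr 'A-Z' 'a-z')" ]
}

# Number of keytab entries (enctypes) for a principal in "ktutil list" output on stdin.
# Several enctypes are legal, but Heimdal has been seen to pick the wrong one, so report it.
keytab_enctype_count() { awk -v p="$1" '$3 == p { n++ } END { print n + 0 }'; }

# Given the "getent hosts NAME" line, the "getent hosts ADDR" line and the expected
# name, check that the forward lookup's address resolves back to that same name.
resolution_consistent() {
    fwd_addr=$(printf '%s\n' "$1" | awk '{ print $1 }')
    rev_addr=$(printf '%s\n' "$2" | awk '{ print $1 }')
    rev_name=$(printf '%s\n' "$2" | awk '{ print $2 }')
    [ "$fwd_addr" = "$rev_addr" ] && [ "$rev_name" = "$3" ]
}

# Live checks on the server; run as root so kinit -k can read /etc/krb5.keytab.
run_live_checks() {
    princ=${1:-nfs/tmp2.ist.intra@IST.INTRA}   # default: the principal from the thread
    host=$(hostname); phost=$(principal_host "$princ")
    host_matches_principal "$host" "$princ" || echo "WARN: hostname '$host' != principal host '$phost'"
    fwd=$(getent hosts "$phost") || { echo "FAIL: '$phost' does not resolve"; return 1; }
    rev=$(getent hosts "$(printf '%s\n' "$fwd" | awk '{ print $1 }')")
    resolution_consistent "$fwd" "$rev" "$phost" || echo "WARN: forward/reverse lookups of $phost disagree"
    n=$(ktutil list | keytab_enctype_count "$princ")
    [ "$n" -gt 0 ] || { echo "FAIL: $princ not in keytab"; return 1; }
    [ "$n" -gt 1 ] && echo "NOTE: $n enctypes for $princ in keytab"
    if err=$(kinit -k "$princ" 2>&1); then
        echo "OK: kinit -k $princ succeeded"; klist
    else
        echo "FAIL: kinit -k: $err"
        case $err in *"Clock skew"*) echo "  -> compare this host's clock with the KDC";; esac
        return 1
    fi
}

if [ "${1:-}" = "--run" ]; then run_live_checks "$2"; fi
```

Invoke as `sh checks.sh --run nfs/tmp2.ist.intra@IST.INTRA` on each server; the pure helper functions can also be sourced and fed saved `ktutil list` output from another machine.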