Need help with nfsv4 and krb5 access denied
Herbert Poeckl
freebsdml at ist.tugraz.at
Wed Jun 27 09:34:44 UTC 2012
Hi Rick,
thank you very much for answering.
On 06/26/2012 02:17 AM, Rick Macklem wrote:
> Herbert Poeckl wrote:
>> Hi everybody.
>>
>> We are new to this list and need technical help.
>>
>> We are getting access denied error on our debian clients when mounting
>> nfsv4 network drives with kerberos 5 authentication.
>>
>> What is weird about this is that it works with one server, but not
>> with a second server. The configuration on both machines is
>> identical, which we have tested by booting from the same USB drive.
>>
> Ok, if I understand you correctly, you are booting the 2 machines
> using the same USB root disk?
This is correct. As you can guess, it is for testing purpose only.
> Are they using DHCP to configure their network?
> (I'm just checking, since they would need to boot as the same
> hostname and IP address, if they are using the same /etc/krb5.keytab
> file. ie. They must both think they are:
> tmp2.ist.intra at IST.INTRA
> including name<->IP# resolution (/etc/hosts, DNS, or ???)
>
> If they are the "same host", then the only other thought is to make
> sure that their Time of Day clocks are correctly set.
The hosts IP address is set statically. Name resolution is done with
DNS, see keylog below[1]. Time is synchronized on system startup against
a local time server.
> One simple check you can do on the server to confirm that the
> keytab entry is ok is to do:
> # kinit -k nfs/tmp2.ist.intra at IST.INTRA
> and make sure it can put an entry in root's credential cache
> from the keytab.
We performed a check. The output seems right, as you can see in [2].
Is there anything else we can check?
> Beyond that, I have no idea why one would work and the other not.
> (I always avoid multiple encryption types for keytabs, since I've
> seen Heimdal get confused about which one to use, but that normally
> happened to me when I was trying to get initiator credentials from
> a keytab entry.)
Reducing the encryption type to only one (des3-cbc-sha1) did not change
the result.
> Hopefully someone else conversant with kerberos can help, rick
[1]
--- 8< -------------------------------- >8 ---
root at tmp2:/root # hostname
tmp2.ist.intra
root at tmp2:/root # ifconfig INT
INT: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
ether 00:21:28:45:c3:be
inet 192.168.1.164 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::221:28ff:fe45:c3be%INT prefixlen 64 scopeid 0x3
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
root at tmp2:/root # host tmp2.ist.intra
tmp2.ist.intra has address 192.168.1.164
root at tmp2:/root # host 192.168.1.164
164.1.168.192.in-addr.arpa domain name pointer tmp2.ist.intra.
--- 8< -------------------------------- >8 ---
[2]
--- 8< -------------------------------- >8 ---
root at tmp2:/root # kinit -k nfs/tmp2.ist.intra
root at tmp2:/root # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: nfs/tmp2.ist.intra at IST.INTRA
Issued Expires Principal
Jun 26 08:34:10 Jun 26 18:34:04 krbtgt/IST.INTRA at IST.INTRA
root at tmp2:/root #
--- 8< -------------------------------- >8 ---
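An added sanity-check script (not from this thread or from FreeBSD) that turns the three things Rick asked about into offline-testable checks: name<->IP round-trip, the keytab principal being exactly nfs/<fqdn>@REALM, and clock skew within the Kerberos default. The realm IST.INTRA and host tmp2.ist.intra are taken from the thread; the 300 s skew limit and the awk field positions assume host(1) and Heimdal klist output formatted as in [1] and [2].

```shell
#!/bin/sh
# Added example: each check takes command output as arguments so it can be
# run without a KDC; the live section at the bottom feeds it real output.

# Forward and reverse lookups must round-trip. host(1) prints the PTR
# target with a trailing dot, which is stripped before comparing.
dns_roundtrip_ok() {
    fqdn=$1; fwd_ip=$2; ptr_name=$3
    [ -n "$fwd_ip" ] && [ "${ptr_name%.}" = "$fqdn" ]
}

# The principal klist reports after `kinit -k nfs/<fqdn>` must be exactly
# nfs/<fqdn>@<REALM>; a host booted under another name or realm (or whose
# keytab was cut for a different host) will show something else here.
principal_matches() {
    fqdn=$1; realm=$2; klist_principal=$3
    [ "$klist_principal" = "nfs/$fqdn@$realm" ]
}

# Kerberos rejects tickets when client and KDC clocks differ by more than
# the allowed skew (assumed default 300 s); both arguments are epoch seconds.
clock_skew_ok() {
    a=$1; b=$2; limit=${3:-300}
    diff=$((a - b)); [ "$diff" -lt 0 ] && diff=$((-diff))
    [ "$diff" -le "$limit" ]
}

# Live run, only when the tools are present; output lines follow the
# formats shown in [1] and [2] of the thread.
if command -v host >/dev/null 2>&1 && command -v klist >/dev/null 2>&1; then
    fqdn=$(hostname)
    ip=$(host "$fqdn" 2>/dev/null | awk '/has address/ {print $4; exit}')
    ptr=$(host "$ip" 2>/dev/null | awk '/domain name pointer/ {print $5; exit}')
    dns_roundtrip_ok "$fqdn" "$ip" "$ptr" \
        || echo "DNS round-trip mismatch: $fqdn -> $ip -> $ptr"
    princ=$(klist 2>/dev/null | awk '/^Principal:/ {print $2; exit}')
    principal_matches "$fqdn" IST.INTRA "$princ" \
        || echo "unexpected principal in credential cache: '$princ'"
fi
```

Run it on both machines booted from the shared USB drive; any mismatch printed is a difference between the two hosts that the identical root filesystem cannot explain.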