Need help with nfsv4 and krb5 access denied

Herbert Poeckl freebsdml at ist.tugraz.at
Wed Jun 27 20:31:56 UTC 2012


Hello everyone,


We did more testing on this topic.

After we found a few hosts, basically HP desktop workstations with Intel
onboard NICs, that worked and more hosts that didn't work, we placed a
second PCI based NIC into one of the hosts that worked.


The surprising result is:
With the onboard NIC, the NFS Kerberos mount works fine. When the second
NIC takes over, we get an access denied!


Here is the keylog of what we did.

A few explanations: em0 is the embedded onboard card, em1 is the PCI
card we plugged into the machine[1].

192.168.1.164 is the IP address the server is configured for (which is
tmp2.ist.intra in our DNS resolution). 192.168.6.2 is just a placeholder
address. Both NICs are connected to the same switch (there is no
firewall or VPN configured).

The system boots up with em0 as 192.168.1.164 and em1 as 192.168.6.2.[2]
This is the configuration that works, see also the attached tcpdump on
that interface[5].

Now we change the IP addresses of em0 to the placeholder address and em1
to the server's address and prove that the name resolution is still
available[3]. This is where we get an access denied on the Linux NFS
client, see tcpdump[6].

When we switch the IP addresses back[4], everything starts working again.


Please note: It doesn't make any difference if we configure em1 as the
server IP address and em0 as placeholder at startup time, the result is
the same.


We do hope that the dump is of any use. If not, or if there are better
ways to debug the problem, your help would be welcome.

Kind regards,
  Herbert Poeckl


[1]
--- 8<  --------------------------------  >8 ---
root@tmp2:/root # dmesg | grep em0
em0: <Intel(R) PRO/1000 Network Connection 7.3.2> port 0x3100-0x311f mem 0xf3100000-0xf311ffff,0xf3125000-0xf3125fff irq 19 at device 25.0 on pci0
em0: Using an MSI interrupt
em0: Ethernet address: 00:0f:fe:e7:1c:ae
em0: link state changed to UP


root@tmp2:/root # dmesg | grep em1
em1: <Intel(R) PRO/1000 Legacy Network Connection 1.0.4> port 0x1100-0x113f mem 0xf3040000-0xf305ffff,0xf3000000-0xf303ffff irq 20 at device 4.0 on pci7
em1: Ethernet address: 00:1b:21:00:8b:2b
em1: link state changed to UP
--- 8<  --------------------------------  >8 ---


[2]
--- 8<  --------------------------------  >8 ---
root@tmp2:/root # grep em0 /etc/rc.conf
ifconfig_em0="inet 192.168.1.164 netmask 255.255.255.0"

root@tmp2:/root # grep em1 /etc/rc.conf
ifconfig_em1="inet 192.168.6.2 netmask 255.255.255.0"

root@tmp2:/root # grep defaultrouter /etc/rc.conf
defaultrouter="192.168.1.1"

root@tmp2:/root # host tmp2
tmp2.ist.intra has address 192.168.1.164
--- 8<  --------------------------------  >8 ---


[3]
--- 8<  --------------------------------  >8 ---
root@tmp2:/root # ifconfig em0 192.168.6.2 netmask 255.255.255.0 ; ifconfig em1 192.168.1.164 netmask 255.255.255.0 ; /etc/rc.d/routing restart
route: writing to routing socket: No such process
delete net default: gateway 192.168.1.1: not in table
delete net ::ffff:0.0.0.0: gateway ::1
delete net ::0.0.0.0: gateway ::1
delete net fe80::: gateway ::1
delete net ff02::: gateway ::1
add net default: gateway 192.168.1.1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
add net fe80::: gateway ::1
add net ff02::: gateway ::1
root@tmp2:/root #

root@tmp2:/root # host tmp2
tmp2.ist.intra has address 192.168.1.164
--- 8<  --------------------------------  >8 ---

[4]
--- 8<  --------------------------------  >8 ---
root@tmp2:/root # ifconfig em0 192.168.1.164 netmask 255.255.255.0 ; ifconfig em1 192.168.6.2 netmask 255.255.255.0 ; /etc/rc.d/routing restart
route: writing to routing socket: No such process
delete net default: gateway 192.168.1.1: not in table
delete net ::ffff:0.0.0.0: gateway ::1
delete net ::0.0.0.0: gateway ::1
delete net fe80::: gateway ::1
delete net ff02::: gateway ::1
add net default: gateway 192.168.1.1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
add net fe80::: gateway ::1
add net ff02::: gateway ::1
root@tmp2:/root #
--- 8<  --------------------------------  >8 ---

[5] tcpdump(1) working:
--- 8<  --------------------------------  >8 ---
15:47:21.151932 ARP, Request who-has 192.168.1.164 tell 192.168.1.40,
length 46
15:47:21.151937 ARP, Reply 192.168.1.164 is-at 00:0f:fe:e7:1c:ae, length 28
15:47:21.152065 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [S], seq
2632408361, win 14600, options [mss 1460,sackOK,TS val 22818996 ecr
0,nop,wscale 6], length 0
15:47:21.152077 IP 192.168.1.164.2049 > 192.168.1.40.863: Flags [S.],
seq 1896997472, ack 2632408362, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 320086661 ecr 22818996], length 0
15:47:21.152196 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [.], ack
1, win 229, options [nop,nop,TS val 22818996 ecr 320086661], length 0
15:47:21.152213 IP 192.168.1.40.2561817139 > 192.168.1.164.2049: 40 null
15:47:21.152237 IP 192.168.1.164.2049 > 192.168.1.40.863: Flags [.], ack
45, win 29127, options [nop,nop,TS val 320086661 ecr 22818996], length 0
15:47:21.152250 IP 192.168.1.164.2049 > 192.168.1.40.2561817139: reply
ok 24 null
15:47:21.152329 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [.], ack
29, win 229, options [nop,nop,TS val 22818996 ecr 320086661], length 0
15:47:21.195274 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [S],
seq 2939335575, win 14600, options [mss 1460,sackOK,TS val 22819007 ecr
0,nop,wscale 6], length 0
15:47:21.195284 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [S.],
seq 3331281133, ack 2939335576, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 2607816079 ecr 22819007], length 0
15:47:21.195409 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [.],
ack 1, win 229, options [nop,nop,TS val 22819007 ecr 2607816079], length 0
15:47:21.237686 IP 192.168.1.40.3743254751 > 192.168.1.164.2049: 696 null
15:47:21.237700 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [.],
ack 701, win 29127, options [nop,nop,TS val 2607816121 ecr 22819018],
length 0
15:47:21.238121 IP 192.168.1.164.2049 > 192.168.1.40.3743254751: reply
ok 248 null
15:47:21.238370 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [.],
ack 253, win 245, options [nop,nop,TS val 22819018 ecr 2607816121], length 0
15:47:21.278494 IP 192.168.1.40.3726477535 > 192.168.1.164.2049: 68 null
15:47:21.278499 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [F.],
seq 773, ack 253, win 245, options [nop,nop,TS val 22819028 ecr
2607816121], length 0
15:47:21.278506 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [.],
ack 774, win 29125, options [nop,nop,TS val 2607816162 ecr 22819028],
length 0
15:47:21.278508 IP 192.168.1.40.2578594355 > 192.168.1.164.2049: 208
getattr fh 0,100/0
15:47:21.278520 IP 192.168.1.164.2049 > 192.168.1.40.38896: Flags [F.],
seq 253, ack 774, win 29127, options [nop,nop,TS val 2607816162 ecr
22819028], length 0
15:47:21.278630 IP 192.168.1.40.38896 > 192.168.1.164.2049: Flags [.],
ack 254, win 245, options [nop,nop,TS val 22819028 ecr 2607816162], length 0
15:47:21.281980 IP 192.168.1.164.2049 > 192.168.1.40.2578594355: reply
ok 348 getattr ERROR: unk 292
15:47:21.282248 IP 192.168.1.40.863 > 192.168.1.164.2049: Flags [.], ack
381, win 245, options [nop,nop,TS val 22819029 ecr 320086790], length 0
15:47:21.282389 IP 192.168.1.40.2595371571 > 192.168.1.164.2049: 232
getattr fh 0,124/0
15:47:21.282431 IP 192.168.1.164.2049 > 192.168.1.40.2595371571: reply
ok 180 getattr ERROR: unk 124
15:47:21.282749 IP 192.168.1.40.2612148787 > 192.168.1.164.2049: 236
getattr fh 0,128/0
15:47:21.282807 IP 192.168.1.164.2049 > 192.168.1.40.2612148787: reply
ok 204 getattr ERROR: unk 148
--- 8<  --------------------------------  >8 ---

[6] tcpdump(1) with access denied:
--- 8<  --------------------------------  >8 ---
15:57:01.626475 ARP, Request who-has 192.168.1.164 tell 192.168.1.40,
length 46
15:57:01.626480 ARP, Reply 192.168.1.164 is-at 00:1b:21:00:8b:2b, length 28
15:57:01.626595 IP 192.168.1.40.888 > 192.168.1.164.2049: Flags [S], seq
344782976, win 14600, options [mss 1460,sackOK,TS val 22964116 ecr
0,nop,wscale 6], length 0
15:57:01.626606 IP 192.168.1.164.2049 > 192.168.1.40.888: Flags [S.],
seq 4111877472, ack 344782977, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 2914443055 ecr 22964116], length 0
15:57:01.626725 IP 192.168.1.40.888 > 192.168.1.164.2049: Flags [.], ack
1, win 229, options [nop,nop,TS val 22964116 ecr 2914443055], length 0
15:57:01.626741 IP 192.168.1.40.2525406720 > 192.168.1.164.2049: 40 null
15:57:01.626761 IP 192.168.1.164.2049 > 192.168.1.40.888: Flags [.], ack
45, win 29127, options [nop,nop,TS val 2914443055 ecr 22964116], length 0
15:57:01.626772 IP 192.168.1.164.2049 > 192.168.1.40.2525406720: reply
ok 24 null
15:57:01.626974 IP 192.168.1.40.888 > 192.168.1.164.2049: Flags [.], ack
29, win 229, options [nop,nop,TS val 22964116 ecr 2914443055], length 0
15:57:01.643462 IP 192.168.6.181.17500 > 192.168.6.255.17500: UDP,
length 132
15:57:01.684686 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [S],
seq 2437332411, win 14600, options [mss 1460,sackOK,TS val 22964130 ecr
0,nop,wscale 6], length 0
15:57:01.684695 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [S.],
seq 3809706473, ack 2437332412, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 898091316 ecr 22964130], length 0
15:57:01.684818 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [.],
ack 1, win 229, options [nop,nop,TS val 22964130 ecr 898091316], length 0
15:57:01.765886 IP 192.168.1.40.3742773980 > 192.168.1.164.2049: 696 null
15:57:01.765899 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [.],
ack 701, win 29127, options [nop,nop,TS val 898091398 ecr 22964150],
length 0
15:57:01.766296 IP 192.168.1.164.2049 > 192.168.1.40.3742773980: reply
ok 248 null
15:57:01.766513 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [.],
ack 253, win 245, options [nop,nop,TS val 22964151 ecr 898091398], length 0
15:57:01.828347 IP 192.168.1.40.3725996764 > 192.168.1.164.2049: 68 null
15:57:01.828352 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [F.],
seq 773, ack 253, win 245, options [nop,nop,TS val 22964166 ecr
898091398], length 0
15:57:01.828359 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [.],
ack 774, win 29125, options [nop,nop,TS val 898091460 ecr 22964166],
length 0
15:57:01.828371 IP 192.168.1.164.2049 > 192.168.1.40.3725996764: reply
ERR 20: Auth Invalid failure code 13
15:57:01.828374 IP 192.168.1.40.2542183936 > 192.168.1.164.2049: 208
getattr fh 0,100/0
15:57:01.828378 IP 192.168.1.164.2049 > 192.168.1.40.52648: Flags [F.],
seq 277, ack 774, win 29127, options [nop,nop,TS val 898091460 ecr
22964166], length 0
15:57:01.828403 IP 192.168.1.164.2049 > 192.168.1.40.2542183936: reply
ERR 20: Auth Invalid failure code 13
15:57:01.828478 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [R],
seq 2437333185, win 0, length 0
15:57:01.828482 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [R],
seq 2437333185, win 0, length 0
--- 8<  --------------------------------  >8 ---
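
An added example, not part of the original post: it rejoins the wrapped tcpdump lines of dump [6], pairs each RPC call with its reply by XID (tcpdump prints the XID where the port would be), and names the rejection code using the auth_stat enumeration from RFC 5531. The sample input is abridged from dump [6]; the function and table names are chosen for this example.

```python
import re

# Subset of the auth_stat enum in RFC 5531; 13 and 14 are the RPCSEC_GSS values.
AUTH_STAT = {1: "AUTH_BADCRED", 2: "AUTH_REJECTEDCRED",
             13: "RPCSEC_GSS_CREDPROBLEM", 14: "RPCSEC_GSS_CTXPROBLEM"}

# Abridged from dump [6] above, keeping the mail client's line wrapping.
SAMPLE = """\
15:57:01.765886 IP 192.168.1.40.3742773980 > 192.168.1.164.2049: 696 null
15:57:01.766296 IP 192.168.1.164.2049 > 192.168.1.40.3742773980: reply
ok 248 null
15:57:01.766513 IP 192.168.1.40.52648 > 192.168.1.164.2049: Flags [.],
ack 253, win 245, options [nop,nop,TS val 22964151 ecr 898091398], length 0
15:57:01.828347 IP 192.168.1.40.3725996764 > 192.168.1.164.2049: 68 null
15:57:01.828371 IP 192.168.1.164.2049 > 192.168.1.40.3725996764: reply
ERR 20: Auth Invalid failure code 13
15:57:01.828374 IP 192.168.1.40.2542183936 > 192.168.1.164.2049: 208
getattr fh 0,100/0
15:57:01.828403 IP 192.168.1.164.2049 > 192.168.1.40.2542183936: reply
ERR 20: Auth Invalid failure code 13
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
CALL = re.compile(r"^(\S+) IP \S+\.(\d+) > \S+\.2049: (\d+) (\w+)")
REPLY = re.compile(r"^(\S+) IP \S+\.2049 > \S+\.(\d+): reply (.*)$")

def unwrap(text):
    """Rejoin records: a line without a leading timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def rejected_calls(text):
    """Pair RPC calls and replies by XID; return the calls the server rejected."""
    calls, rejected = {}, []
    for rec in unwrap(text):
        if "Flags [" in rec:  # plain TCP segment, no RPC header decoded
            continue
        if m := CALL.match(rec):
            calls[m.group(2)] = (m.group(4), int(m.group(3)))
        elif (m := REPLY.match(rec)) and m.group(3).startswith("ERR"):
            code = int(m.group(3).rsplit(" ", 1)[1])
            proc, size = calls.get(m.group(2), ("?", 0))
            rejected.append((m.group(2), proc, size, AUTH_STAT.get(code, str(code))))
    return rejected
```

On the sample, the 696-byte null call is accepted and the first rejection is the 68-byte null call that follows it; code 13 maps to RPCSEC_GSS_CREDPROBLEM.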


More information about the freebsd-stable mailing list