[Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client

Thomas Sailer sailer at sailer.dynip.lugs.ch
Sat Dec 4 09:57:13 UTC 2010


Hi,

after upgrading a F12 freeipa server to F14, krb5 nfs no longer works.

1) ipa-getkeytab works only very unreliably. I get the following about 4
out of 5 times:
# ipa-getkeytab -s 192.168.1.2 -p nfs/client.xxxx.xxx -k /etc/krb5.keytab 
Operation failed! Unable to set key

ipa-delservice, ipa-addservice and other ipa- commands seem to work
fine, though.

2) I get the following log from rpc.gssd on the client:
# rpc.gssd -f -v -v -v -v -v
beginning poll
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
handle_gssd_upcall: 'mech=krb5 uid=0 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
process_krb5_upcall: service is '<null>'
Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
Full hostname for 'client.xxxx.xxx' is 'client.xxxx.xxx'
Key table entry not found while getting keytab entry for 'root/client.xxxx.xxx at XXXX.XXX'
Success getting keytab entry for 'nfs/client.xxxx.xxx at XXXX.XXX'
WARNING: Generic error (see e-text) while getting initial ticket for principal 'nfs/client.xxxx.xxx at XXXX.XXX' using keytab 'WRFILE:/etc/krb5.keytab'
ERROR: No credentials found for connection to server server.xxxx.xxx
doing error downcall
dir_notify_handler: sig 37 si 0x7ffffd2a1170 data 0x7ffffd2a1040
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1c


3) In the server's kdc log, I find the following:
Dec 04 02:09:08 server.xxxx.xxx krb5kdc[6933](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.220: LOOKING_UP_CLIENT: nfs/client.xxxx.xxx at XXXX.XXX for krbtgt/XXXX.XXX at XXXX.XXX, unable to decode stored principal key data (ASN.1 structure is missing a required field)

Does anybody have an idea how I could get krb5 nfs working again?

Thanks,
Tom




