[Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client

Simo Sorce ssorce at redhat.com
Mon Dec 6 15:55:59 UTC 2010


On Sat, 04 Dec 2010 10:57:13 +0100
Thomas Sailer <sailer at sailer.dynip.lugs.ch> wrote:

> Hi,
> 
> after upgrading a F12 freeipa server to F14, krb5 nfs no longer works.
> 
> 1) ipa-getkeytab works only very unreliably. I get the following
> about 4 out of 5 times:
> # ipa-getkeytab -s 192.168.1.2 -p nfs/client.xxxx.xxx -k /etc/krb5.keytab
> Operation failed! Unable to set key
> 
> ipa-delservice, ipa-addservice and other ipa- commands seem to work
> fine, though.
> 
> 2) I get the following log from rpc.gssd on the client:
> # rpc.gssd -f -v -v -v -v -v
> beginning poll
> dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
> dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
> dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
> handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
> handle_gssd_upcall: 'mech=krb5 uid=0 '
> handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
> process_krb5_upcall: service is '<null>'
> Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
> Full hostname for 'client.xxxx.xxx' is 'client.xxxx.xxx'
> Key table entry not found while getting keytab entry for 'root/client.xxxx.xxx at XXXX.XXX'
> Success getting keytab entry for 'nfs/client.xxxx.xxx at XXXX.XXX'
> WARNING: Generic error (see e-text) while getting initial ticket for principal 'nfs/client.xxxx.xxx at XXXX.XXX' using keytab 'WRFILE:/etc/krb5.keytab'
> ERROR: No credentials found for connection to server server.xxxx.xxx
> doing error downcall
> dir_notify_handler: sig 37 si 0x7ffffd2a1170 data 0x7ffffd2a1040
> dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
> dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
> dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
> dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
> dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1c
> 
> 
> 3) In the server's kdc log, I find the following:
> Dec 04 02:09:08 server.xxxx.xxx krb5kdc[6933](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 192.168.1.220: LOOKING_UP_CLIENT:
> nfs/client.xxxx.xxx at XXXX.XXX for krbtgt/XXXX.XXX at XXXX.XXX, unable to
> decode stored principal key data (ASN.1 structure is missing a
> required field)
> 
> Does anybody have an idea how I could get krb5 nfs working again?

We are seeing an issue with F14 DS where it has been built against
openldap libraries while we still have plugins built against mozldap.

We have a patch that should be solving some issues against ipav2; if
that checks out we will see if we can backport them to ipa 1.2.2, but it
may take a little while.

Meanwhile you may want to try to downgrade 389-ds (make sure you
back up your data first).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
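The log excerpts in this thread show a useful pattern for triage: the client-side rpc.gssd output says the keytab lookup for nfs/ succeeded but the AS-REQ failed, and the KDC log explains why (the KDC cannot decode the stored key). The script below is an added example, not code from this thread or from FreeIPA; it classifies rpc.gssd and krb5kdc lines using the message texts quoted above and reports which layer (client keytab, KDC, or unknown) the failure points to. The hostnames, realm and address in the constructed sample logs are placeholders, and the pattern accepts both the real `@` form of a principal and the ` at ` form that the list archive renders.

```python
"""Triage helper for krb5 NFS mount failures.

Classifies rpc.gssd and krb5kdc log lines by failure signature and derives a
verdict saying which side to look at. Added example; the message texts come
from the rpc.gssd / krb5kdc output quoted in the thread, the category names
and sample hosts are constructed.
"""
import re

# A principal, in either "name/host@REALM" or the archive's "name/host at REALM" form.
PRINC = r"(\S+?(?:@| at )\S+?)"

# Category name and the regex that recognises it; group 1 is the subject
# (principal or server) the message is about. Order matters only for speed.
PATTERNS = (
    ("keytab_missing_entry",
     re.compile(r"Key table entry not found while getting keytab entry for '" + PRINC + "'")),
    ("keytab_entry_ok",
     re.compile(r"Success getting keytab entry for '" + PRINC + "'")),
    ("as_req_failed",
     re.compile(r"while getting initial ticket for principal '" + PRINC + "'")),
    ("no_credentials",
     re.compile(r"ERROR: No credentials found for connection to server (\S+)")),
    ("kdc_key_decode_error",
     re.compile(r"AS_REQ .*LOOKING_UP_CLIENT: " + PRINC
                + r" for .*unable to decode stored principal key data")),
)


def classify(line):
    """Return (category, subject) for a recognised log line, else None."""
    for category, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return category, m.group(1)
    return None


def triage(lines):
    """Classify every line and derive a verdict naming the failing layer."""
    findings = [f for f in map(classify, lines) if f]
    by_cat = {}
    for cat, subject in findings:
        by_cat.setdefault(cat, []).append(subject)

    if "kdc_key_decode_error" in by_cat:
        # The KDC itself cannot read the stored key: no client-side keytab
        # change will help, the fix is on the KDC / directory server side.
        verdict = (f"kdc: stored key for {by_cat['kdc_key_decode_error'][0]} cannot be "
                   "decoded; the client keytab is not the cause")
    elif "as_req_failed" in by_cat and \
            set(by_cat["as_req_failed"]) & set(by_cat.get("keytab_entry_ok", [])):
        # Keytab has the key, yet the AS exchange failed: look at the KDC log.
        verdict = (f"kdc-or-network: keytab entry present but AS-REQ failed for "
                   f"{by_cat['as_req_failed'][0]}; check the KDC log for that principal")
    elif any(not s.startswith("root/") for s in by_cat.get("keytab_missing_entry", [])):
        # A missing root/<host> entry is just rpc.gssd probing candidate names
        # before nfs/<host>; a missing service principal is the real problem.
        verdict = "client: keytab lacks the service principal key"
    elif "no_credentials" in by_cat:
        verdict = "client: no credentials obtained, but no recognised cause logged"
    else:
        verdict = "no known failure signature found"
    return {"findings": findings, "verdict": verdict}


# Constructed sample logs mirroring the thread's output (placeholder names).
GSSD_LOG = """\
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
Key table entry not found while getting keytab entry for 'root/client.example.test@EXAMPLE.TEST'
Success getting keytab entry for 'nfs/client.example.test@EXAMPLE.TEST'
WARNING: Generic error (see e-text) while getting initial ticket for principal 'nfs/client.example.test@EXAMPLE.TEST' using keytab 'WRFILE:/etc/krb5.keytab'
ERROR: No credentials found for connection to server server.example.test
doing error downcall
"""
KDC_LOG = """\
Dec 04 02:09:08 server.example.test krb5kdc[6933](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.20: LOOKING_UP_CLIENT: nfs/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, unable to decode stored principal key data (ASN.1 structure is missing a required field)
"""

if __name__ == "__main__":
    print("client log only:", triage(GSSD_LOG.splitlines())["verdict"])
    print("client + KDC log:", triage((GSSD_LOG + KDC_LOG).splitlines())["verdict"])
```

Feed it the rpc.gssd output alone and it tells you the keytab is fine and the KDC needs looking at; add the krb5kdc line and it names the principal whose stored key the KDC cannot decode, which is the situation the reply attributes to the 389-ds build.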
