[Freeipa-users] Secure nfs4 and Fedora 14

Simo Sorce ssorce at redhat.com
Thu Nov 11 13:48:36 UTC 2010


On Thu, 11 Nov 2010 13:44:55 +0100
Thomas Sailer <sailer at sailer.dynip.lugs.ch> wrote:

> Since I upgraded about two days ago from a fully up-to-date and
> working Fedora13 system to Fedora14, I am unable to mount the krb5p
> nfs4 shares of the freeipa server (which is itself running a fully
> up-to-date Fedora12).
> 
> rpc.gssd on the client reports the following:
> 
> beginning poll
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e7f930 data 0x7fff99e7f800
> dir_notify_handler: sig 37 si 0x7fff99e82ef0 data 0x7fff99e82dc0
> handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
> handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
> process_krb5_upcall: service is '<null>'
> Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
> Full hostname for 'clnt.xxxx.xxx' is 'clnt.xxxx.xxx'
> Key table entry not found while getting keytab entry for 'root/clnt.xxxx.xxx@XXXX.XXX'
> Success getting keytab entry for 'nfs/clnt.xxxx.xxx@XXXX.XXX'
> Successfully obtained machine credentials for principal 'nfs/clnt.xxxx.xxx@XXXX.XXX' stored in ccache 'FILE:/tmp/krb5cc_machine_XXXX.XXX'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 1289651734
> using FILE:/tmp/krb5cc_machine_XXXX.XXX as credentials cache for machine creds
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XXXX.XXX
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server server.xxxx.xxx
> DEBUG: port already set to 2049
> creating context with server nfs@server.xxxx.xxx
> WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxx.xxx
> WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XXXX.XXX for server server.xxxx.xxx
> WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server.xxxx.xxx
> Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
> Full hostname for 'clnt.xxxx.xxx' is 'clnt.xxxx.xxx'
> Key table entry not found while getting keytab entry for 'root/clnt.xxxx.xxx@XXXX.XXX'
> Success getting keytab entry for 'nfs/clnt.xxxx.xxx@XXXX.XXX'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 1289651734
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 1289651734
> using FILE:/tmp/krb5cc_machine_XXXX.XXX as credentials cache for machine creds
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XXXX.XXX
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server server.xxxx.xxx
> DEBUG: port already set to 2049
> creating context with server nfs@server.xxxx.xxx
> WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxx.xxx
> WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XXXX.XXX for server server.xxxx.xxx
> WARNING: Failed to create machine krb5 context with any credentials cache for server server.xxxx.xxx
> doing error downcall
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e82f30 data 0x7fff99e82e00
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt39
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt38
> 
> I need to downgrade the kernel and krb5* to the Fedora13 version to
> get nfs4 working again.
> 
> Does anybody have an idea why it no longer works?
> 
> What is the current party line with respect to nfs4 encryption types?
> The admin guide on the freeipa web page still requires des-cbc-crc.
> But MIT Kerberos seems to become increasingly hostile against des.
> And yes, I do have allow_weak_crypto = true in krb5.conf/libdefaults

Starting with F14 you can use any crypto for NFS. However, DES should
still just work if you have a DES key.
This looks like a kernel/rpc.gssd bug; I would file a ticket against
those components.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
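The upcall line in the quoted log (`enctypes=18,17,16,23,3,1,2`) lists the encryption types the kernel is willing to negotiate, and the keytab lookup lines show which principals rpc.gssd found keys for. A quick way to narrow down a failure like this is to cross-check those two things against each other and against the `allow_weak_crypto` setting. The following script is an added diagnostic example, not code from the thread or from the nfs-utils or FreeIPA projects; it parses a constructed copy of the gssd upcall line and a constructed `klist -ket` listing (placeholder hosts and realm) and reports which nfs/ keys the kernel could actually use. The enctype number-to-name mapping is the standard Kerberos registry.

```python
"""Cross-check the enctypes offered in a kernel NFS gssd upcall against the
keys present in the client keytab. Added diagnostic example; the sample
upcall line and klist output below are constructed, not captured."""
import re

# Standard Kerberos enctype numbers (RFC 3961/3962, MIT registry).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Single DES: MIT krb5 refuses these unless allow_weak_crypto = true.
WEAK_ENCTYPES = {1, 2, 3}

# Constructed sample modelled on the rpc.gssd -vvv upcall line in the thread.
SAMPLE_UPCALL = "handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '"

# Constructed sample of `klist -ket /etc/krb5.keytab` (placeholder names).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 11/09/10 10:01:12 host/clnt.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 11/09/10 10:01:12 host/clnt.example.test@EXAMPLE.TEST (arcfour-hmac)
   1 11/09/10 10:02:40 nfs/clnt.example.test@EXAMPLE.TEST (des-cbc-crc)
"""


def parse_upcall_enctypes(line):
    """Return the enctype numbers the kernel offered, in the order listed."""
    m = re.search(r"enctypes=([\d,]+)", line)
    if not m:
        return []
    return [int(x) for x in m.group(1).split(",") if x]


def parse_keytab_listing(text):
    """Map principal -> set of enctype names from `klist -ket` output."""
    keys = {}
    for line in text.splitlines():
        # KVNO, date, time, principal, then the enctype in parentheses.
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s+\((\S+)\)", line)
        if m:
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys


def check_nfs_keys(upcall_line, klist_text, allow_weak_crypto):
    """Return (usable enctype names, warnings) for the nfs/ keys in the keytab.

    A key is usable only if the kernel offered its enctype and, for single
    DES, allow_weak_crypto is enabled in krb5.conf [libdefaults]."""
    offered = parse_upcall_enctypes(upcall_line)
    offered_names = {ENCTYPE_NAMES.get(n, f"enctype-{n}") for n in offered}
    keytab = parse_keytab_listing(klist_text)
    nfs_keys = {p: e for p, e in keytab.items() if p.startswith("nfs/")}
    usable, warnings = set(), []
    if not nfs_keys:
        warnings.append("no nfs/ principal in keytab")
        return usable, warnings
    for principal, enctypes in nfs_keys.items():
        common = enctypes & offered_names
        if not common:
            warnings.append(f"{principal}: no key matches the enctypes the kernel offers")
            continue
        for name in sorted(common):
            num = next(k for k, v in ENCTYPE_NAMES.items() if v == name)
            if num in WEAK_ENCTYPES and not allow_weak_crypto:
                warnings.append(f"{principal}: weak key {name} needs allow_weak_crypto = true")
            else:
                usable.add(name)
    return usable, warnings


if __name__ == "__main__":
    for weak in (False, True):
        usable, warnings = check_nfs_keys(SAMPLE_UPCALL, SAMPLE_KLIST, weak)
        print(f"allow_weak_crypto={weak}: usable={sorted(usable)} warnings={warnings}")
```

Run against a real host, the inputs would be the `handle_gssd_upcall` line from `rpc.gssd -vvv` and the output of `klist -ket /etc/krb5.keytab`; if the only usable key is single DES, the client depends entirely on `allow_weak_crypto`, and if nothing is usable the kernel and keytab disagree on enctypes, which is the first thing to rule out before filing the bug report suggested above.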
