Beyersdorf, Wolfgang
2010-09-13 12:55:03 UTC
Dear all,
We tried to implement NFS4 with the GSS API. The authentication goes via Kerberos 5 against a Windows Server 2003 Active Directory, which is also used as KDC (and where we generated the SPNs, which we copied to the client / server keytab file).
We need the GSS API, because our users have more than 16 groups (some users have up to 400 groups). We learned that using the GSS API, we will get rid of the 16 groups problem.
The implementation of NFS4 without GSS for the server and the client was really easy and is still up and running well.
But the implementation of the GSS API is faulty in our environment. We read a lot of stuff on the internet and tried several tutorials. But the result is always the same: "mount.nfs4: Permission denied".
In detail:
After the mount command (with -vvv) we got the message: mount: pinging: prog 100003 vers 4 prot tcp port 2049
And after 25 sec we got the message: mount.nfs4: Permission denied
Also we found the drawing: http://www.citi.umich.edu/projects/nfsv4/gssd/, which was really helpful.
So, with full logging on rpc and nfs (echo 32767 > /proc/sys/sunrpc/rpc_debug, echo 65535 > /proc/sys/sunrpc/nfs_debug, imapd verbose level on 10, gssd and svcgssd with -vvv) and tcpdump, we followed the drawing.
We could see lines 3 and 6 in the tcpdump (but are wondering a little bit why this happens twice):
As output of the gssd we got on the client:
Sep 7 13:10:11 wha3450s1 kernel: <-- nfs4_set_client() = 0 [new ffff81012e280800]
Sep 7 13:10:11 wha3450s1 kernel: --> nfs4_init_server()
Sep 7 13:10:11 wha3450s1 kernel: <-- nfs4_init_server() = 0
Sep 7 13:10:11 wha3450s1 kernel: --> nfs4_path_walk(,,/)
Sep 7 13:10:11 wha3450s1 kernel: RPC: 0 new task procpid 20373
Sep 7 13:10:11 wha3450s1 kernel: RPC: 0 allocated task
Sep 7 13:10:11 wha3450s1 kernel: RPC: 0 looking up RPCSEC_GSS cred
Sep 7 13:10:11 wha3450s1 kernel: RPC: gss_create_cred for uid 0, flavor 390003
Sep 7 13:10:11 wha3450s1 kernel: RPC: gss_upcall for uid 0
Sep 7 13:10:11 wha3450s1 kernel: RPC: gss_find_upcall found nothing <<<<<<<<<<---------- That really looks faulty
Sep 7 13:10:11 wha3450s1 kernel: RPC: 1307 freeing task
Sep 7 13:10:36 wha3450s1 rpc.gssd[8033]: WARNING: Failed to create krb5 context for user with uid 0 for server sha2056.hamburg.rwedea.de
Sep 7 13:10:36 wha3450s1 rpc.gssd[8033]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache MEMORY:/tmp/krb5cc_machine_HAMBURG.RWEDEA.DE for server sha2056.hamburg.rwedea.de
Sep 7 13:10:36 wha3450s1 rpc.gssd[8033]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server sha2056.hamburg.rwedea.de
Sep 7 13:10:36 wha3450s1 rpc.gssd[8033]: doing error downcall
On the server with svcgssd, we got nothing in the log (/var/log/messages), even though the logging is also set to maximum.
Also we did a trace with netmon, which is attached. There is a 5th transmission, which we haven't seen with tcpdump.
Do you have an idea what we could do to make this run? Google shows us the source code of the gssapi when we search for this error ;-)
Do you know if NFS4 with GSS API is a good choice for a company with 500 users?
Thanks for your time.
Best regards
Wolfgang Beyersdorf
RWE Dea AG
IT Infrastructure Department
Überseering 40, 22297 Hamburg, Germany
T +49 40 6375-3258
M +40 160 5497897
E Wolfgang.Beyersdorf.FA.Kontraktor at rwedea.com
I www.rwedea.com
RWE Dea AG
Chairman of the Supervisory Board: Dr. Ulrich Jobs
Executive Board: Thomas Rappuhn (Chairman), Lutz-Michael Liebau, Ralf to Baben
Registered office: Hamburg
Registered at the Hamburg District Court (AG Hamburg), Commercial Register No.: HRB 6882
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tcpdump.doc
Type: application/msword
Size: 74752 bytes
Desc: tcpdump.doc
Url : http://linux-nfs.org/pipermail/nfsv4/attachments/20100913/23acc222/attachment.doc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nfs4.JPG
Type: image/jpeg
Size: 479590 bytes
Desc: nfs4.JPG
Url : http://linux-nfs.org/pipermail/nfsv4/attachments/20100913/23acc222/attachment.jpe
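Added example (not part of the original message and not code from nfs-utils): a Python triage script that pairs the kernel's gss_upcall line with rpc.gssd's error downcall for the same uid and reports the wait, the pseudoflavor, the credentials cache and the server. The sample lines are excerpted from the log in the message above; the function names and the year 2010 (syslog timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime

# Excerpt of the log lines posted above (author's inline annotation removed).
SAMPLE = """\
Sep 7 13:10:11 wha3450s1 kernel: RPC: gss_create_cred for uid 0, flavor 390003
Sep 7 13:10:11 wha3450s1 kernel: RPC: gss_upcall for uid 0
Sep 7 13:10:11 wha3450s1 kernel: RPC: gss_find_upcall found nothing
Sep 7 13:10:36 wha3450s1 rpc.gssd[8033]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache MEMORY:/tmp/krb5cc_machine_HAMBURG.RWEDEA.DE for server sha2056.hamburg.rwedea.de
Sep 7 13:10:36 wha3450s1 rpc.gssd[8033]: doing error downcall
"""

# RPCSEC_GSS Kerberos pseudoflavor numbers (RFC 2623).
GSS_FLAVORS = {390003: "krb5", 390004: "krb5i", 390005: "krb5p"}

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([^:\[]+)(?:\[\d+\])?: (.*)$")
FLAVOR = re.compile(r"gss_create_cred for uid \d+, flavor (\d+)")
UPCALL = re.compile(r"gss_upcall for uid (\d+)")
FAILED = re.compile(r"Failed to create krb5 context for user with uid (\d+)"
                    r"(?: with credentials cache (\S+))? for server (\S+)")

def parse(text, year=2010):
    """Yield (timestamp, program, message); syslog omits the year, so it is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def triage(text):
    """Return one record per failed GSS context setup, with the upcall-to-error wait."""
    upcalls, fail, flavor, report = {}, None, None, []
    for ts, prog, msg in parse(text):
        if prog == "kernel":
            if m := FLAVOR.search(msg):
                flavor = GSS_FLAVORS.get(int(m.group(1)), "unknown")
            if m := UPCALL.search(msg):
                upcalls.setdefault(int(m.group(1)), ts)   # first upcall for this uid
        elif prog == "rpc.gssd":
            if m := FAILED.search(msg):
                fail = {"uid": int(m.group(1)), "ccache": m.group(2), "server": m.group(3)}
            elif "doing error downcall" in msg and fail:
                start = upcalls.pop(fail["uid"], None)
                wait = (ts - start).total_seconds() if start else None
                report.append({**fail, "flavor": flavor, "wait_s": wait})
                fail = None
    return report

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```

On the excerpt this yields a single record for uid 0 with a 25-second wait, the same interval the message reports between the mount ping and "Permission denied".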