Discussion:
mount.nfs4: Broken pipe, sec=krb5
George Mamalakis
2010-03-01 15:58:51 UTC
Hi everybody,

I am running arch-linux and I am trying to mount an nfs4 exported
filesystem (from an opensolaris box) using sec=krb5. nfs-utils and
nfsidmap are installed in my clients as well as rpcbind. I subscribed to
arch-linux forums and asked this question, but it's been five days since
then, and nobody has answered/asked anything by now; so I figured out
that it might be wise to ask this list too. Here is how it goes:

# uname -a
Linux linuxclient.example.com 2.6.30-ARCH #1 SMP PREEMPT Fri Jul 31 18:10:38 UTC 2009 i686 Intel(R) Xeon(R) CPU E5310 @ 1.60GHz GenuineIntel GNU/Linux

I followed the article of nfs4 arch-wiki to prepare my clients, but
whenever I try to mount the exported filesystem I get the following error:

# mount -tnfs4 -orw,sec=krb5 solaris.example.com:/export/homes /mnt
mount.nfs4: Broken pipe

and rpc.gssd dies.

In /var/log/daemon.log I got:

Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: New client: 12
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: handle_gssd_upcall: 'mech=krb5 uid=0 '
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: process_krb5_upcall: service is '<null>'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Full hostname for 'solaris.example.com' is 'solaris.example.com'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Full hostname for 'linuxclient.example.com' is 'linuxclient.example.com'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Failed to find root/linuxclient.example.com@EXAMPLE.COM in keytab FILE:/etc/krb5.keytab (null) while getting keytab entry for 'root/linuxclient.example.com@EXAMPLE.COM'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Success getting keytab entry for 'nfs/linuxclient.example.com@EXAMPLE.COM'
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: New client: 13
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: Opened /var/lib/nfs/rpc_pipefs/nfs/clnt12/idmap
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Successfully obtained machine credentials for principal 'nfs/linuxclient.example.com@EXAMPLE.COM' stored in ccache 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1267241606
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: using FILE:/tmp/krb5cc_machine_EXAMPLE.COM as credentials cache for machine creds
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: using gss_krb5_ccache_name to select krb5 ccache FILE:/tmp/krb5cc_machine_EXAMPLE.COM
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: creating context using fsuid 0 (save_uid 0)
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: creating tcp client for server solaris.example.com
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: DEBUG: port already set to 2049
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: creating context with server nfs@solaris.example.com
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: Stale client: 13
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: -> closed /var/lib/nfs/rpc_pipefs/nfs/clnt13/idmap
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: Stale client: 12
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: -> closed /var/lib/nfs/rpc_pipefs/nfs/clnt12/idmap

In order to restart nfs-common I had to pkill rpc.idmapd first, and then
execute /etc/rc.d/nfs-common start, otherwise it refused to start/restart.

More info about my configuration:

- On my linux box:

# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                Aliases
  1  des-cbc-md5              nfs/linuxclient.example.com@EXAMPLE.COM
  1  des-cbc-md4              nfs/linuxclient.example.com@EXAMPLE.COM
  1  des-cbc-crc              nfs/linuxclient.example.com@EXAMPLE.COM
  1  aes256-cts-hmac-sha1-96  nfs/linuxclient.example.com@EXAMPLE.COM
  1  des3-cbc-sha1            nfs/linuxclient.example.com@EXAMPLE.COM
  1  arcfour-hmac-md5         nfs/linuxclient.example.com@EXAMPLE.COM

# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: mamalos@EXAMPLE.COM

  Issued           Expires          Principal
Feb 26 19:19:00  Feb 27 05:19:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM

# cat /etc/idmapd.conf:

[General]

Verbosity = 3
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

Method = nsswitch


- On my opensolaris box:

# share -F nfs /export/homes -osec=krb5

# cat /etc/dfs/sharetab
/export/homes - nfs sec=krb5,rw


# ktutil
ktutil: rkt /etc/krb5/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 nfs/solaris.example.com@EXAMPLE.COM
   2    1 nfs/solaris.example.com@EXAMPLE.COM
   3    1 nfs/solaris.example.com@EXAMPLE.COM
   4    1 nfs/solaris.example.com@EXAMPLE.COM
   5    1 nfs/solaris.example.com@EXAMPLE.COM
   6    1 nfs/solaris.example.com@EXAMPLE.COM


Does anybody know what I should do in order to mount this filesystem
using the aforementioned options?

Thank you all in advance.
--
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
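
Added example, not part of the original thread: a small triage script that walks rpc.gssd debug output like the log in the post above and reports how far each daemon process got before it stopped logging. The sample lines are adapted from that log; the three outcome markers ("Failed to create krb5 context", "doing error downcall", "doing downcall") are assumed message texts and do not appear in the post.

```python
import re

# Sample lines adapted from the log quoted in the post (wrapped lines joined).
# One line keeps the mail archive's " at " spelling to exercise normalisation.
SAMPLE_LOG = """\
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: New client: 12
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Failed to find root/linuxclient.example.com@EXAMPLE.COM in keytab FILE:/etc/krb5.keytab (null) while getting keytab entry for 'root/linuxclient.example.com@EXAMPLE.COM'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Success getting keytab entry for 'nfs/linuxclient.example.com@EXAMPLE.COM'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: Successfully obtained machine credentials for principal 'nfs/linuxclient.example.com@EXAMPLE.COM' stored in ccache 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM'
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: creating context using fsuid 0 (save_uid 0)
Feb 26 19:33:26 linuxclient rpc.gssd[2241]: creating context with server nfs at solaris.example.com
Feb 26 19:33:26 linuxclient rpc.idmapd[2233]: Stale client: 12
"""

AT = r"(?:@| at )"  # mail archives often rewrite "@" as " at "
LINE = re.compile(
    r"^\w{3} +\d+ [\d:]{8} \S+ (?P<prog>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Ordered stage patterns; the first one that matches a message wins.
STAGES = [
    ("upcall", re.compile(r"handling gssd upcall \((?P<v>[^)]+)\)")),
    ("keytab_miss", re.compile(rf"Failed to find (?P<v>\S+{AT}\S+) in keytab")),
    ("keytab_hit", re.compile(r"Success getting keytab entry for '(?P<v>[^']+)'")),
    ("machine_creds", re.compile(
        r"Successfully obtained machine credentials for principal '(?P<v>[^']+)'")),
    ("context_attempt", re.compile(rf"creating context with server (?P<v>\S+{AT}\S+)")),
    # Outcome markers: ASSUMED message texts, not taken from the post.
    ("context_failed", re.compile(r"Failed to create krb5 context(?P<v>)")),
    ("error_downcall", re.compile(r"doing error downcall(?P<v>)")),
    ("downcall", re.compile(r"doing downcall(?P<v>)")),
]
OUTCOMES = {"context_failed", "error_downcall", "downcall"}


def verdict(summary):
    """Turn the last stage a process reached into a one-line finding."""
    stage = summary["last_stage"]
    if stage in OUTCOMES:
        return f"context negotiation finished ({stage})"
    if stage == "context_attempt":
        return (f"no outcome logged after contacting {summary['server']}: "
                "daemon stopped mid-negotiation")
    return f"stopped before any context attempt (last stage: {stage})"


def triage(log_text, prog="rpc.gssd"):
    """Return {pid: summary} for every `prog` process seen in log_text."""
    result = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["prog"] != prog:
            continue  # other daemons (rpc.idmapd) and wrapped fragments
        s = result.setdefault(m["pid"], {"keytab_misses": [], "principal": None,
                                         "server": None, "last_stage": None})
        for name, rx in STAGES:
            hit = rx.search(m["msg"])
            if not hit:
                continue
            value = hit["v"].replace(" at ", "@")
            if name == "keytab_miss":
                s["keytab_misses"].append(value)
            elif name in ("keytab_hit", "machine_creds"):
                s["principal"] = value
            elif name == "context_attempt":
                s["server"] = value
            s["last_stage"] = name
            break
    for s in result.values():
        s["verdict"] = verdict(s)
    return result


if __name__ == "__main__":
    for pid, s in triage(SAMPLE_LOG).items():
        print(f"rpc.gssd[{pid}] principal={s['principal']} "
              f"skipped={s['keytab_misses']}")
        print(f"  {s['verdict']}")
```

Wrapped log lines must be joined before they are fed in, since the parser expects one syslog record per line.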
Kevin Coffman
2010-03-01 16:38:17 UTC
Hello George,
Could you give more information about the version of nfs-utils
(rpc.gssd) that is in use? (It looks fairly recent.)

Also, what version of Kerberos is in use on your client machine?

You should have only des-cbc-crc keys for
nfs/linuxclient.example.com@EXAMPLE.COM. See,
http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html.
However there should be code on the client to limit what is negotiated
to only des-cbc-crc. (Can you give a reference to the "nfs4
arch-wiki" you mention?)

Is there any log information or traceback when rpc.gssd dies? You
_might_ get a better hint of what is going wrong by specifying "-vvv
-rrr" while running rpc.gssd.

Thanks,
K.C.
George Mamalakis
2010-03-04 14:55:31 UTC
Guys?

any answer or hint on the issue?

Thanx again.
--
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
J. Bruce Fields
2010-03-04 15:42:11 UTC
Post by George Mamalakis
Post by George Mamalakis
Hi everybody,
I am running arch-linux and I am trying to mount an nfs4 exported
filesystem (from an opensolaris box) using sec=krb5. nfs-utils and
nfsidmap are installed in my clients as well as rpcbind. I subscribed
to arch-linux forums and asked this question, but it's been five days
since then, and nobody has answered/asked anything by now; so I
figured out that it might be wise to ask this list too. Here is how it
# uname -a
Linux linuxclient.example.com 2.6.30-ARCH #1 SMP PREEMPT Fri Jul 31
GenuineIntel GNU/Linux
I followed the article of nfs4 arch-wiki to prepare my clients, but
# mount -tnfs4 -orw,sec=krb5 solaris.example.com:/export/homes /mnt
mount.nfs4: Broken pipe
and rpc.gssd dies.
Almost certainly a bug in rpc.gssd, then. Which version of nfs-utils?
Have you tried to see if you can reproduce it with the most recent
nfs-utils?

--b.
George Mamalakis
2010-03-05 12:49:58 UTC
Post by J. Bruce Fields
Post by George Mamalakis
Hi everybody,
I am running arch-linux and I am trying to mount an nfs4 exported
filesystem (from an opensolaris box) using sec=krb5. nfs-utils and
nfsidmap are installed in my clients as well as rpcbind. I subscribed
to arch-linux forums and asked this question, but it's been five days
since then, and nobody has answered/asked anything by now; so I
figured out that it might be wise to ask this list too. Here is how it
# uname -a
Linux linuxclient.example.com 2.6.30-ARCH #1 SMP PREEMPT Fri Jul 31
GenuineIntel GNU/Linux
I followed the article of nfs4 arch-wiki to prepare my clients, but
# mount -tnfs4 -orw,sec=krb5 solaris.example.com:/export/homes /mnt
mount.nfs4: Broken pipe
and rpc.gssd dies.
Almost certainly a bug in rpc.gssd, then. Which version of nfs-utils?
Have you tried to see if you can reproduce it with the most recent
nfs-utils?
--b.
My arch linux distro has the following packages installed:

nfs-utils 1.2.2-1
heimdal 1.3.1-3
rpcbind 0.2.0-1

I tried to install nfs-utils from source, but make gave me the following
error:

krb5_util.c:953: error: 'struct Principal' has no member named 'length'
krb5_util.c:955: error: incompatible type for argument 1 of 'data_is_equal'
krb5_util.c:932: note: expected 'krb5_data' but argument is of type 'Realm'
krb5_util.c:955: error: incompatible type for argument 2 of 'data_is_equal'
krb5_util.c:932: note: expected 'krb5_data' but argument is of type 'Realm'
krb5_util.c:956: error: 'struct Principal' has no member named 'data'
krb5_util.c:957: error: 'struct Principal' has no member named 'data'
krb5_util.c:959: error: 'struct Principal' has no member named 'data'
krb5_util.c:960: error: incompatible type for argument 2 of 'data_is_equal'
krb5_util.c:932: note: expected 'krb5_data' but argument is of type 'Realm'
krb5_util.c: In function 'query_krb5_ccache':
krb5_util.c:1012: error: 'KRB5_TC_OPENCLOSE' undeclared (first use in this function)
krb5_util.c:1012: error: (Each undeclared identifier is reported only once
krb5_util.c:1012: error: for each function it appears in.)
krb5_util.c: In function 'gssd_k5_err_msg':
krb5_util.c:1286: warning: 'krb5_get_err_text' is deprecated (declared at /usr/include/krb5-protos.h:2084)
krb5_util.c:1288: warning: passing argument 1 of 'strdup' makes pointer from integer without a cast
/usr/include/string.h:173: note: expected 'const char *' but argument is of type 'int'
make[2]: *** [gssd-krb5_util.o] Error 1
make[2]: Leaving directory `/home/mamalos/nfs-utils-1.2.2/utils/gssd'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/mamalos/nfs-utils-1.2.2/utils'
make: *** [all-recursive] Error 1

and the truth is that struct Principal does not contain any "length"
variable/function whatsoever, since in /usr/include/krb5_asn1.h the
struct is built as follows:

typedef struct Principal {
    PrincipalName name;
    Realm realm;
} Principal;


I don't know whether nfs-utils implies that mit-kerberos be installed
(cos when I googled-searchcode for the struct, I found that this must be
contained in mit's distro), and Arch-linux is shipped with heimdal.

Thank you for your answer,

mamalos
--
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
Kevin Coffman
2010-03-05 14:24:50 UTC
At one point in time nfs-utils (gssd) worked with either Kerberos
distribution. Since then, Heimdal support has fallen into disrepair.
nfs-utils will not currently work with Heimdal.

K.C.
