Your message dated Sat, 19 Mar 2022 17:24:42 +0100
with message-id <93ee5784bd1d011076afb131ce217f334acf2344.ca...@decadent.org.uk>
and subject line Re: nfs-kernel-server: nfs4 mount with sec=krb5 not working
cause bad uid mapping
has caused the Debian Bug report #521878,
regarding nfs-kernel-server: nfs4 mount with sec=krb5 not working cause bad uid
mapping
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
521878: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521878
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nfs-kernel-server
Version: 1:1.1.4-1
Severity: important
It's impossible to mount an NFSv4 share with Kerberos 5 security on current sid
systems.
The problem looks like it starts here (full log below):
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name
'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument
Using Google, I have found some hints that this problem comes from libnfsidmap2
(http://linux-nfs.org/pipermail/nfsv4/2008-October/009399.html). But the sid
version seems to be really old.
I hope this will help to find the bug.
Test setup:
krb5-kdc, NFS server and client on the same machine (for initial testing
purposes)
MYREALM.LOCAL and mydomain.local are equal in my test setup.
/etc/krb5.conf
######################################>%
[libdefaults]
default_realm = MYREALM.LOCAL
# dns_lookup_realm = true
# dns_lookup_kdc = false
[realms]
MYREALM.LOCAL = {
kdc = mythtv.mydomain.local
admin_server = mythtv.mydomain.local
default_domain = mydomain.local
}
[domain_realm]
.mydomain.local = MYREALM.LOCAL
%<#####################################
mythtv:~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/mythtv.19.ros.03046....@19.ros.03046.com (DES cbc mode with CRC-32)
3 root/mythtv.19.ros.03046....@19.ros.03046.com (DES cbc mode with CRC-32)
/etc/exports:
/data gss/krb5p(rw,async,no_subtree_check,nohide,crossmnt)
/ gss/krb5p(fsid=0,rw,async,no_subtree_check,nohide,crossmnt)
mythtv:~# egrep -v "^#|^$" /etc/default/nfs-*
/etc/default/nfs-common:NEED_STATD=
/etc/default/nfs-common:STATDOPTS=
/etc/default/nfs-common:NEED_IDMAPD=yes
/etc/default/nfs-common:NEED_GSSD=yes
/etc/default/nfs-common:RPCGSSDOPTS="-vvv -rrr"
/etc/default/nfs-kernel-server:RPCNFSDCOUNT=8
/etc/default/nfs-kernel-server:RPCNFSDPRIORITY=0
/etc/default/nfs-kernel-server:RPCMOUNTDOPTS=--manage-gids
/etc/default/nfs-kernel-server:NEED_SVCGSSD=yes
/etc/default/nfs-kernel-server:RPCSVCGSSDOPTS="-vvv -rrr"
mythtv:~# mount -t nfs4 -o sec=krb5 mythtv:/data /mnt/
mount.nfs4: access denied by server while mounting mythtv:/data
Log messages from daemon.log:
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: New client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Opened
/var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: handling krb5 upcall
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for
'mythtv.mydomain.local' is 'mythtv.mydomain.local'
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for
'mythtv.mydomain.local' is 'mythtv.mydomain.local'
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Success getting keytab entry for
'root/mythtv.mydomain.local@'
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using
FILE:/tmp/krb5cc_machine_MYREALM.LOCAL as credentials cache for machine creds
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using environment variable to select
krb5 ccache FILE:/tmp/krb5cc_machine_MYREALM.LOCAL
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context using fsuid 0 (save_uid
0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating tcp client for server
mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context with server
nfs@mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create_default()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: name is 0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: gd->name is 0x96937a8
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_refresh()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: struct rpc_gss_sec:
Mar 30 19:26:55 mythtv rpc.gssd[2428]: mechanism_OID: { 1 2 134 72 134 247
18 1 2 2 }
Mar 30 19:26:55 mythtv rpc.gssd[2428]: qop: 0
Mar 30 19:26:55 mythtv rpc.gssd[2428]: service: 1
Mar 30 19:26:55 mythtv rpc.gssd[2428]: cred: 0x9690fc0
Mar 30 19:26:55 mythtv rpc.gssd[2428]: req_flags: 00000002
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_marshal()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_cred: encode success (v 1,
proc 1, seq 0, svc 1, ctx (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_wrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success
(0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_args: encode success
(token 0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: leaving poll
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: handling null request
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sname =
root/mythtv.mydomain.local@MYREALM.LOCAL
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name
'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sending null reply
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: writing message: \x
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: finished handling null request
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: entering poll
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_validate()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_unwrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_res decode success (ctx
(nil):0, maj 131072, min 0, win 128, token (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create_default: freeing name
0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context
for user with uid 0 for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context
for user with uid 0 with credentials cache
FILE:/tmp/krb5cc_machine_MYREALM.LOCAL for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context
for user with uid 0 with any credentials cache for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: doing error downcall
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Failed to write error downcall!
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Stale client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: ^I-> closed
/var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt53
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt52
msc
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.28.7-nias (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages nfs-kernel-server depends on:
ii libblkid1 1.41.3-1 block device id library
ii libc6 2.9-6 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libgssglue1 0.1-2 mechanism-switch gssapi library
ii libkrb53 1.6.dfsg.4~beta1-12 Transitional library package/krb4
ii libnfsidmap2 0.21-2 An nfs idmapping library
ii librpcsecgss3 0.18-1 allows secure rpc communication us
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-22 Linux Standard Base 3.2 init scrip
ii nfs-common 1:1.1.4-1 NFS support files common to client
ii ucf 3.0018 Update Configuration File: preserv
nfs-kernel-server recommends no packages.
nfs-kernel-server suggests no packages.
-- no debconf information
--- End Message ---
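As an added example (not part of the bug report, and not nfs-utils or libnfsidmap code), here is a small Python triage script for the failure shown above. It pulls the get_ids warnings out of daemon.log lines like those in the report, splits the failing principal into primary, instance and realm, and explains, against a simplified model of an nsswitch-style mapping (an assumption of this example, not a description of libnfsidmap internals), why a service principal such as root/mythtv.mydomain.local@MYREALM.LOCAL does not resolve to a uid while a plain user principal in the local realm does. The local realm, the passwd table and the alice@OTHER.EXAMPLE log line are constructed for the example.

```python
"""Triage helper for RPCSEC_GSS name-mapping failures on an NFSv4 server.

Added example, not code from the bug report, nfs-utils or libnfsidmap.
It scans daemon.log lines like the ones in the report for rpc.svcgssd
get_ids() failures, splits the failing Kerberos principal into
primary/instance/realm, and explains what a libnfsidmap-style nsswitch
mapping would have needed. The mapping model is a simplified
re-implementation written for this example (assumption): the realm must be
one of the configured local realms, the realm is stripped, and the rest of
the name is looked up as a local account.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: two lines copied from the report above plus a
# third, invented line (alice@OTHER.EXAMPLE) to show the foreign-realm case.
SAMPLE_LOG = """\
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sname = root/mythtv.mydomain.local@MYREALM.LOCAL
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument
Mar 30 19:27:10 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 'alice@OTHER.EXAMPLE' to uid/gid: No such file or directory
"""

# Matches the warning rpc.svcgssd prints when a principal cannot be mapped.
GET_IDS_RE = re.compile(
    r"rpc\.svcgssd\[\d+\]: WARNING: get_ids: failed to map name '([^']+)' "
    r"to uid/gid: (.+)$"
)


@dataclass
class Principal:
    primary: str               # "root", "nfs", "alice"
    instance: Optional[str]    # host part of a service principal, else None
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'primary[/instance]@REALM' into its parts (last '@' wins)."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {text!r}")
    primary, _, instance = name.partition("/")
    return Principal(primary, instance or None, realm)


def explain_mapping(princ: Principal, local_realms: Set[str],
                    passwd: Dict[str, int]) -> Tuple[Optional[int], str]:
    """Model of an nsswitch-style principal->uid mapping (assumption, see above).

    Returns (uid, reason). uid is None when the principal cannot be mapped;
    an unmappable name must never silently become root, so no default uid
    is applied here.
    """
    if princ.realm not in local_realms:
        return None, (f"realm {princ.realm} is not a local realm "
                      f"{sorted(local_realms)}; nothing is looked up")
    local_name = (princ.primary if princ.instance is None
                  else f"{princ.primary}/{princ.instance}")
    if local_name in passwd:
        return passwd[local_name], f"realm stripped, {local_name!r} found in passwd"
    if princ.instance is not None:
        return None, (f"service principal {local_name!r} has no passwd entry; "
                      "a host/service credential needs an explicit mapping, "
                      "not a passwd lookup")
    return None, f"no passwd entry for {local_name!r}"


def triage(log_text: str, local_realms: Set[str],
           passwd: Dict[str, int]) -> List[dict]:
    """Return one finding per get_ids failure found in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = GET_IDS_RE.search(line)
        if not m:
            continue
        princ = parse_principal(m.group(1))
        uid, reason = explain_mapping(princ, local_realms, passwd)
        findings.append({
            "principal": m.group(1),
            "server_error": m.group(2),
            "primary": princ.primary,
            "instance": princ.instance,
            "realm": princ.realm,
            "uid": uid,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    # Local realm and passwd table are assumed values matching the report's setup.
    for f in triage(SAMPLE_LOG, {"MYREALM.LOCAL"}, {"root": 0, "nobody": 65534}):
        print(f"{f['principal']}: server said {f['server_error']!r}; "
              f"model: {f['reason']}")
```

The thing to take from the output is that the name which reached the server is the client's machine credential root/host, not a user, and such a name only becomes a local identity if something maps it explicitly. The script deliberately returns no uid for unmappable names: on the server side this is an authorization decision, and guessing a uid there is worse than failing the mount.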
--- Begin Message ---
Closing this due to lack of response.
Ben.
--
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein
--- End Message ---