[Bug 1280316] [NEW] nfs4+krb mount on client - if 'hostname' returns fqdn mount doesn't work
Longina Przybyszewska
longina at sdu.dk
Fri Feb 14 14:45:26 UTC 2014
Public bug reported:
I have a problem with mounting an NFS4 file system with Kerberos security (I can mount without Kerberos security).
Both test machines run Ubuntu-saucy
I have the nfs4 server, which was joined to AD with 'msktutil':
Server's /etc/krb5.keytab
klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 SERVER$@DOMAIN.ORG (arcfour-hmac)
3 SERVER$@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
3 SERVER$@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
3 host/server.domain.org@DOMAIN.ORG (arcfour-hmac)
3 host/server.domain.org@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
3 host/server.domain.org@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
3 nfs/server.domain.org@DOMAIN.ORG (arcfour-hmac)
3 nfs/server.domain.org@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
3 nfs/server.domain.org@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
Then I joined the client machine to AD with the 'realm' command:
alongina@client:~$ sudo realm join --verbose -U USER --computer-ou OU="Linux computers",OU=ADResources domain.org
[sudo] password for alongina:
* Resolving: _ldap._tcp.domain.org
* Performing LDAP DSE lookup on: 10.144.5.17
* Performing LDAP DSE lookup on: 10.144.5.18
* Successfully discovered: domain.org
Password for USER:
* Unconditionally checking packages
* Resolving required packages
* Installing necessary packages: samba-common-bin
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.JAW8AX -U USER ads join domain.org createcomputer=ADResources/Linux computers
Enter USER's password:
DNS update failed!
Using short domain name -- AAA-BBB
Joined 'CLIENT' to dns domain 'domain.org'
No DNS domain configured for client. Unable to perform DNS Update.
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.JAW8AX -U USER ads keytab create
Enter USER's password:
* /usr/sbin/update-rc.d sssd enable
update-rc.d: /etc/init.d/sssd: file does not exist
* /usr/sbin/service sssd restart
sssd stop/waiting
sssd start/running, process 3597
* Successfully enrolled machine in realm
==============0000000=========
klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/client.domain.org@DOMAIN.ORG (des-cbc-crc)
4 host/client.domain.org@DOMAIN.ORG (des-cbc-md5)
4 host/client.domain.org@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
4 host/client.domain.org@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
4 host/client.domain.org@DOMAIN.ORG (arcfour-hmac)
4 host/CLIENT@DOMAIN.ORG (des-cbc-crc)
4 host/CLIENT@DOMAIN.ORG (des-cbc-md5)
4 host/CLIENT@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
4 host/CLIENT@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
4 host/CLIENT@DOMAIN.ORG (arcfour-hmac)
4 CLIENT$@DOMAIN.ORG (des-cbc-crc)
4 CLIENT$@DOMAIN.ORG (des-cbc-md5)
4 CLIENT$@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
4 CLIENT$@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
4 CLIENT$@DOMAIN.ORG (arcfour-hmac)
=================================================================
root@client:/export/alongina# mount -t nfs4 server.domain.org:/nfs4/server /mnt/server -o sec=krb5
mount.nfs4: access denied by server while mounting server.domain.org:/nfs4/server
client:
/var/log/syslog
Feb 11 16:00:39 client rpc.gssd[708]: handling gssd upcall (/run/rpc_pipefs/nfs/clntb)
Feb 11 16:00:39 client rpc.gssd[708]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Feb 11 16:00:39 client rpc.gssd[708]: handling krb5 upcall (/run/rpc_pipefs/nfs/clntb)
Feb 11 16:00:39 client rpc.gssd[708]: process_krb5_upcall: service is '<null>'
Feb 11 16:00:39 client rpc.gssd[708]: Full hostname for 'server.domain.org' is 'server.domain.org'
Feb 11 16:00:39 client rpc.gssd[708]: Full hostname for 'client.domain.org' is 'client.domain.org'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for CLIENT.DOMAIN.ORG$@DOMAIN.ORG while getting keytab entry for 'CLIENT.DOMAIN.ORG$@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for root/client.domain.org@DOMAIN.ORG while getting keytab entry for 'root/client.domain.org@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for nfs/client.domain.org@DOMAIN.ORG while getting keytab entry for 'nfs/client.domain.org@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: Success getting keytab entry for 'host/client.domain.org@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: WARNING: Client not found in Kerberos database while getting initial ticket for principal 'host/client.domain.org@DOMAIN.ORG' using keytab 'FILE:/etc/krb5.keytab'
Feb 11 16:00:39 client rpc.gssd[708]: ERROR: No credentials found for connection to server server.domain.org
Feb 11 16:00:39 client rpc.gssd[708]: doing error downcall
Is it a mismatch with encryption types?
Problem with DNS?
The client machine is missing a reverse address in DNS...
host client.domain.org
client.domain.org has address 10.80.8.54
** Affects: nfs-utils (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nfs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1280316
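A small diagnostic, added here and not part of the bug report or of nfs-utils, that replays the principal search the rpc.gssd syslog lines above show (a machine-account name built from `hostname`, then root/, nfs/ and host/ for the FQDN) against a keytab listing, so the effect of `hostname` returning a FQDN versus a short name is visible. The candidate order and the "upper-case the hostname and append '$'" derivation are assumptions read off the log, not taken from gssd's source, and the `klist -ke` sample is constructed from the report's client keytab.

```python
import re

# Constructed sample of `klist -ke` output, reduced from the client keytab in
# the report (one enctype per principal is enough for a name lookup).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   4 host/client.domain.org@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 host/CLIENT@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 CLIENT$@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
"""

def parse_klist(text):
    """Collect the principal names from `klist -ke` output."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+\(", line)
        if m:
            principals.add(m.group(1))
    return principals

def gssd_candidates(hostname, fqdn, realm):
    """Principals in the order the syslog excerpt shows rpc.gssd trying them.
    Assumption (from the log, not from gssd's source): the machine-account
    candidate is the raw `hostname` output upper-cased with '$' appended."""
    return [
        f"{hostname.upper()}$@{realm}",
        f"root/{fqdn}@{realm}",
        f"nfs/{fqdn}@{realm}",
        f"host/{fqdn}@{realm}",
    ]

def first_keytab_match(hostname, fqdn, realm, principals):
    """Return the first candidate that has a keytab entry, or None."""
    for cand in gssd_candidates(hostname, fqdn, realm):
        if cand in principals:
            return cand
    return None

def diagnose(hostname, fqdn, realm, klist_text):
    """Say which principal gssd would pick for this `hostname` output."""
    principals = parse_klist(klist_text)
    chosen = first_keytab_match(hostname, fqdn, realm, principals)
    machine = gssd_candidates(hostname, fqdn, realm)[0]
    if chosen == machine:
        return f"ok: machine account {machine} found in keytab"
    return (f"warning: {machine} not in keytab; falling back to {chosen} "
            f"(the KDC rejected this in the report); check `hostname` output")

if __name__ == "__main__":
    for hn in ("client.domain.org", "client"):
        print(hn, "->", diagnose(hn, "client.domain.org", "DOMAIN.ORG", SAMPLE_KLIST))
```

Running it prints a warning for the FQDN hostname (only the host/ entry matches, which the KDC then rejected in the report) and "ok" for the short name, where CLIENT$@DOMAIN.ORG is matched first.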