nfs/kerberos problems

2009-08-18 Thread Chantal Rosmuller


Hi list, 



I cannot get nfs with kerberos working on my Ubuntu 8.04 servers, here's what 
I did:

first I installed nfs server on ubuntuhardy1 and client on ubuntuhardy2, nfs 
mounting from ubuntuhardy2 to ubuntuhardy1 without kerberos works

changed the following on /etc/default/nfs-kernel-server:

NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=-vvv

then I installed ntp on both servers

On the nfs/kerberos server ubuntuhardy1

 aptitude install krb5-admin-server krb5-kdc

edit /etc/hosts

 127.0.0.1 ubuntuhardy1.localhost.network ubuntuhardy1 localhost
 192.168.0.109 ubuntuhardy1.localhost.network
 192.168.0.110 ubuntuhardy2.localhost.network

change hostname
 
 hostname ubuntuhardy1.localhost.network

edit /etc/krb5.conf 

[libdefaults]
default_realm = LOCALHOST.NETWORK
[realms]
LOCALHOST.NETWORK = {
kdc = ubuntuhardy1.localhost.network
admin_server = ubuntuhardy1.localhost.network
default_domain = localhost.network
}
 [domain_realm]
localhost.network = LOCALHOST.NETWORK
.localhost.network = LOCALHOST.NETWORK
 [logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

change /etc/krb5kdc/kdc.conf:

[kdcdefaults]
kdc_ports = 750,88
[realms]
LOCALHOST.NETWORK = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal 
des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}

create realm:

kdb5_util create -s

 loading random data
 Initializing database '/var/lib/krb5kdc/principal' for realm 
'LOCALHOST.NETWORK',
 master key name 'K/m...@localhost.network'
 You will be prompted for the database Master Password.
 It is important that you NOT FORGET this password.
 Enter KDC database master key:

restarted kerberos

 /etc/init.d/krb5-admin-server restart
 /etc/init.d/krb5-kdc restart
 (Now you can access it with the following command:)

started kadmin

 kadmin.local

added user:

 addprinc admin/admin

added Host key for the server:

 addprinc -randkey host/ubuntuhardy1.localhost.netw...@localhost.network

add principal to local key table

 ktadd host/ubuntuhardy1.localhost.netw...@localhost.network 
 output:
 
 Entry for principal host/ubuntuhardy1.localhost.netw...@localhost.network 
with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to 
keytab WRFILE:/etc/krb5.keytab. Entry for principal 
host/ubuntuhardy1.localhost.netw...@localhost.network with kvno 3, encryption 
type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

edit /etc/exports

 /var/www gss/krb5i(rw,sync)
 
restarted nfs server

on the client ubuntuhardy2:


edit /etc/hosts

 127.0.0.1 ubuntuhardy2.localhost.network ubuntuhardy2 localhost
 192.168.0.110 ubuntuhardy2.localhost.network
 192.168.0.109 ubuntuhardy1.localhost.network


install software

 aptitude install krb5-user krb5-clients libpam-krb5

copied /etc/krb5.conf from server

tested kerberos access:

 kinit admin/admin

and got this output:

 Password for admin/ad...@localhost.network:

logged in again on the SERVER

kadmin

added principal for client ubuntuhardy2

 addprinc -randkey host/ubuntuhardy2.localhost.network
 addprinc -randkey nfs/ubuntuhardy2.localhost.network
client

logged in on the client:

 kinit admin/admin 
 Password for admin/ad...@localhost.network: r

add principal for client

 kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network 
 
 WARNING: no policy specified for 
nfs/ubuntuhardy2.localhost.netw...@localhost.network; defaulting to no policy 
Principal “nfs/ubuntuhardy2.localhost.netw...@localhost.network” created. 
 
create key in keytab

 kadmin: ktadd nfs/ubuntuhardy2.localhost.network 
 
 Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3, 
encryption type Triple DES cbc mode with HMAC/sha1 added to keytab 
WRFILE:/etc/krb5.keytab. Entry for principal 
nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type DES cbc mode 
with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
 kadmin: quit

then I try to mount the nfs share

 mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www 
/mnt/websites/
 
I get 

 mount.nfs: access denied by server while mounting 
ubuntuhardy1.localhost.network:/var/www

and in /var/log/daemon.log on the server

 ubuntuhardy1 mountd[1913]: mount request from unknown host 192.168.0.110 for 
/var/www (/var/www)
 
Does anyone know what I am doing wrong?


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: nfs/kerberos problems

2009-08-18 Thread Kevin Coffman
On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmullerchan...@antenna.nl wrote:
 I get

  mount.nfs: access denied by server while mounting
 ubuntuhardy1.localhost.network:/var/www

 and in /var/log/daemon.log on the server

  ubuntuhardy1 mountd[1913]: mount request from unknown host 192.168.0.110 for
 /var/www (/var/www)

 Does anyone know what I am doing wrong?

Currently, you 

Re: nfs/kerberos problems

2009-08-18 Thread Steve Glasser
 added principal for client ubuntuhardy2

  addprinc -randkey host/ubuntuhardy2.localhost.network addprinc -randkey
 nfs/ubuntuhardy2.localhost.network
 client

 logged in on the client:

  kinit admin/admin
  Password for admin/ad...@localhost.network: r

 add principal for client

  kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network

It appears you created the host/ubuntuhardy2.localhost.network
principal but did not extract the host key to the local keytab file on
ubuntuhardy2, as you did with ubuntuhardy1.  I believe that is
required; if I'm wrong someone please correct me.

Cheers

-- 
Steve Glasser
sgla9...@gmail.com

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
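Two things in the setup above are worth checking mechanically, and neither is visible from the mount error alone. First, as Steve notes, the client keytab only ever received the nfs/ key; the host/ubuntuhardy2 principal was created on the KDC but never ktadd'ed on the client. Second, the export is written as gss/krb5i, which admits only clients negotiating the krb5i flavour (authentication plus integrity), while the mount asks for sec=krb5 (authentication only); a flavour mismatch is refused before any ticket is examined. The mountd line "mount request from unknown host 192.168.0.110" also says the server could not identify the requesting client, so reverse resolution of that address from the server belongs on the same checklist. A further caveat for anyone copying this configuration: the ktadd output shows single-DES (des-cbc-crc) keys being written next to the 3DES ones; single DES is broken and later MIT releases refuse it unless allow_weak_crypto is explicitly enabled.

The script below is an added example, not code from the thread. It takes `klist -k` listings and an exports line as text, so it runs offline against constructed samples modelled on the thread's hosts (ubuntuhardy2, realm LOCALHOST.NETWORK); in use you would feed it the real `klist -k /etc/krb5.keytab` output and /etc/exports.

```shell
#!/bin/sh
# Added example for the nfs/kerberos thread above; not code from the original posts.
# Two offline checks: (1) required principals present in a keytab listing,
# (2) export security flavour versus client mount option.

# Constructed sample: `klist -k /etc/krb5.keytab` on the client as the thread leaves it
# (nfs/ key extracted; host/ key created on the KDC but never ktadd'ed here).
CLIENT_KEYTAB_AS_POSTED='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK'

# Constructed sample: the same keytab after `kadmin: ktadd host/ubuntuhardy2.localhost.network`.
CLIENT_KEYTAB_FIXED="$CLIENT_KEYTAB_AS_POSTED
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK"

# has_principal LISTING PRINCIPAL: true if PRINCIPAL appears in a klist -k listing.
# Column 2 of each key line is the principal; header lines never match a real name.
has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '$2 == want { found = 1 } END { if (found) exit 0; exit 1 }'
}

# missing_principals LISTING FQDN REALM: prints host/FQDN@REALM and nfs/FQDN@REALM
# when absent from the listing; returns 1 if anything is missing, 0 otherwise.
missing_principals() {
    listing=$1; fqdn=$2; realm=$3; rc=0
    for svc in host nfs; do
        p="$svc/$fqdn@$realm"
        if ! has_principal "$listing" "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# export_flavor EXPORTS_LINE: the flavour an old-style "gss/<flavor>(opts)" export accepts.
export_flavor() {
    printf '%s\n' "$1" | sed -n 's/.*gss\/\([a-z0-9]*\)(.*/\1/p'
}

# mount_flavor MOUNT_OPTS: the flavour requested via -o sec=<flavor>; "sys" when no sec= given.
mount_flavor() {
    f=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | tail -n 1)
    echo "${f:-sys}"
}

# flavor_matches EXPORTS_LINE MOUNT_OPTS: true only when server and client agree.
# In the thread the server exports gss/krb5i while the client mounts with sec=krb5.
flavor_matches() {
    [ "$(export_flavor "$1")" = "$(mount_flavor "$2")" ]
}

# Stand-alone run against the constructed samples.
missing_principals "$CLIENT_KEYTAB_AS_POSTED" ubuntuhardy2.localhost.network LOCALHOST.NETWORK \
    || echo "client keytab is missing the principal(s) listed above"
flavor_matches '/var/www gss/krb5i(rw,sync)' 'sec=krb5' \
    || echo "export flavour $(export_flavor '/var/www gss/krb5i(rw,sync)') does not accept mount flavour $(mount_flavor 'sec=krb5')"
```

Run it on both hosts with the real keytab listing; the server side needs host/ and nfs/ for ubuntuhardy1 in the same way. Once the client keytab is complete, either mount with -o sec=krb5i or change the export to the flavour you actually want.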


Re: netidmgr maxing out CPU and can't be killed on Windows 7 RTM

2009-08-18 Thread Jeffrey Altman
Johnny Russ wrote:
 I have a desktop PC running Windows 7 32-bit and a laptop running
 Windows 7 64-bit. I use kerberos and network identity manager to
 access my AFS files. Everything seems to work fine. Except that
 randomly (every few days or so) I will notice my CPU is maxed out.
 When I check the task manager netidmgr.exe and explorer.exe will be
 the 2 processes that are maxing out the CPU. This usually happens when
 I am not even directly using netidmgr or AFS. I cannot kill them from
 task manager, with taskkill, or with pskill from sysinternals. I have
 to reboot to stop them from maxing out the CPU.

 I realize that Windows 7 is not officially supported or even
 officially released yet, but it will be soon. Network Identity
 Manager, Kerberos, and AFS all seem to work fine without any issues. I
 was just curious if anybody else is running Windows 7 and seeing this
 issue. How can I confirm that this is actually a bug when running
 under Windows 7? Or even better any ideas how to avoid it would be
 appreciated.
I haven't seen the issue but would be happy to track it down and squash it.

Since you are comfortable using SysInternals tools, could you configure
procdump to monitor netidmgr.exe and explorer.exe for cpu spikes and
have it capture a process dump when the issue occurs?

http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

Please send mail to netid...@secure-endpoints.com.  Given that the
issue affects both netidmgr.exe and explorer.exe I suspect the problem
isn't actually with netidmgr but is more likely an interaction between
Windows 7 and OpenAFS but we shall see.

Jeffrey Altman





Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: netidmgr maxing out CPU and can't be killed on Windows 7 RTM

2009-08-18 Thread Johnny Russ
 I haven't seen the issue but would be happy to track it down and squash it.

 Since you are comfortable using SysInternals tools, could you configure
 procdump to monitor netidmgr.exe and explorer.exe for cpu spikes and
 have it capture a process dump when the issue occurs?

 http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

 Please send mail to netid...@secure-endpoints.com.  Given that the
 issue affects both netidmgr.exe and explorer.exe I suspect the problem
 isn't actually with netidmgr but is more likely an interaction between
 Windows 7 and OpenAFS but we shall see.

I just sent an email to netid...@secure-endpoints.com with the
requested dump files for explorer.exe and netidmgr.exe. Thanks for
checking into this, I have had to stop using netidmgr until I can
figure out a fix.


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Status 0x96c73ac3 - No credentials cache found

2009-08-18 Thread dxtans
Hello,
I have installed kerberos v5 on aix, the principal account has been
created Ok on the AD server.
But when I try and run kinit on the unix side I get:


ktutil:  rkt /etc/krb5/uk0108.keytab
ktutil:  list
slot   KVNO   Principal
-- -- --
 1  5   host/uk0108.bxc@bxc.com
ktutil:  wkt /etc/krb5/krb5.keytab
ktutil:  quit

kinit  -kt /etc/krb5/krb5.keytab
Unable to obtain initial credentials.
Status 0x96c73ab5 - Key table entry not found.

Now I have googled this error, I can confirm, that I can resolve
correctly both forward and reverse lookups using dig and host for the
fqdn. That the config file is correct with the domain name.

I have used tcpdump on the interface and although I see connections to
port 88 on the AD side, there is nothing being passed.
I am running this as root. Should I create the principal account
(uk0108) also on the unix side and run the above commands as that user?

Does anybody have any other avenues I can investigate.


My conf file is:

[libdefaults]
default_realm = BXC.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5


[realms]
BXC.COM = {
kdc = ukad01.bxc.com:88
admin_server = uk0108.bxc.com:749
default_domain = bxc.com
}

[domain_realm]
.bxc.com = BXC.COM
uk0108.bxc.com = BXC.COM
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log





thanks
dxtans

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Status 0x96c73ac3 - No credentials cache found

2009-08-18 Thread Edward Murrell
You will need to specify the principal you wish to use when running
kinit. This is because keytabs can contain multiple principals.

ie;
kinit -kt /etc/krb5/krb5.keytab host/uk0108.bxc@bxc.com

Hope this helps!
Cheers,
Edward

On Tue, 2009-08-18 at 13:04 -0700, dxtans wrote:
 Hello,
 I have installed kerberos v5 on aix, the principle account has been
 created Ok on the AD server.
 But when I try and run kinit on the unix side I get:
 
 
 ktutil:  rkt /etc/krb5/uk0108.keytab
 ktutil:  list
 slot   KVNO   Principal
 -- -- --
  1  5   host/uk0108.bxc@bxc.com
 ktutil:  wkt /etc/krb5/krb5.keytab
 ktutil:  quit
 
 kinit  -kt /etc/krb5/krb5.keytab
 Unable to obtain initial credentials.
 Status 0x96c73ab5 - Key table entry not found.


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
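Edward's point is that a keytab-based kinit has to be told which entry to use; the ktutil listing in the question holds exactly one, so the command can be derived from the listing itself. A second thing an editor would flag in the posted krb5.conf is that default_tkt_enctypes and default_tgs_enctypes are pinned to des-cbc-md5. That forces single DES for every ticket request; single DES is cryptographically broken, and Active Directory domain controllers from Windows Server 2008 R2 onward have it disabled by default, so pinning it can itself make the KDC exchange fail. Dropping the two lines lets the client and the DC negotiate a stronger enctype (RC4-HMAC, or AES on 2008-level domains).

The script below is an added example, not code from the thread. It parses the posted ktutil listing and krb5.conf as inline text (constructed samples copied from the question), builds the kinit command line, and reports any single-DES enctypes pinned in [libdefaults]. The parsing is deliberately generic: it works on `klist -k` output as well, and on any of the three enctype-pinning keys.

```shell
#!/bin/sh
# Added example for the AIX/AD kinit thread above; not code from the original posts.

# Constructed sample: the [libdefaults] section of the krb5.conf posted in the question.
KRB5_CONF='[libdefaults]
default_realm = BXC.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5'

# Constructed sample: the `ktutil: list` output from the question.
KEYTAB_LISTING='slot   KVNO   Principal
-- -- --
 1  5   host/uk0108.bxc@bxc.com'

# keytab_principals LISTING: one principal per line. Works for both ktutil list and
# klist -k output, since the principal is the last field and only key lines contain "@".
keytab_principals() {
    printf '%s\n' "$1" | awk '$NF ~ /@/ { print $NF }'
}

# kinit_command LISTING KEYTAB: the kinit invocation Edward suggests, naming the first
# principal in the keytab. Prints nothing and returns 1 if the keytab has no entries.
kinit_command() {
    p=$(keytab_principals "$1" | head -n 1)
    [ -n "$p" ] || return 1
    echo "kinit -kt $2 $p"
}

# conf_value CONF KEY: value of KEY in ini-style krb5.conf text (first match, trimmed).
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# has_weak_enctypes CONF: prints every single-DES enctype pinned by the three
# enctype keys and returns 0 if any were found; returns 1 when the config is clean.
# 3DES (des3-*) is deprecated too but is deliberately not matched here.
has_weak_enctypes() {
    found=1
    for key in default_tkt_enctypes default_tgs_enctypes permitted_enctypes; do
        for e in $(conf_value "$1" "$key"); do
            case $e in
                des-cbc-*) echo "$key: $e"; found=0 ;;
            esac
        done
    done
    return $found
}

# Stand-alone run against the constructed samples.
kinit_command "$KEYTAB_LISTING" /etc/krb5/krb5.keytab
has_weak_enctypes "$KRB5_CONF" && echo "single-DES enctypes are pinned; remove the lines above and let the KDC negotiate"
```

Realm names are case-sensitive, so if the principal printed from the keytab does not match default_realm exactly (including case), the ticket request is for a different realm than the one configured; compare the two before trusting the keytab.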


Re: netidmgr maxing out CPU and can't be killed on Windows 7 RTM

2009-08-18 Thread Danny Mayer
Johnny Russ wrote:
 I have a desktop PC running Windows 7 32-bit and a laptop running
 Windows 7 64-bit. I use kerberos and network identity manager to
 access my AFS files. Everything seems to work fine. Except that
 randomly (every few days or so) I will notice my CPU is maxed out.
 When I check the task manager netidmgr.exe and explorer.exe will be
 the 2 processes that are maxing out the CPU. This usually happens when
 I am not even directly using netidmgr or AFS. I cannot kill them from
 task manager, with taskkill, or with pskill from sysinternals. I have
 to reboot to stop them from maxing out the CPU.
 

I have seen something like this on my XP box and I believe it was
netidmgr if that is the app that sits in the system tray. After some
time (days) it seems to be grabbing all the messages in the message pump
and suddenly all of my windows go crazy, flashing windows all over the
screen. I have to find my DOS window and kill it off and then things
return to normal. I don't think this is specific to Windows 7.

I haven't had time to follow up as I have plenty of other projects on my
plate.

Danny
 I realize that Windows 7 is not officially supported or even
 officially released yet, but it will be soon. Network Identity
 Manager, Kerberos, and AFS all seem to work fine without any issues. I
 was just curious if anybody else is running Windows 7 and seeing this
 issue. How can I confirm that this is actually a bug when running
 under Windows 7? Or even better any ideas how to avoid it would be
 appreciated.





Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: netidmgr maxing out CPU and can't be killed on Windows 7 RTM

2009-08-18 Thread Jeffrey Altman
Danny Mayer wrote:
 I have seen something like this on my XP box and I believe it was
 netidmgr if that is the app that sits in the system tray. After some
 time (days) it seems to be grabbing all the messages in the message pump
 and suddenly all of my windows go crazy, flashing windows all over the
 screen. I have to find my DOS window and kill it off and then things
 return to normal. I don't think this is specific to Windows 7.

 I haven't had time to follow up as I have plenty of other projects on my
 plate.

 Danny
Danny:

I have to say this sounds extremely unlikely. If you have any
evidence to back up this theory I would love to see it.

The problem that Mr Russ is experiencing appears to be related to
interactions with Offline Folders and OpenAFS Pioctls.  I am following
up with him to collect additional information.

Jeffrey Altman





Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos