nfs/kerberos problems
Hi list,

I cannot get NFS with Kerberos working on my Ubuntu 8.04 servers. Here's what I did:

First I installed the NFS server on ubuntuhardy1 and the client on ubuntuhardy2. NFS mounting from ubuntuhardy2 to ubuntuhardy1 without Kerberos works.

Changed the following in /etc/default/nfs-kernel-server:

  NEED_SVCGSSD=yes
  RPCSVCGSSDOPTS=-vvv

Then I installed ntp on both servers.

On the NFS/Kerberos server ubuntuhardy1:

  aptitude install krb5-admin-server krb5-kdc

Edit /etc/hosts:

  127.0.0.1     ubuntuhardy1.localhost.network ubuntuhardy1 localhost
  192.168.0.109 ubuntuhardy1.localhost.network
  192.168.0.110 ubuntuhardy2.localhost.network

Change hostname:

  hostname ubuntuhardy1.localhost.network

Edit /etc/krb5.conf:

  [libdefaults]
      default_realm = LOCALHOST.NETWORK
  [realms]
      LOCALHOST.NETWORK = {
          kdc = ubuntuhardy1.localhost.network
          admin_server = ubuntuhardy1.localhost.network
          default_domain = localhost.network
      }
  [domain_realm]
      localhost.network = LOCALHOST.NETWORK
      .localhost.network = LOCALHOST.NETWORK
  [logging]
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb5lib.log

Change /etc/krb5kdc/kdc.conf:

  [kdcdefaults]
      kdc_ports = 750,88
  [realms]
      LOCALHOST.NETWORK = {
          database_name = /var/lib/krb5kdc/principal
          admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
          acl_file = /etc/krb5kdc/kadm5.acl
          key_stash_file = /etc/krb5kdc/stash
          kdc_ports = 750,88
          max_life = 10h 0m 0s
          max_renewable_life = 7d 0h 0m 0s
          master_key_type = des3-hmac-sha1
          supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
          default_principal_flags = +preauth
      }

Create realm:

  kdb5_util create -s
  loading random data
  Initializing database '/var/lib/krb5kdc/principal' for realm 'LOCALHOST.NETWORK',
  master key name 'K/m...@localhost.network'
  You will be prompted for the database Master Password.
  It is important that you NOT FORGET this password.
  Enter KDC database master key:

Restarted Kerberos:

  /etc/init.d/krb5-admin-server restart
  /etc/init.d/krb5-kdc restart

Now you can access it with the following command:

Started kadmin:

  kadmin.local

Added user:

  addprinc admin/admin

Added host key for the server:

  addprinc -randkey host/ubuntuhardy1.localhost.netw...@localhost.network

Add principal to local key table:

  ktadd host/ubuntuhardy1.localhost.netw...@localhost.network

Output:

  Entry for principal host/ubuntuhardy1.localhost.netw...@localhost.network with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
  Entry for principal host/ubuntuhardy1.localhost.netw...@localhost.network with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

Edit /etc/exports:

  /var/www gss/krb5i(rw,sync)

Restarted the NFS server.

On the client ubuntuhardy2:

Edit /etc/hosts:

  127.0.0.1     ubuntuhardy2.localhost.network ubuntuhardy2 localhost
  192.168.0.110 ubuntuhardy2.localhost.network
  192.168.0.109 ubuntuhardy1.localhost.network

Install software:

  aptitude install krb5-user krb5-clients libpam-krb5

Copied /etc/krb5.conf from the server.

Tested Kerberos access:

  kinit admin/admin

and got this output:

  Password for admin/ad...@localhost.network:

Logged in again on the SERVER:

  kadmin

Added principals for client ubuntuhardy2:

  addprinc -randkey host/ubuntuhardy2.localhost.network
  addprinc -randkey nfs/ubuntuhardy2.localhost.network

On the client, logged in:

  kinit admin/admin
  Password for admin/ad...@localhost.network:

Add principal for client:

  kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network
  WARNING: no policy specified for nfs/ubuntuhardy2.localhost.netw...@localhost.network; defaulting to no policy
  Principal "nfs/ubuntuhardy2.localhost.netw...@localhost.network" created.

Create key in keytab:

  kadmin: ktadd nfs/ubuntuhardy2.localhost.network
  Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
  Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
  kadmin: quit

Then I try to mount the NFS share:

  mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www /mnt/websites/

I get:

  mount.nfs: access denied by server while mounting ubuntuhardy1.localhost.network:/var/www

and in /var/log/daemon.log on the server ubuntuhardy1:

  mountd[1913]: mount request from unknown host 192.168.0.110 for /var/www (/var/www)

Does anyone know what I am doing wrong?

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: nfs/kerberos problems
On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller chan...@antenna.nl wrote:

> [Chantal's original message, quoted in full; it appears above.]

Currently, you
Re: nfs/kerberos problems
> added principal for client ubuntuhardy2
> addprinc -randkey host/ubuntuhardy2.localhost.network
> addprinc -randkey nfs/ubuntuhardy2.localhost.network
> client logged in on the client:
> kinit admin/admin
> Password for admin/ad...@localhost.network:
> add principal for client
> kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network

It appears you created the host/ubuntuhardy2.localhost.network principal but did not extract the host key to the local keytab file on ubuntuhardy2, as you did with ubuntuhardy1. I believe that is required; if I'm wrong someone please correct me.

Cheers
--
Steve Glasser
sgla9...@gmail.com
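As an added example (not code from the thread or from either poster), here is a POSIX shell check that reads `klist -k` output for a host's keytab and reports which of the service principals an NFS-over-Kerberos host is expected to hold are absent. It goes one step beyond Steve's reply: besides the host/<fqdn> key he points at, it also looks for nfs/<fqdn>, the key the Linux NFS GSS daemons (rpc.gssd on the client, rpc.svcgssd on the server) use. The layout it parses is the MIT `klist -k` listing ("KVNO Principal" header, one entry per line); the two embedded sample listings are constructed to mirror the ktadd steps in the original post, where the server only ever added a host/ key and the client only an nfs/ key.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: check a keytab listing for
# the service principals an NFS-over-Kerberos host needs.
# Assumes the MIT `klist -k` layout: a "Keytab name:" line, a "KVNO Principal"
# header, a dashed rule, then one "<kvno> <principal>" entry per line.

# keytab_principals: print the principal of every entry in klist -k output
# read from stdin (entry lines are the ones whose first field is the KVNO).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# missing_principals FQDN REALM: read klist -k output from stdin and print
# each expected service principal for this host that the keytab lacks:
#   host/FQDN@REALM  (the key Steve's reply asks about)
#   nfs/FQDN@REALM   (the key rpc.gssd / rpc.svcgssd look for)
# Prints nothing when both are present.
missing_principals() {
    fqdn=$1
    realm=$2
    have=$(keytab_principals)
    for svc in host nfs; do
        want="$svc/$fqdn@$realm"
        printf '%s\n' "$have" | grep -Fqx "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample listings mirroring the ktadd steps in the original post:
# the server only added host/ubuntuhardy1, the client only nfs/ubuntuhardy2.
# On a real host you would feed the live listing instead:
#   klist -k /etc/krb5.keytab | missing_principals "$(hostname -f)" REALM
SAMPLE_SERVER_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK
   3 host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK'

SAMPLE_CLIENT_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK'

# report LABEL FQDN REALM: run the check on stdin and print a short verdict.
report() {
    missing=$(missing_principals "$2" "$3")
    if [ -z "$missing" ]; then
        echo "$1: keytab holds host/ and nfs/ keys for $2"
    else
        echo "$1: keytab is missing:"
        printf '  %s\n' $missing
    fi
}

printf '%s\n' "$SAMPLE_SERVER_KLIST" | report ubuntuhardy1 ubuntuhardy1.localhost.network LOCALHOST.NETWORK
printf '%s\n' "$SAMPLE_CLIENT_KLIST" | report ubuntuhardy2 ubuntuhardy2.localhost.network LOCALHOST.NETWORK
```

Run against the constructed samples it reports nfs/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK missing on the server and host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK missing on the client. The check only inspects the keytab; it says nothing about whether the KDC holds the same kvno, so a stale key after a re-run of addprinc -randkey still has to be caught by re-running ktadd.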
Re: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
Johnny Russ wrote:
> I have a desktop PC running Windows 7 32-bit and a laptop running Windows 7 64-bit. I use kerberos and network identity manager to access my AFS files. Everything seems to work fine. Except that randomly (every few days or so) I will notice my CPU is maxed out. When I check the task manager netidmgr.exe and explorer.exe will be the 2 processes that are maxing out the CPU. This usually happens when I am not even directly using netidmgr or AFS. I cannot kill them from task manager, with taskkill, or with pskill from sysinternals. I have to reboot to stop them from maxing out the CPU.
>
> I realize that Windows 7 is not officially supported or even officially released yet, but it will be soon. Network Identity Manager, Kerberos, and AFS all seem to work fine without any issues. I was just curious if anybody else is running Windows 7 and seeing this issue. How can I confirm that this is actually a bug when running under Windows 7? Or even better any ideas how to avoid it would be appreciated.

I haven't seen the issue but would be happy to track it down and squash it. Since you are comfortable using SysInternals tools, could you configure procdump to monitor netidmgr.exe and explorer.exe for cpu spikes and have it capture a process dump when the issue occurs?

http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

Please send mail to netid...@secure-endpoints.com.

Given that the issue affects both netidmgr.exe and explorer.exe I suspect the problem isn't actually with netidmgr but is more likely an interaction between Windows 7 and OpenAFS but we shall see.

Jeffrey Altman
Re: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
> I haven't seen the issue but would be happy to track it down and squash it. Since you are comfortable using SysInternals tools, could you configure procdump to monitor netidmgr.exe and explorer.exe for cpu spikes and have it capture a process dump when the issue occurs?
>
> http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
>
> Please send mail to netid...@secure-endpoints.com.
>
> Given that the issue affects both netidmgr.exe and explorer.exe I suspect the problem isn't actually with netidmgr but is more likely an interaction between Windows 7 and OpenAFS but we shall see.

I just sent an email to netid...@secure-endpoints.com with the requested dump files for explorer.exe and netidmgr.exe. Thanks for checking into this, I have had to stop using netidmgr until I can figure out a fix.
Status 0x96c73ac3 - No credentials cache found
Hello,

I have installed Kerberos v5 on AIX; the principal account has been created OK on the AD server. But when I try and run kinit on the Unix side I get:

  ktutil: rkt /etc/krb5/uk0108.keytab
  ktutil: list
  slot KVNO Principal
  ---- ---- ---------
     1    5 host/uk0108.bxc@bxc.com
  ktutil: wkt /etc/krb5/krb5.keytab
  ktutil: quit

  kinit -kt /etc/krb5/krb5.keytab
  Unable to obtain initial credentials.
  Status 0x96c73ab5 - Key table entry not found.

Now I have googled this error. I can confirm that I can resolve correctly both forward and reverse lookups using dig and host for the FQDN, and that the config file is correct with the domain name. I have used tcpdump on the interface and although I see connections to port 88 on the AD side, there is nothing being passed. I am running this as root.

Should I create the principal account (uk0108) also on the Unix side and run the above commands as that user?

Does anybody have any other avenues I can investigate?

My conf file is:

  [libdefaults]
      default_realm = BXC.COM
      dns_lookup_realm = false
      dns_lookup_kdc = false
      default_keytab_name = FILE:/etc/krb5/krb5.keytab
      default_tkt_enctypes = des-cbc-md5
      default_tgs_enctypes = des-cbc-md5
  [realms]
      BXC.COM = {
          kdc = ukad01.bxc.com:88
          admin_server = uk0108.bxc.com:749
          default_domain = bxc.com
      }
  [domain_realm]
      .bxc.com = BXC.COM
      uk0108.bxc.com = BXC.COM
  [logging]
      kdc = FILE:/var/krb5/log/krb5kdc.log
      admin_server = FILE:/var/krb5/log/kadmin.log
      default = FILE:/var/krb5/log/krb5lib.log

thanks
dxtans
Re: Status 0x96c73ac3 - No credentials cache found
You will need to specify the principal you wish to use when running kinit. This is because keytabs can contain multiple principals, i.e.:

  kinit -kt /etc/krb5/krb5.keytab host/uk0108.bxc@bxc.com

Hope this helps!

Cheers,
Edward

On Tue, 2009-08-18 at 13:04 -0700, dxtans wrote:

> [dxtans's original message, quoted in full; it appears above.]
Re: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
Johnny Russ wrote:
> I have a desktop PC running Windows 7 32-bit and a laptop running Windows 7 64-bit. I use kerberos and network identity manager to access my AFS files. Everything seems to work fine. Except that randomly (every few days or so) I will notice my CPU is maxed out. When I check the task manager netidmgr.exe and explorer.exe will be the 2 processes that are maxing out the CPU. This usually happens when I am not even directly using netidmgr or AFS. I cannot kill them from task manager, with taskkill, or with pskill from sysinternals. I have to reboot to stop them from maxing out the CPU.

I have seen something like this on my XP box and I believe it was netidmgr if that is the app that sits in the system tray. After some time (days) it seems to be grabbing all the messages in the message pump and suddenly all of my windows go crazy, flashing windows all over the screen. I have to find my DOS window and kill it off and then things return to normal. I don't think this is specific to Windows 7. I haven't had time to follow up as I have plenty of other projects on my plate.

Danny

> I realize that Windows 7 is not officially supported or even officially released yet, but it will be soon. Network Identity Manager, Kerberos, and AFS all seem to work fine without any issues. I was just curious if anybody else is running Windows 7 and seeing this issue. How can I confirm that this is actually a bug when running under Windows 7? Or even better any ideas how to avoid it would be appreciated.
Re: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
Danny Mayer wrote:
> I have seen something like this on my XP box and I believe it was netidmgr if that is the app that sits in the system tray. After some time (days) it seems to be grabbing all the messages in the message pump and suddenly all of my windows go crazy, flashing windows all over the screen. I have to find my DOS window and kill it off and then things return to normal. I don't think this is specific to Windows 7. I haven't had time to follow up as I have plenty of other projects on my plate.
>
> Danny

Danny:

I have to say this sounds extremely unlikely. If you have any evidence to back up this theory I would love to see it.

The problem that Mr Russ is experiencing appears to be related to interactions with Offline Folders and OpenAFS Pioctls. I am following up with him to collect additional information.

Jeffrey Altman