Package: nfs-kernel-server
Version: 1:1.1.4-1
Severity: important

It's impossible to mount an nfs4 share with kerberos5 security on current sid 
systems.
The problem appears to come from here (full log below):
Mar 30 19:26:55 gythtv rpc.svcgssd[g379]: WARNING: get_ids: failed to map name 
'root/mythtv.mydomain.lo...@myrealm.local' to uid/gid: Invalid argument 

I have found some hints via Google that this problem comes from libnfsidmap2 
(http://linux-nfs.org/pipermail/nfsv4/2008-October/009399.html). But the sid 
version seems to be really old.
I hope this will help to find the bug.

Test setup:
krb5-kdc, nfs-server and client on the same machine (for initial testing
    purposes)

MYREALM.LOCAL and mydomain.local are equal in my test setup.

/etc/krb5.conf 
######################################>%
[libdefaults]
          default_realm = MYREALM.LOCAL
#       dns_lookup_realm = true
#       dns_lookup_kdc = false
[realms]
          MYREALM.LOCAL = {
                    kdc = mythtv.mydomain.local
                      admin_server = mythtv.mydomain.local
                      default_domain = mydomain.local
              }
[domain_realm]
     .mydomain.local = MYREALM.LOCAL
%<#####################################

mythtv:~# klist -e -k /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/mythtv.19.ros.03046....@19.ros.03046.com (DES cbc mode with CRC-32) 
   3 root/mythtv.19.ros.03046....@19.ros.03046.com (DES cbc mode with CRC-32) 

/etc/exports:
/data       gss/krb5p(rw,async,no_subtree_check,nohide,crossmnt)
/           gss/krb5p(fsid=0,rw,async,no_subtree_check,nohide,crossmnt) 


mythtv:~# egrep -v "^#|^$" /etc/default/nfs-* 
/etc/default/nfs-common:NEED_STATD=
/etc/default/nfs-common:STATDOPTS=
/etc/default/nfs-common:NEED_IDMAPD=yes
/etc/default/nfs-common:NEED_GSSD=yes
/etc/default/nfs-common:RPCGSSDOPTS="-vvv -rrr"
/etc/default/nfs-kernel-server:RPCNFSDCOUNT=8
/etc/default/nfs-kernel-server:RPCNFSDPRIORITY=0
/etc/default/nfs-kernel-server:RPCMOUNTDOPTS=--manage-gids
/etc/default/nfs-kernel-server:NEED_SVCGSSD=yes
/etc/default/nfs-kernel-server:RPCSVCGSSDOPTS="-vvv -rrr"


mythtv:~# mount -t nfs4 -o sec=krb5 mythtv:/data /mnt/
mount.nfs4: access denied by server while mounting mythtv:/data


log messages from daemon.log...

Mar 30 19:26:55 mythtv rpc.idmapd[2424]: New client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Opened 
/var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: handling krb5 upcall 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for 
'mythtv.mydomain.local' is 'mythtv.mydomain.local' 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for 
'mythtv.mydomain.local' is 'mythtv.mydomain.local' 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Success getting keytab entry for 
'root/mythtv.mydomain.local@' 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using 
FILE:/tmp/krb5cc_machine_MYREALM.LOCAL as credentials cache for machine creds 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using environment variable to select 
krb5 ccache FILE:/tmp/krb5cc_machine_MYREALM.LOCAL 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context using fsuid 0 (save_uid 
0) 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating tcp client for server 
mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context with server 
n...@mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create_default()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: name is 0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: gd->name is 0x96937a8
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_refresh()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: struct rpc_gss_sec: 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      mechanism_OID: { 1 2 134 72 134 247 
18 1 2 2 } 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      qop: 0 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      service: 1 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      cred: 0x9690fc0 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      req_flags: 00000002 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_marshal()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_cred: encode success (v 1, 
proc 1, seq 0, svc 1, ctx (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_wrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success 
(0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_args: encode success 
(token 0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: leaving poll 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: handling null request 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sname = 
root/mythtv.mydomain.lo...@myrealm.local 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 
'root/mythtv.mydomain.lo...@myrealm.local' to uid/gid: Invalid argument 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sending null reply 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: writing message: \x 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: finished handling null request 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: entering poll 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_validate()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_unwrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_res decode success (ctx 
(nil):0, maj 131072, min 0, win 128, token (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create_default: freeing name 
0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context 
for user with uid 0 for server mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context 
for user with uid 0 with credentials cache 
FILE:/tmp/krb5cc_machine_MYREALM.LOCAL for server mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context 
for user with uid 0 with any credentials cache for server mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: doing error downcall 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Failed to write error downcall! 
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Stale client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: ^I-> closed 
/var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt53 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt52 


msc

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.28.7-nias (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nfs-kernel-server depends on:
ii  libblkid1            1.41.3-1            block device id library
ii  libc6                2.9-6               GNU C Library: Shared libraries
ii  libcomerr2           1.41.3-1            common error description library
ii  libgssglue1          0.1-2               mechanism-switch gssapi library
ii  libkrb53             1.6.dfsg.4~beta1-12 Transitional library package/krb4 
ii  libnfsidmap2         0.21-2              An nfs idmapping library
ii  librpcsecgss3        0.18-1              allows secure rpc communication us
ii  libwrap0             7.6.q-16            Wietse Venema's TCP wrappers libra
ii  lsb-base             3.2-22              Linux Standard Base 3.2 init scrip
ii  nfs-common           1:1.1.4-1           NFS support files common to client
ii  ucf                  3.0018              Update Configuration File: preserv

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information
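
A triage helper for logs like the daemon.log excerpt above, added here as an example and not part of the original report: it re-joins mail-wrapped syslog lines and pairs rpc.svcgssd name-mapping failures with rpc.gssd context failures. The sample log, host name and principal are constructed.

```python
import re

# Constructed sample in the same shape as the daemon.log excerpt above,
# including mail-wrapped continuation lines; host and principal are made up.
SAMPLE_LOG = """\
Mar 30 19:26:55 host rpc.gssd[2428]: handling krb5 upcall
Mar 30 19:26:55 host rpc.svcgssd[2379]: WARNING: get_ids: failed to map name
'root/host.example.test@EXAMPLE.TEST' to uid/gid: Invalid argument
Mar 30 19:26:55 host rpc.gssd[2428]: WARNING: Failed to create krb5 context
for user with uid 0 for server host.example.test
Mar 30 19:26:55 host rpc.idmapd[2424]: Stale client: 52
"""

HEADER = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w.\-]+)\[(\d+)\]: (.*)$")
MAP_FAIL = re.compile(r"get_ids: failed to map name '([^']+)' to uid/gid: (.+)")
CTX_FAIL = re.compile(r"Failed to create krb5 context for user with uid (\d+) .*for server (\S+)")

def records(text):
    """Yield (timestamp, daemon, message), re-joining wrapped continuation lines."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(3), m.group(5).strip()]
        elif current and line.strip():
            current[2] += " " + line.strip()
    if current:
        yield tuple(current)

def triage(text):
    """Pair server-side name-mapping failures with client-side context failures."""
    map_fail, ctx_fail = [], []
    for ts, daemon, msg in records(text):
        if daemon == "rpc.svcgssd" and (m := MAP_FAIL.search(msg)):
            map_fail.append({"time": ts, "principal": m.group(1), "error": m.group(2)})
        elif daemon == "rpc.gssd" and (m := CTX_FAIL.search(msg)):
            ctx_fail.append({"time": ts, "uid": int(m.group(1)), "server": m.group(2)})
    # Same-second pairing: the mount attempt in the report fails within one second.
    paired = [(s, c) for s in map_fail for c in ctx_fail if s["time"] == c["time"]]
    return map_fail, ctx_fail, paired

if __name__ == "__main__":
    for srv, cli in triage(SAMPLE_LOG)[2]:
        print(f"{srv['time']}: idmap of {srv['principal']} failed ({srv['error']}); "
              f"client uid {cli['uid']} got no context for {cli['server']}")
```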


