Package: nfs-kernel-server
Version: 1:1.1.4-1
Severity: important

It's impossible to mount an nfs4 share with kerberos5 security on current sid systems. The problem looks like it comes from here (full log below):

Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 'root/mythtv.mydomain.lo...@myrealm.local' to uid/gid: Invalid argument

I have found some hints with Google that this problem comes from libnfsidmap2 (http://linux-nfs.org/pipermail/nfsv4/2008-October/009399.html). But the sid version seems to be really old. I hope this will help to find the bug.

Test setup: krb5-kdc, nfs-server and client on the same machine (for first testing purposes). MYREALM.LOCAL and mydomain.local are equal in my test setup.

/etc/krb5.conf
######################################>%
[libdefaults]
        default_realm = MYREALM.LOCAL
#       dns_lookup_realm = true
#       dns_lookup_kdc = false

[realms]
        MYREALM.LOCAL = {
                kdc = mythtv.mydomain.local
                admin_server = mythtv.mydomain.local
                default_domain = mydomain.local
        }

[domain_realm]
        .mydomain.local = MYREALM.LOCAL
%<#####################################

mythtv:~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/mythtv.19.ros.03046....@19.ros.03046.com (DES cbc mode with CRC-32)
   3 root/mythtv.19.ros.03046....@19.ros.03046.com (DES cbc mode with CRC-32)

/etc/exports:
/data gss/krb5p(rw,async,no_subtree_check,nohide,crossmnt)
/ gss/krb5p(fsid=0,rw,async,no_subtree_check,nohide,crossmnt)

mythtv:~# egrep -v "^#|^$" /etc/default/nfs-*
/etc/default/nfs-common:NEED_STATD=
/etc/default/nfs-common:STATDOPTS=
/etc/default/nfs-common:NEED_IDMAPD=yes
/etc/default/nfs-common:NEED_GSSD=yes
/etc/default/nfs-common:RPCGSSDOPTS="-vvv -rrr"
/etc/default/nfs-kernel-server:RPCNFSDCOUNT=8
/etc/default/nfs-kernel-server:RPCNFSDPRIORITY=0
/etc/default/nfs-kernel-server:RPCMOUNTDOPTS=--manage-gids
/etc/default/nfs-kernel-server:NEED_SVCGSSD=yes
/etc/default/nfs-kernel-server:RPCSVCGSSDOPTS="-vvv -rrr"

mythtv:~# mount -t nfs4 -o sec=krb5 mythtv:/data /mnt/
mount.nfs4: access denied by server while mounting mythtv:/data

Log messages from daemon.log...

Mar 30 19:26:55 mythtv rpc.idmapd[2424]: New client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Opened /var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: handling krb5 upcall
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for 'mythtv.mydomain.local' is 'mythtv.mydomain.local'
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for 'mythtv.mydomain.local' is 'mythtv.mydomain.local'
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Success getting keytab entry for 'root/mythtv.mydomain.local@'
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using FILE:/tmp/krb5cc_machine_MYREALM.LOCAL as credentials cache for machine creds
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYREALM.LOCAL
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context using fsuid 0 (save_uid 0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating tcp client for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context with server n...@mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create_default()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: name is 0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: gd->name is 0x96937a8
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_refresh()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: struct rpc_gss_sec:
Mar 30 19:26:55 mythtv rpc.gssd[2428]: mechanism_OID: { 1 2 134 72 134 247 18 1 2 2 }
Mar 30 19:26:55 mythtv rpc.gssd[2428]: qop: 0
Mar 30 19:26:55 mythtv rpc.gssd[2428]: service: 1
Mar 30 19:26:55 mythtv rpc.gssd[2428]: cred: 0x9690fc0
Mar 30 19:26:55 mythtv rpc.gssd[2428]: req_flags: 00000002
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_marshal()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_cred: encode success (v 1, proc 1, seq 0, svc 1, ctx (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_wrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success (0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_args: encode success (token 0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: leaving poll
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: handling null request
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sname = root/mythtv.mydomain.lo...@myrealm.local
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 'root/mythtv.mydomain.lo...@myrealm.local' to uid/gid: Invalid argument
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sending null reply
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: writing message: \x
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: finished handling null request
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: entering poll
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_validate()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_unwrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_res decode success (ctx (nil):0, maj 131072, min 0, win 128, token (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create_default: freeing name 0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_MYREALM.LOCAL for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: doing error downcall
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Failed to write error downcall!
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Stale client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: ^I-> closed /var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt53
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt52

msc

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.28.7-nias (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nfs-kernel-server depends on:
ii  libblkid1     1.41.3-1             block device id library
ii  libc6         2.9-6                GNU C Library: Shared libraries
ii  libcomerr2    1.41.3-1             common error description library
ii  libgssglue1   0.1-2                mechanism-switch gssapi library
ii  libkrb53      1.6.dfsg.4~beta1-12  Transitional library package/krb4
ii  libnfsidmap2  0.21-2               An nfs idmapping library
ii  librpcsecgss3 0.18-1               allows secure rpc communication us
ii  libwrap0      7.6.q-16             Wietse Venema's TCP wrappers libra
ii  lsb-base      3.2-22               Linux Standard Base 3.2 init scrip
ii  nfs-common    1:1.1.4-1            NFS support files common to client
ii  ucf           3.0018               Update Configuration File: preserv

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information
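
Added example, not part of the original report and not nfs-utils code: a Python triage helper that scans syslog-format daemon.log lines for the rpc.svcgssd get_ids mapping failure shown above and pairs each one with rpc.gssd context-creation failures logged in the same second. The sample lines, host name, realm and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Syslog prefix: "Mar 30 19:26:55 host prog[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([\w.]+)\[\d+\]:\s(.*)$")
MAP_FAIL = re.compile(r"get_ids: failed to map name '([^']+)' to uid/gid: (.+)$")
CTX_FAIL = re.compile(r"Failed to create krb5 context for user with uid (\d+)")

# Constructed sample lines (hypothetical host and realm), modelled on the log above.
SAMPLE = [
    "Mar 30 19:26:55 nfs1 rpc.svcgssd[2379]: sname = root/nfs1.example.test@EXAMPLE.TEST",
    "Mar 30 19:26:55 nfs1 rpc.svcgssd[2379]: WARNING: get_ids: failed to map name "
    "'root/nfs1.example.test@EXAMPLE.TEST' to uid/gid: Invalid argument",
    "Mar 30 19:26:55 nfs1 rpc.gssd[2428]: WARNING: Failed to create krb5 context "
    "for user with uid 0 for server nfs1.example.test",
    "Mar 30 19:26:56 nfs1 rpc.idmapd[2424]: Stale client: 52",
]

def split_principal(name):
    """Split 'primary/instance@REALM'; instance and realm may be empty."""
    rest, realm = name.rsplit("@", 1) if "@" in name else (name, "")
    primary, _, instance = rest.partition("/")
    return primary, instance, realm

def triage(lines):
    """Return one finding per principal that rpc.svcgssd could not map to a uid/gid."""
    server = defaultdict(list)  # timestamp -> [(host, principal, error)]
    client = defaultdict(set)   # timestamp -> uids whose GSS context creation failed
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, host, prog, msg = m.groups()
        hit = MAP_FAIL.search(msg) if prog == "rpc.svcgssd" else None
        if hit:
            server[ts].append((host, hit.group(1), hit.group(2)))
        hit = CTX_FAIL.search(msg) if prog == "rpc.gssd" else None
        if hit:
            client[ts].add(int(hit.group(1)))
    findings = []
    for ts, fails in server.items():
        for host, principal, error in fails:
            primary, instance, realm = split_principal(principal)
            findings.append({"time": ts, "server": host, "primary": primary,
                             "instance": instance, "realm": realm, "error": error,
                             "client_uids": sorted(client[ts])})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Matching on the timestamp alone fits the single-machine test setup in this report; with client and server on separate hosts, clock skew means a tolerance window would be needed.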