Debian Bug report logs - #521878
nfs-kernel-server: nfs4 mount with sec=krb5 not working cause bad uid mapping


Package: nfs-kernel-server; Maintainer for nfs-kernel-server is Debian kernel team <debian-kernel@lists.debian.org>; Source for nfs-kernel-server is src:nfs-utils.

Reported by: Markus Schulz <msc@antzsystem.de>

Date: Mon, 30 Mar 2009 17:45:02 UTC

Severity: important

Found in versions nfs-utils/1:1.1.4-1, nfs-utils/1:1.2.1-3



Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#521878; Package nfs-kernel-server. (Mon, 30 Mar 2009 17:45:04 GMT)

Acknowledgement sent to Markus Schulz <msc@antzsystem.de>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Mon, 30 Mar 2009 17:45:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Markus Schulz <msc@antzsystem.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nfs-kernel-server: nfs4 mount with sec=krb5 not working cause bad uid mapping
Date: Mon, 30 Mar 2009 19:41:39 +0200
Package: nfs-kernel-server
Version: 1:1.1.4-1
Severity: important

It's impossible to mount an NFSv4 share with Kerberos 5 security on current sid systems.
The problem looks like it comes from here (full log below):
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument

I have found some hints via Google that this problem comes from libnfsidmap2 (http://linux-nfs.org/pipermail/nfsv4/2008-October/009399.html). But the sid version seems to be really old.
I hope this will help to find the bug.

Test setup:
krb5-kdc, NFS server and client on the same machine (for initial testing purposes)

MYREALM.LOCAL and mydomain.local are equal in my test setup.

/etc/krb5.conf 
######################################>%
[libdefaults]
          default_realm = MYREALM.LOCAL
#       dns_lookup_realm = true
#       dns_lookup_kdc = false
[realms]
          MYREALM.LOCAL = {
                    kdc = mythtv.mydomain.local
                      admin_server = mythtv.mydomain.local
                      default_domain = mydomain.local
              }
[domain_realm]
     .mydomain.local = MYREALM.LOCAL
%<#####################################

mythtv:~# klist -e -k /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/mythtv.19.ros.03046.com@19.ROS.03046.COM (DES cbc mode with CRC-32) 
   3 root/mythtv.19.ros.03046.com@19.ROS.03046.COM (DES cbc mode with CRC-32) 

/etc/exports:
/data       gss/krb5p(rw,async,no_subtree_check,nohide,crossmnt)
/           gss/krb5p(fsid=0,rw,async,no_subtree_check,nohide,crossmnt) 


mythtv:~# egrep -v "^#|^$" /etc/default/nfs-* 
/etc/default/nfs-common:NEED_STATD=
/etc/default/nfs-common:STATDOPTS=
/etc/default/nfs-common:NEED_IDMAPD=yes
/etc/default/nfs-common:NEED_GSSD=yes
/etc/default/nfs-common:RPCGSSDOPTS="-vvv -rrr"
/etc/default/nfs-kernel-server:RPCNFSDCOUNT=8
/etc/default/nfs-kernel-server:RPCNFSDPRIORITY=0
/etc/default/nfs-kernel-server:RPCMOUNTDOPTS=--manage-gids
/etc/default/nfs-kernel-server:NEED_SVCGSSD=yes
/etc/default/nfs-kernel-server:RPCSVCGSSDOPTS="-vvv -rrr"


mythtv:~# mount -t nfs4 -o sec=krb5 mythtv:/data /mnt/
mount.nfs4: access denied by server while mounting mythtv:/data


log messages from daemon.log...

Mar 30 19:26:55 mythtv rpc.idmapd[2424]: New client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Opened /var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: handling krb5 upcall 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for 'mythtv.mydomain.local' is 'mythtv.mydomain.local' 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for 'mythtv.mydomain.local' is 'mythtv.mydomain.local' 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Success getting keytab entry for 'root/mythtv.mydomain.local@' 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using FILE:/tmp/krb5cc_machine_MYREALM.LOCAL as credentials cache for machine creds 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYREALM.LOCAL 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context using fsuid 0 (save_uid 0) 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating tcp client for server mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context with server nfs@mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create_default()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: name is 0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: gd->name is 0x96937a8
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_refresh()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: struct rpc_gss_sec: 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      mechanism_OID: { 1 2 134 72 134 247 18 1 2 2 } 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      qop: 0 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      service: 1 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      cred: 0x9690fc0 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      req_flags: 00000002 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_marshal()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_cred: encode success (v 1, proc 1, seq 0, svc 1, ctx (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_wrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success (0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_args: encode success (token 0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: leaving poll 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: handling null request 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sname = root/mythtv.mydomain.local@MYREALM.LOCAL 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sending null reply 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: writing message: [...]
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: finished handling null request 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: entering poll 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_validate()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_unwrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_res decode success (ctx (nil):0, maj 131072, min 0, win 128, token (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create_default: freeing name 0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 for server mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_MYREALM.LOCAL for server mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: doing error downcall 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Failed to write error downcall! 
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Stale client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: ^I-> closed /var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt53 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt52 


msc

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.28.7-nias (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nfs-kernel-server depends on:
ii  libblkid1            1.41.3-1            block device id library
ii  libc6                2.9-6               GNU C Library: Shared libraries
ii  libcomerr2           1.41.3-1            common error description library
ii  libgssglue1          0.1-2               mechanism-switch gssapi library
ii  libkrb53             1.6.dfsg.4~beta1-12 Transitional library package/krb4 
ii  libnfsidmap2         0.21-2              An nfs idmapping library
ii  librpcsecgss3        0.18-1              allows secure rpc communication us
ii  libwrap0             7.6.q-16            Wietse Venema's TCP wrappers libra
ii  lsb-base             3.2-22              Linux Standard Base 3.2 init scrip
ii  nfs-common           1:1.1.4-1           NFS support files common to client
ii  ucf                  3.0018              Update Configuration File: preserv

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information




Message sent on to Markus Schulz <msc@antzsystem.de>:
Bug#521878. (Sun, 19 Apr 2009 22:18:04 GMT)

Message #8 received at 521878-submitter@bugs.debian.org:

From: Clint Adams <schizo@debian.org>
To: 521878-submitter@bugs.debian.org
Subject: nfs id mapping bug
Date: Sun, 19 Apr 2009 22:13:04 +0000
I ran into a similar problem, and putting

Local-Realm = MYREALM.LOCAL

in the [General] section of /etc/idmap.conf on the NFSv4 server solved
the problem.  This is undocumented:

https://bugzilla.linux-nfs.org/show_bug.cgi?id=169
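The two messages above together describe the failure and its fix: svcgssd logs "failed to map name '...' to uid/gid: Invalid argument" because the principal's realm is not one the server's id mapper treats as local, and listing the realm in /etc/idmapd.conf makes the mapping succeed. The script below is an added example, not code from nfs-utils or libnfsidmap. It models only the realm check: it has no built-in default realm list (the real library derives one, and whatever it derived evidently did not match the reporter's setup), so it accepts a principal only when its realm appears under [General] in idmapd.conf. The syslog line and the two idmapd.conf texts are constructed after the ones quoted above; the key name Local-Realm is the one used above, and the plural Local-Realms that current idmapd.conf(5) documents is accepted as well.

```python
"""Diagnose svcgssd's "failed to map name ... Invalid argument" failure.

Added example, not code from nfs-utils or libnfsidmap.  It models one check
the libnfsidmap nss mapper performs before looking a Kerberos principal up in
the password database: the principal's realm must be one the server treats as
local.  This model accepts only realms listed in idmapd.conf (no built-in
default).  Sample log and config texts are constructed.
"""
import re
from configparser import ConfigParser

# Constructed syslog line, same shape as the one quoted in the report.
SAMPLE_LOG = (
    "Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map "
    "name 'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument"
)

# Constructed idmapd.conf: without a local realm, and with the fix applied.
IDMAPD_CONF_BROKEN = """\
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = mydomain.local

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
"""
IDMAPD_CONF_FIXED = IDMAPD_CONF_BROKEN.replace(
    "Domain = mydomain.local",
    "Domain = mydomain.local\nLocal-Realm = MYREALM.LOCAL",
)

_MAP_FAIL = re.compile(r"get_ids: failed to map name '([^']+)' to uid/gid: (.+?)\s*$")


def failed_principals(log_text):
    """(principal, error text) for every get_ids failure line in the log."""
    return [(m.group(1), m.group(2))
            for m in map(_MAP_FAIL.search, log_text.splitlines()) if m]


def split_principal(principal):
    """'root/host@REALM' -> ('root', 'host', 'REALM'); instance may be None."""
    if "@" not in principal:
        raise ValueError("principal without realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    primary, _, instance = name.partition("/")
    return primary, (instance or None), realm


def local_realms(idmapd_conf_text):
    """Realms listed under [General] in idmapd.conf.

    The message above uses the key 'Local-Realm'; current idmapd.conf(5)
    documents 'Local-Realms'.  Both spellings are accepted here.
    """
    cp = ConfigParser(interpolation=None)
    cp.read_string(idmapd_conf_text)
    if not cp.has_section("General"):
        return []
    for key in ("Local-Realms", "Local-Realm"):
        if cp.has_option("General", key):
            return [r.strip() for r in cp.get("General", key).split(",") if r.strip()]
    return []


def realm_is_local(principal, idmapd_conf_text):
    """Model of the realm check whose failure surfaces as EINVAL ('Invalid argument')."""
    return split_principal(principal)[2] in local_realms(idmapd_conf_text)


def diagnose(log_text, idmapd_conf_text):
    """One finding per failing principal whose realm is not local; [] if none."""
    findings = []
    for principal, err in failed_principals(log_text):
        if err != "Invalid argument":
            continue  # other error texts are not the realm problem this script targets
        if not realm_is_local(principal, idmapd_conf_text):
            realm = split_principal(principal)[2]
            findings.append(
                "%s: realm %s is not in Local-Realm(s); add "
                "'Local-Realm = %s' under [General] in /etc/idmapd.conf"
                % (principal, realm, realm))
    return findings


if __name__ == "__main__":
    for conf in (IDMAPD_CONF_BROKEN, IDMAPD_CONF_FIXED):
        print(diagnose(SAMPLE_LOG, conf) or ["no realm problem found"])
```

Run against the server's daemon.log and /etc/idmapd.conf, the script prints the exact line to add; with the fixed configuration it prints nothing, which is the state in which svcgssd can go on to look the principal up and build the context.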




Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#521878; Package nfs-kernel-server. (Fri, 05 Feb 2010 17:51:03 GMT)

Acknowledgement sent to Giorgio Pioda <gfwp@ticino.com>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Fri, 05 Feb 2010 17:51:04 GMT)

Message #13 received at 521878@bugs.debian.org:

From: Giorgio Pioda <gfwp@ticino.com>
To: Debian Bug Tracking System <521878@bugs.debian.org>
Subject: nfs-kernel-server: NFS4 works only with weak encryption (simple DES)
Date: Fri, 05 Feb 2010 18:52:59 +0100
Package: nfs-kernel-server
Version: 1:1.2.1-3
Severity: normal


Hi,

I got sec=krb5p running by putting

allow_weak_crypto = true

in the [libdefaults] section of /etc/krb5.conf.

Apparently it is a regression of bug 413838.

Using ktadd -e des for the nfs keys doesn't provide a solution
(it is an old workaround),
since single DES is no longer accepted by default and such an authentication
will fail unless the allow_weak_crypto option is activated.

I hope to be able to use Triple DES in the near future.

The bug is also registered in Ubuntu Launchpad as 512110.

cheers

Giorgio Pioda aka gfwp

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=it_CH.UTF-8, LC_CTYPE=it_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nfs-kernel-server depends on:
ii  libblkid1              2.16.2-0          block device id library
ii  libc6                  2.10.2-2          GNU C Library: Shared libraries
ii  libcomerr2             1.41.9-1          common error description library
ii  libgssapi-krb5-2       1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - k
ii  libgssglue1            0.1-4             mechanism-switch gssapi library
ii  libk5crypto3           1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - C
ii  libkrb5-3              1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries
ii  libnfsidmap2           0.23-2            An nfs idmapping library
ii  librpcsecgss3          0.19-2            allows secure rpc communication us
ii  libwrap0               7.6.q-18          Wietse Venema's TCP wrappers libra
ii  lsb-base               3.2-23            Linux Standard Base 3.2 init scrip
ii  nfs-common             1:1.2.1-3         NFS support files common to client
ii  ucf                    3.0025            Update Configuration File: preserv

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#521878; Package nfs-kernel-server. (Fri, 31 Dec 2010 15:39:03 GMT)

Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>. (Fri, 31 Dec 2010 15:39:03 GMT)

Message #18 received at 521878@bugs.debian.org:

From: Daniel Pocock <daniel@pocock.com.au>
To: 521878@bugs.debian.org
Subject: adding workaround to README.Debian.nfsv4?
Date: Fri, 31 Dec 2010 16:28:32 +0100


Maybe this workaround needs to be added to the list of tips in:

/usr/share/doc/nfs-common/README.Debian.nfsv4

I've found the same problem

I've been trying to set up NFS4 between a lenny client and squeeze 
server with Kerberos

Client and server logs from Kerberos have the following:

Dec 31 15:04:26 krb5kdc[5336]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) a.b.c.d: ISSUE: authtime , etypes {rep=18 tkt=18 ses=18}, nfs/host@DOM for nfs/host@DOM

Dec 31 15:04:26 krb5kdc[5336]: TGS_REQ (1 etypes {1}) a.b.c.d: BAD_ENCRYPTION_TYPE: authtime 0,  nfs/host@DOM for nfs/host@DOM, KDC has no support for encryption type



When I put

allow_weak_crypto = yes

in /etc/krb5.conf it works immediately.
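The two allow_weak_crypto messages above (message #13 and message #18) show the same picture from two sides: the keytab holds only DES keys, and the KDC log shows one TGS request that offers a full list of enctypes and is issued, followed by a second one that offers only etype 1 (des-cbc-crc) and is rejected with BAD_ENCRYPTION_TYPE. The second request is the one the in-kernel RPCSEC_GSS client makes, and kernels of that era supported only DES for krb5, so the exchange can only succeed if the KDC is allowed to use single DES. The script below is an added example, not code from nfs-utils or MIT Kerberos. It parses KDC TGS_REQ lines, klist -e -k output and the [libdefaults] section of krb5.conf and reports whether the setup depends on single DES and whether krb5.conf permits it. The three sample texts are constructed after the ones quoted in this bug; the enctype numbers are the standard ones from RFC 3961, RFC 3962 and RFC 4757.

```python
"""Which Kerberos enctypes does this NFS/krb5 setup actually rely on?

Added example, not code from nfs-utils or MIT Kerberos.  It reads KDC
TGS_REQ log lines (the enctypes the requesting client offered), 'klist -e -k'
output for the server keytab and krb5.conf, and reports whether the setup can
only work with single DES, i.e. with allow_weak_crypto = true.  Sample texts
are constructed after the ones quoted in the bug.
"""
import re

# Enctype numbers from RFC 3961 section 8, RFC 3962 and RFC 4757.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# Single-DES types: MIT krb5 1.8 and later refuse them unless allow_weak_crypto is set.
WEAK_ETYPES = {1, 2, 3}

# Constructed KDC log, same shape as in the message above (lines unwrapped).
SAMPLE_KDC_LOG = """\
Dec 31 15:04:26 krb5kdc[5336]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) a.b.c.d: ISSUE: authtime , etypes {rep=18 tkt=18 ses=18}, nfs/host@DOM for nfs/host@DOM
Dec 31 15:04:26 krb5kdc[5336]: TGS_REQ (1 etypes {1}) a.b.c.d: BAD_ENCRYPTION_TYPE: authtime 0,  nfs/host@DOM for nfs/host@DOM, KDC has no support for encryption type
"""

# Constructed 'klist -e -k' listing, same shape as the one in the first report.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/mythtv.mydomain.local@MYREALM.LOCAL (DES cbc mode with CRC-32)
   3 root/mythtv.mydomain.local@MYREALM.LOCAL (DES cbc mode with CRC-32)
"""

# Constructed krb5.conf with the workaround from the messages above applied.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = MYREALM.LOCAL
        allow_weak_crypto = true
[realms]
        MYREALM.LOCAL = {
                kdc = mythtv.mydomain.local
        }
"""

_TGS = re.compile(r"TGS_REQ \((\d+) etypes \{([\d ]*)\}\) (\S+): (\w+):")
_KEYTAB = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_kdc_log(text):
    """Each TGS_REQ line -> {'etypes': [int], 'client': str, 'status': str}."""
    out = []
    for line in text.splitlines():
        m = _TGS.search(line)
        if m:
            out.append({"etypes": [int(x) for x in m.group(2).split()],
                        "client": m.group(3), "status": m.group(4)})
    return out


def parse_keytab_listing(text):
    """'klist -e -k' output -> [(kvno, principal, enctype name)]; header lines are skipped."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(_KEYTAB.match, text.splitlines()) if m]


def enctype_name_is_weak(name):
    """True for single-DES entries as klist prints them; Triple DES is not weak here."""
    n = name.lower()
    return n.startswith("des cbc") or n.startswith("des-cbc")


def krb5_conf_allows_weak(text):
    """True if [libdefaults] sets allow_weak_crypto to true/yes/1 (comments stripped)."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip().lower() for s in line.split("=", 1))
            if key == "allow_weak_crypto":
                return value in ("true", "yes", "1")
    return False


def assess(kdc_log_text, keytab_text, krb5_conf_text):
    """Summarise the dependency on single DES and whether krb5.conf permits it."""
    requests = parse_kdc_log(kdc_log_text)
    keys = parse_keytab_listing(keytab_text)
    weak_only = [r for r in requests if r["etypes"] and set(r["etypes"]) <= WEAK_ETYPES]
    weak_keys = [k for k in keys if enctype_name_is_weak(k[2])]
    strong_keys = [k for k in keys if not enctype_name_is_weak(k[2])]
    return {
        "weak_only_requests": len(weak_only),
        "rejected_requests": sum(r["status"] == "BAD_ENCRYPTION_TYPE" for r in requests),
        "weak_keytab_entries": len(weak_keys),
        "strong_keytab_entries": len(strong_keys),
        "needs_allow_weak_crypto": bool(weak_only) or (bool(weak_keys) and not strong_keys),
        "allow_weak_crypto_set": krb5_conf_allows_weak(krb5_conf_text),
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_KDC_LOG, SAMPLE_KEYTAB, SAMPLE_KRB5_CONF).items():
        print("%-24s %s" % (k, v))
```

A client that offers only DES shows up as weak_only_requests > 0 regardless of what the keytab holds; a keytab with nothing but DES keys forces the same dependency even for a client that offers AES. Either condition means the mount will keep failing with BAD_ENCRYPTION_TYPE until allow_weak_crypto is set, or until the client and keytab are both moved to a stronger enctype.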






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:06:56 2014; Machine Name: buxtehude.debian.org