
| sworkhard |
Posted: Jun 16 2011, 08:33 PM
I've been trying to connect to our Secure NFS implementation with krb5 1.9 and NFS3 on SL 6 but I consistently get the error below. This configuration worked fine on SL5.5, and I was able to get it working on FC15, but this keeps failing on the local machine. KRB5.conf and the keytabs appear to be set up correctly, but I still get the following error:

Wireshark indicates that it doesn't try to connect. If anyone can point me in the right direction, or has seen this error before, I'd appreciate your feedback.

Full Log of rpc.gssd -vvvv
| helikaon |
Posted: Jun 20 2011, 10:29 AM
Hi,
just read it, but that gave me no hint so far. Just a few Qs for a start - did you check:
- NFS protocol version on server and client/s (version 3 x 4)
- did you check the firewall - ports stated in /etc/sysconfig/nfs (if 'unhashed' any?), portmapper 111 allowed?
- do you have services nfs, nfslock and rpcbind enabled in correct runlevels?

Also can you post the kerberos configs from server and client .... and also ... anything else in logs ... /var/log/messages nothing? /var/log/secure nothing?? The more you post, the better :-)

p.s. did you look e.g.: secure NFS fedora wiki

cheers,
| sworkhard |
Posted: Jul 4 2011, 05:41 PM
Thanks. I'll try that guide and see if I can pass that test first.
| michiel_ph |
Posted: Sep 13 2011, 10:21 AM
Was this issue resolved somehow? I'm having very similar problems with rpc.gssd and spent the last few days getting it to work properly.
| helikaon |
Posted: Sep 14 2011, 04:43 AM
Hi,
I don't know how this ended for sworkhard, but would be nice to know :-). Anyway, if you'd describe your environment and problems, then we could help ... The NFS is sometimes tricky and also! The default in RHEL 5.5 is NFS v3 and in RHEL 6 is NFS v4, this should be remembered ..

cheers,
| michiel_ph |
Posted: Sep 14 2011, 09:17 AM
Thanks for the response.
My problem is that rpc.gssd crashes with a segfault. The system is a fresh SL-6.1 install with all updates applied. NFSv4 works perfectly with auth=sys, not functional with the desired kerberos auth. I can deal with misconfigurations, not with crashes.

My first question is, did this ever work for someone with SL-6.1 or RHEL-6.1?
| helikaon |
Posted: Sep 14 2011, 09:23 AM
Hi,
can't help much on your Q. since the NFS v.4 is still a bit new for me. I can recommend you use the 'strace' command and see where exactly the binary crashes. It might give us / you a lead where to look for the problem ...

cheers,
| michiel_ph |
Posted: Sep 14 2011, 11:50 AM
Thanks for the advice. The strace output didn't tell me much, posting the tail of it here just in case someone else understands better. In the meantime, I'll continue looking..
| helikaon |
Posted: Sep 14 2011, 02:44 PM
Hi,
try checking the /etc/gssapi_mech.conf and the libraries it mentions, also have a look in the whole strace, if any library mentioned here is missing, try looking for any other 'error' there etc ...

cheers,
| michiel_ph |
Posted: Sep 14 2011, 03:28 PM
Again, thanks for the help.

I guess help from the developers is needed. About half the time rpc.gssd crashes, or I get the error mentioned by the original poster. Without a support contract with RH, it will be virtually impossible to get a developer's attention. Apparently NFSv4 with kerberos isn't used anywhere and therefore not tested.

The gssapi_mech.conf chooses between GSSAPI implementations. In my case kerberos is needed. What I understand from the documentation, the other options are certificates.

I had this working with Fedora-13 and -14 at home. That was broken for the same reason with -15. And now, SL seems to have the same problem.
| helikaon |
Posted: Sep 14 2011, 06:30 PM
Hi,
I found this:

Kerberos issues

Check hostnames
Kerberos requires the hostname/domainname used in the keytab is correct. Run `hostname` and look in /etc/hosts to doublecheck that it is set properly. Compare with what you've listed in your keytab file.

Check keytabs
Run the following command to check your keytab:

Check krb5 ccache file
If you see log messages regarding something like 'FILE:/tmp/krb5cc_machine_FOO.BAR.AD.ROOT', you can review the file after trying to do the mount via:

This will list info about your principals such as the valid/expire dates, encryption types, etc.

This is found at the NFS wiki: NFS wiki

cheers,
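The hostname and keytab comparison quoted in the post above, written out as an added example that is not part of the original post or of the NFS wiki. It assumes the deployment uses `nfs/<fqdn>@REALM` service principals and that the listing comes from MIT Kerberos `klist -ke`; the host `client1.example.org`, the realm `EXAMPLE.ORG` and the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: hostname-vs-keytab check for Kerberized NFS.
# Constructed sample of `klist -ke /etc/krb5.keytab` output; host and realm are hypothetical.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/client1.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 nfs/client1.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 nfs/client1.example.org@EXAMPLE.ORG (des-cbc-crc)'

# keytab_principals LISTING: print "principal enctype" for every key entry,
# skipping the header lines (the first field of an entry is the numeric KVNO).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ {
        enc = $3; gsub(/[()]/, "", enc); print $2, enc }'
}

# check_nfs_principal LISTING FQDN: exit 0 only if nfs/FQDN@<realm> is present.
# The match is exact and case-sensitive, so a short hostname in the keytab fails.
check_nfs_principal() {
    keytab_principals "$1" | awk -v want="nfs/$2@" '
        index($1, want) == 1 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# nfs_enctypes LISTING FQDN: comma-separated enctypes stored for nfs/FQDN.
nfs_enctypes() {
    keytab_principals "$1" | awk -v want="nfs/$2@" '
        index($1, want) == 1 { print $2 }' | sort -u | paste -sd, -
}

# Demo on the constructed sample. On a real machine, pass
# "$(klist -ke /etc/krb5.keytab)" and "$(hostname -f)" instead.
if check_nfs_principal "$SAMPLE_KLIST" client1.example.org; then
    echo "nfs principal found; enctypes: $(nfs_enctypes "$SAMPLE_KLIST" client1.example.org)"
else
    echo "no nfs/<fqdn> principal for this host in the keytab"
fi
```

A keytab that only lists the short hostname, or a hostname with different capitalisation, fails the check, which is the mismatch the hostname step is meant to catch.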
| zzxtty |
Posted: Sep 15 2011, 09:26 AM
I have similar problems with kerberos/nfs not working under 6.1. rpc.gssd will crash for me under certain circumstances, it appears to relate to the number of '-v' I use, '-vv' usually works, '-vvv' usually crashes. I've checked the /etc/gssapi_mech.conf files on a working 6.0 machine vs a problematic 6.1 machine, they are the same.

On a working 6.0 machine I have the following tickets:

On the 6.1 machine:

This tells me that the client machine has failed to get a ticket from the disk server (hawker), but my knowledge of kerberos is limited. It's something I'm trying to get working but haven't been able to get very far, SL6.0 was the only version that has shown any promise of actually working.

I suppose this raises the question, if kerberos/nfs doesn't work, how do people authenticate their NFS clients?
| michiel_ph |
Posted: Sep 15 2011, 09:30 AM
helikaon: Very useful tips indeed.

I wonder whether SL-6.1 supports the stronger encryptions for NFS. In various places I saw instructions to use DES only for NFS. Other places mention newer kernels and/or distros support the stronger encryptions like AES.

Using google, the closest match to our problems seems to be: http://permalink.gmane.org/gmane.linux.nfs/41950 . What a mess...

Anyway, thanks for the help so far.

Mvg, Michiel
| michiel_ph |
Posted: Feb 18 2012, 06:04 PM
With SL-6.2, the problems have disappeared.