SCIENTIFIC-LINUX-DEVEL Archives

August 2011

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Tue, 2 Aug 2011 11:40:34 -0500
Hi,
There are a few Kerberos bugs in the krb5 libraries that come with SL
6.1.  For whatever reason TUV updated from krb5 1.8 to 1.9, and we've
been picking bugs out of our teeth ever since.

What happens if you leave the nfs-utils as the version in SL 6.1, and
downgrade krb5 to version 1.8 (the version in SL 6.0)?

Troy

On 08/02/2011 11:34 AM, Jonathan G. Underwood wrote:
> Hi,
>
> This is related to my previous mail about rpcsvcgssd possibly being broken
> due to a linking order issue in 6.1.
>
> However, I have also noticed the following problem:
>
> Having upgraded a client machine to 6.1, I am no longer able to mount nfs4
> shares requiring kerberos tickets. If I downgrade just the nfs-utils package
> to nfs-utils-1.2.2-7 from (6.0) then all works again.
>
> More detail: with the -v -v -v options passed to rpcgssd on the client
> machine, I see the following in /var/log/messages for nfs-utils-1.2.3-7:
>
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: dir_notify_handler: sig 37 si
> 0x7fff19c6e2b0 data 0x7fff19c6e180
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: dir_notify_handler: sig 37 si
> 0x7fff19c69770 data 0x7fff19c69640
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: dir_notify_handler: sig 37 si
> 0x7fff19c6e2b0 data 0x7fff19c6e180
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: handling gssd upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clnta)
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: handle_gssd_upcall: 'mech=krb5 uid=0
> enctypes=18,17,16,23,3,1,2 '
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: handling krb5 upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clnta)
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: process_krb5_upcall: service is
> '<null>'
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: Full hostname for
> 'oaxaca.theory.phys.ucl.ac.uk' is 'oaxaca.theory.phys.ucl.ac.uk'
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: Full hostname for
> 'burroughs.theory.phys.ucl.ac.uk' is 'burroughs.theory.phys.ucl.ac.uk'
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: No key table entry found for
> [log in to unmask] while getting keytab entry for [log in to unmask]
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: No key table entry found for
> [log in to unmask] while getting keytab entry for [log in to unmask]
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: Success getting keytab entry for
> [log in to unmask]
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK' are good until 1312383729
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK' are good until 1312383729
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: using
> FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK as credentials cache for machine
> creds
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: using environment variable to select
> krb5 ccache FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: creating context using fsuid 0
> (save_uid 0)
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: ERROR: GSS-API: error in
> gss_set_allowable_enctypes(): GSS_S_NO_CRED (No credentials were supplied, or
> the credentials were unavailable or inaccessible) - Unknown error
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: WARNING: Failed while limiting krb5
> encryption types for user with uid 0
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: WARNING: Failed to create machine
> krb5 context with credentials cache FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK
> for server oaxaca.theory.phys.ucl.ac.uk
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: WARNING: Machine cache is prematurely
> expired or corrupted trying to recreate cache for server
> oaxaca.theory.phys.ucl.ac.uk
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: Full hostname for
> 'oaxaca.theory.phys.ucl.ac.uk' is 'oaxaca.theory.phys.ucl.ac.uk'
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: Full hostname for
> 'burroughs.theory.phys.ucl.ac.uk' is 'burroughs.theory.phys.ucl.ac.uk'
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: No key table entry found for
> [log in to unmask] while getting keytab entry for [log in to unmask]
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: No key table entry found for
> [log in to unmask] while getting keytab entry for [log in to unmask]
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: Success getting keytab entry for
> [log in to unmask]
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK' are good until 1312383729
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK' are good until 1312383729
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: using
> FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK as credentials cache for machine
> creds
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: using environment variable to select
> krb5 ccache FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: creating context using fsuid 0
> (save_uid 0)
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: ERROR: GSS-API: error in
> gss_set_allowable_enctypes(): GSS_S_NO_CRED (No credentials were supplied, or
> the credentials were unavailable or inaccessible) - Unknown error
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: WARNING: Failed while limiting krb5
> encryption types for user with uid 0
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: WARNING: Failed to create machine
> krb5 context with credentials cache FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK
> for server oaxaca.theory.phys.ucl.ac.uk
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: WARNING: Failed to create machine
> krb5 context with any credentials cache for server
> oaxaca.theory.phys.ucl.ac.uk
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: doing error downcall
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: dir_notify_handler: sig 37 si
> 0x7fff19c6dd70 data 0x7fff19c6dc40
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: dir_notify_handler: sig 37 si
> 0x7fff19c6e2b0 data 0x7fff19c6e180
> Aug  2 16:19:58 burroughs rpc.gssd[3390]: dir_notify_handler: sig 37 si
> 0x7fff19c6e2b0 data 0x7fff19c6e180
>
>
> Downgrading to nfs-utils-1.2.2-7 from rhel 6.0 and restarting rpcgssd I see
> success and the following in /var/log/messages:
>
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: handling gssd upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clntc)
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: handle_gssd_upcall: 'mech=krb5 uid=0
> enctypes=18,17,16,23,3,1,2 '
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: handling krb5 upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clntc)
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: process_krb5_upcall: service is
> '<null>'
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: Full hostname for
> 'oaxaca.theory.phys.ucl.ac.uk' is 'oaxaca.theory.phys.ucl.ac.uk'
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: Full hostname for
> 'burroughs.theory.phys.ucl.ac.uk' is 'burroughs.theory.phys.ucl.ac.uk'
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: No key table entry found for
> [log in to unmask] while getting keytab
> entry for [log in to unmask]
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: Success getting keytab entry for
> [log in to unmask]
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: Successfully obtained machine
> credentials for principal
> [log in to unmask] stored in ccache
> 'FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK'
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK' are good until 1312385205
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: using
> FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK as credentials cache for machine
> creds
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: using environment variable to select
> krb5 ccache FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: creating context using fsuid 0
> (save_uid 0)
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: creating tcp client for server
> oaxaca.theory.phys.ucl.ac.uk
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: DEBUG: port already set to 2049
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: creating context with server
> [log in to unmask]
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: DEBUG: serialize_krb5_ctx: lucid
> version!
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: prepare_krb5_rfc4121_buffer: protocol
> 1
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: prepare_krb5_rfc4121_buffer:
> serializing key with enctype 18 and size 32
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: doing downcall
> Aug  2 16:26:45 burroughs kernel: Intel AES-NI instructions are not detected.
> Aug  2 16:26:45 burroughs kernel: padlock: VIA PadLock not detected.
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: destroying client
> /var/lib/nfs/rpc_pipefs/nfs/clntd
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: handling gssd upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clntc)
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: handle_gssd_upcall: 'mech=krb5
> uid=10000 enctypes=18,17,16,23,3,1,2 '
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: handling krb5 upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clntc)
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: process_krb5_upcall: service is
> '<null>'
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: getting credentials for client with
> uid 10000 for server oaxaca.theory.phys.ucl.ac.uk
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: CC file
> '/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK' being considered, with preferred
> realm 'THEORY.PHYS.UCL.AC.UK'
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: CC file
> '/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK' owned by 0, not 10000
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: CC file '/tmp/krb5cc_10000_VsfDdR'
> being considered, with preferred realm 'THEORY.PHYS.UCL.AC.UK'
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: CC file
> '/tmp/krb5cc_10000_VsfDdR'([log in to unmask]) passed all checks and has
> mtime of 1312298804
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: CC file '/tmp/krb5cc_0' being
> considered, with preferred realm 'THEORY.PHYS.UCL.AC.UK'
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: CC file '/tmp/krb5cc_0' owned by 0,
> not 10000
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: using FILE:/tmp/krb5cc_10000_VsfDdR
> as credentials cache for client with uid 10000 for server
> oaxaca.theory.phys.ucl.ac.uk
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: using environment variable to select
> krb5 ccache FILE:/tmp/krb5cc_10000_VsfDdR
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: creating context using fsuid 10000
> (save_uid 0)
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: creating tcp client for server
> oaxaca.theory.phys.ucl.ac.uk
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: DEBUG: port already set to 2049
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: creating context with server
> [log in to unmask]
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: DEBUG: serialize_krb5_ctx: lucid
> version!
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: prepare_krb5_rfc4121_buffer: protocol
> 1
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: prepare_krb5_rfc4121_buffer:
> serializing key with enctype 18 and size 32
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: doing downcall
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: handling gssd upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clntc)
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: handle_gssd_upcall: 'mech=krb5 uid=0
> service=* enctypes=18,17,16,23,3,1,2 '
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: handling krb5 upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clntc)
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: process_krb5_upcall: service is '*'
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: Full hostname for
> 'oaxaca.theory.phys.ucl.ac.uk' is 'oaxaca.theory.phys.ucl.ac.uk'
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: Full hostname for
> 'burroughs.theory.phys.ucl.ac.uk' is 'burroughs.theory.phys.ucl.ac.uk'
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: No key table entry found for
> [log in to unmask] while getting keytab
> entry for [log in to unmask]
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: Success getting keytab entry for
> [log in to unmask]
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK' are good until 1312385205
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK' are good until 1312385205
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: using
> FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK as credentials cache for machine
> creds
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: using environment variable to select
> krb5 ccache FILE:/tmp/krb5cc_machine_THEORY.PHYS.UCL.AC.UK
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: creating context using fsuid 0
> (save_uid 0)
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: creating tcp client for server
> oaxaca.theory.phys.ucl.ac.uk
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: DEBUG: port already set to 2049
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: creating context with server
> [log in to unmask]
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: DEBUG: serialize_krb5_ctx: lucid
> version!
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: prepare_krb5_rfc4121_buffer: protocol
> 1
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: prepare_krb5_rfc4121_buffer:
> serializing key with enctype 18 and size 32
> Aug  2 16:26:45 burroughs rpc.gssd[4626]: doing downcall


-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/SCF/FEF/SLSMS Group
__________________________________________________
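
Added example, not part of the original thread: a small Python triage script that groups `rpc.gssd -v -v -v` output per upcall and records whether each one ended in a normal or an error downcall, so the failing and working runs quoted above can be compared side by side. The sample lines are condensed and unwrapped from the quoted log; the function name and record fields are hypothetical.

```python
import re

# Sample input: condensed and unwrapped from the rpc.gssd output quoted above.
SAMPLE = """\
Aug  2 16:19:58 burroughs rpc.gssd[3390]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnta)
Aug  2 16:19:58 burroughs rpc.gssd[3390]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Aug  2 16:19:58 burroughs rpc.gssd[3390]: ERROR: GSS-API: error in gss_set_allowable_enctypes(): GSS_S_NO_CRED (No credentials were supplied, or the credentials were unavailable or inaccessible) - Unknown error
Aug  2 16:19:58 burroughs rpc.gssd[3390]: doing error downcall
Aug  2 16:26:45 burroughs rpc.gssd[4626]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clntc)
Aug  2 16:26:45 burroughs rpc.gssd[4626]: handle_gssd_upcall: 'mech=krb5 uid=10000 enctypes=18,17,16,23,3,1,2 '
Aug  2 16:26:45 burroughs rpc.gssd[4626]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Aug  2 16:26:45 burroughs rpc.gssd[4626]: doing downcall
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ rpc\.gssd\[(\d+)\]: (.*)$")
UPCALL = re.compile(r"handle_gssd_upcall: 'mech=(\S+) uid=(\d+).*?enctypes=([\d,]+)")
GSS_ERR = re.compile(r"ERROR: GSS-API: error in (\w+)\(\): (\w+)")
KEY = re.compile(r"serializing key with enctype (\d+)")

def summarize(text):
    """Return one dict per gssd upcall: pid, uid, offered enctypes, outcome."""
    upcalls, current = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an rpc.gssd line (e.g. kernel messages)
        pid, msg = int(m.group(1)), m.group(2)
        if msg.startswith("handling gssd upcall"):
            current[pid] = {"pid": pid, "uid": None, "offered": [], "errors": [], "enctype": None, "ok": None}
            upcalls.append(current[pid])
            continue
        rec = current.get(pid)
        if rec is None:
            continue  # output seen before the first upcall of this pid
        if (u := UPCALL.search(msg)):
            rec["uid"] = int(u.group(2))
            rec["offered"] = [int(e) for e in u.group(3).split(",")]
        elif (e := GSS_ERR.search(msg)):
            rec["errors"].append((e.group(1), e.group(2)))  # (GSS call, status)
        elif (k := KEY.search(msg)):
            rec["enctype"] = int(k.group(1))  # enctype of the serialized key
        elif msg == "doing error downcall":
            rec["ok"] = False
        elif msg == "doing downcall":
            rec["ok"] = True
    return upcalls

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The script expects one syslog record per line, so mail-wrapped logs like the ones quoted here need to be unwrapped first.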
