
Bug#521878: marked as done (nfs-kernel-server: nfs4 mount with sec=krb5 not working cause bad uid mapping)



Your message dated Sat, 19 Mar 2022 17:24:42 +0100
with message-id <93ee5784bd1d011076afb131ce217f334acf2344.camel@decadent.org.uk>
and subject line Re: nfs-kernel-server: nfs4 mount with sec=krb5 not working cause bad uid mapping
has caused the Debian Bug report #521878,
regarding nfs-kernel-server: nfs4 mount with sec=krb5 not working cause bad uid mapping
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
521878: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521878
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: nfs-kernel-server
Version: 1:1.1.4-1
Severity: important

It's impossible to mount an nfs4 share with kerberos5 security on current sid systems.
The problem looks like it comes from here (full log below):
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument

With Google I have found some hints that this problem comes from libnfsidmap2 (http://linux-nfs.org/pipermail/nfsv4/2008-October/009399.html). But the sid version seems to be really old.
I hope this will help to find the bug.

test setup:
krb5-kdc, nfs-server and client on same machine (for first testing purpose)

MYREALM.LOCAL and mydomain.local are equal in my test setup.

/etc/krb5.conf 
######################################>%
[libdefaults]
          default_realm = MYREALM.LOCAL
#       dns_lookup_realm = true
#       dns_lookup_kdc = false
[realms]
          MYREALM.LOCAL = {
                    kdc = mythtv.mydomain.local
                      admin_server = mythtv.mydomain.local
                      default_domain = mydomain.local
              }
[domain_realm]
     .mydomain.local = MYREALM.LOCAL
%<#####################################

mythtv:~# klist -e -k /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/mythtv.19.ros.03046.com@19.ROS.03046.COM (DES cbc mode with CRC-32) 
   3 root/mythtv.19.ros.03046.com@19.ROS.03046.COM (DES cbc mode with CRC-32) 

/etc/exports:
/data       gss/krb5p(rw,async,no_subtree_check,nohide,crossmnt)
/           gss/krb5p(fsid=0,rw,async,no_subtree_check,nohide,crossmnt) 


mythtv:~# egrep -v "^#|^$" /etc/default/nfs-* 
/etc/default/nfs-common:NEED_STATD=
/etc/default/nfs-common:STATDOPTS=
/etc/default/nfs-common:NEED_IDMAPD=yes
/etc/default/nfs-common:NEED_GSSD=yes
/etc/default/nfs-common:RPCGSSDOPTS="-vvv -rrr"
/etc/default/nfs-kernel-server:RPCNFSDCOUNT=8
/etc/default/nfs-kernel-server:RPCNFSDPRIORITY=0
/etc/default/nfs-kernel-server:RPCMOUNTDOPTS=--manage-gids
/etc/default/nfs-kernel-server:NEED_SVCGSSD=yes
/etc/default/nfs-kernel-server:RPCSVCGSSDOPTS="-vvv -rrr"


mythtv:~# mount -t nfs4 -o sec=krb5 mythtv:/data /mnt/
mount.nfs4: access denied by server while mounting mythtv:/data


log messages from daemon.log...

Mar 30 19:26:55 mythtv rpc.idmapd[2424]: New client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Opened /var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: handling krb5 upcall 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for 'mythtv.mydomain.local' is 'mythtv.mydomain.local' 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for 'mythtv.mydomain.local' is 'mythtv.mydomain.local' 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Success getting keytab entry for 'root/mythtv.mydomain.local@' 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using FILE:/tmp/krb5cc_machine_MYREALM.LOCAL as credentials cache for machine creds 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYREALM.LOCAL 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context using fsuid 0 (save_uid 0) 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating tcp client for server mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context with server nfs@mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create_default()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: name is 0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: gd->name is 0x96937a8
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_refresh()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: struct rpc_gss_sec: 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      mechanism_OID: { 1 2 134 72 134 247 18 1 2 2 } 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      qop: 0 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      service: 1 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      cred: 0x9690fc0 
Mar 30 19:26:55 mythtv rpc.gssd[2428]:      req_flags: 00000002 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_marshal()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_cred: encode success (v 1, proc 1, seq 0, svc 1, ctx (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_wrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success (0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_args: encode success (token 0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: leaving poll 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: handling null request 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sname = root/mythtv.mydomain.local@MYREALM.LOCAL 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sending null reply 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: writing message: \x
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: finished handling null request 
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: entering poll 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_validate()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_unwrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_res decode success (ctx (nil):0, maj 131072, min 0, win 128, token (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create_default: freeing name 0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 for server mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_MYREALM.LOCAL for server mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server mythtv.mydomain.local 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: doing error downcall 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Failed to write error downcall! 
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Stale client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: ^I-> closed /var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt53 
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt52 


msc

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.28.7-nias (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nfs-kernel-server depends on:
ii  libblkid1            1.41.3-1            block device id library
ii  libc6                2.9-6               GNU C Library: Shared libraries
ii  libcomerr2           1.41.3-1            common error description library
ii  libgssglue1          0.1-2               mechanism-switch gssapi library
ii  libkrb53             1.6.dfsg.4~beta1-12 Transitional library package/krb4 
ii  libnfsidmap2         0.21-2              An nfs idmapping library
ii  librpcsecgss3        0.18-1              allows secure rpc communication us
ii  libwrap0             7.6.q-16            Wietse Venema's TCP wrappers libra
ii  lsb-base             3.2-22              Linux Standard Base 3.2 init scrip
ii  nfs-common           1:1.1.4-1           NFS support files common to client
ii  ucf                  3.0018              Update Configuration File: preserv

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information



--- End Message ---
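
Added example (not part of the original report, and not code from nfs-utils or Debian): a small Python cross-check of three artifacts quoted in the report above, namely the krb5.conf default realm, the `klist -e -k` listing and the rpc.svcgssd warning. The function names and finding labels are hypothetical; the check reports inconsistencies between the artifacts and single-DES/RC4 keys, and does not establish the cause of the mapping failure.

```python
import re

# Inputs excerpted from the report above; nothing is read from a live system.
KRB5_CONF = "[libdefaults]\n          default_realm = MYREALM.LOCAL\n"
KLIST = """KVNO Principal
   3 nfs/mythtv.19.ros.03046.com@19.ROS.03046.COM (DES cbc mode with CRC-32)
   3 root/mythtv.19.ros.03046.com@19.ROS.03046.COM (DES cbc mode with CRC-32)
"""
LOG = """Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sname = root/mythtv.mydomain.local@MYREALM.LOCAL
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument
"""
WEAK = ("des cbc", "des-cbc", "arcfour", "rc4")  # single-DES and RC4 enctypes

def default_realm(conf):
    m = re.search(r"^[ \t]*default_realm\s*=\s*(\S+)", conf, re.M)
    return m.group(1) if m else None

def keytab_entries(klist):
    # Lines of the form "<kvno> <principal> (<enctype>)" from `klist -e -k`.
    pat = re.compile(r"^[ \t]*(\d+)[ \t]+(\S+@\S+)[ \t]+\((.+)\)[ \t]*$", re.M)
    return [(int(k), p, e) for k, p, e in pat.findall(klist)]

def failed_names(log):
    pat = re.compile(r"rpc\.svcgssd\[\d+\]: WARNING: get_ids: failed to map name '([^']+)'")
    return sorted(set(pat.findall(log)))

def audit(conf, klist, log):
    """Return (finding, principal) pairs; findings are labels invented for this example."""
    findings, realm = [], default_realm(conf)
    entries = keytab_entries(klist)
    known = {p for _, p, _ in entries}
    for _, princ, etype in entries:
        if princ.rsplit("@", 1)[1] != realm:
            findings.append(("realm-mismatch", princ))   # keytab realm != default_realm
        if any(w in etype.lower() for w in WEAK):
            findings.append(("weak-enctype", princ))     # key should be re-issued with AES
    for name in failed_names(log):
        findings.append(("unmapped", name))              # svcgssd could not map to uid/gid
        if name not in known:
            findings.append(("not-in-keytab", name))     # log and keytab listing disagree
    return findings

if __name__ == "__main__":
    for kind, subject in audit(KRB5_CONF, KLIST, LOG):
        print(f"{kind:16} {subject}")
```
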
--- Begin Message ---
Closing this due to lack of response.

Ben.

-- 
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein


--- End Message ---
