Your message dated Sat, 19 Mar 2022 17:24:42 +0100 with message-id <93ee5784bd1d011076afb131ce217f334acf2344.camel@decadent.org.uk> and subject line Re: nfs-kernel-server: nfs4 mount with sec=krb5 not working cause bad uid mapping has caused the Debian Bug report #521878, regarding nfs-kernel-server: nfs4 mount with sec=krb5 not working cause bad uid mapping to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
521878: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521878
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: nfs-kernel-server: nfs4 mount with sec=krb5 not working cause bad uid mapping
- From: Markus Schulz <msc@antzsystem.de>
- Date: Mon, 30 Mar 2009 19:41:39 +0200
- Message-id: <20090330174139.30348.63724.reportbug@mythtv.19.ros.03046.com>
Package: nfs-kernel-server
Version: 1:1.1.4-1
Severity: important

It's impossible to mount an nfs4 share with kerberos5 security on current sid systems.

The problem looks like it comes from here (full log below):

Mar 30 19:26:55 gythtv rpc.svcgssd[g379]: WARNING: get_ids: failed to map name 'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument

I have found some hints with Google that this problem comes from libnfsidmap2 (http://linux-nfs.org/pipermail/nfsv4/2008-October/009399.html). But the sid version seems to be really old.

I hope this will help to find the bug.

Test setup:
krb5-kdc, nfs-server and client on same machine (for first testing purpose)
MYREALM.LOCAL and mydomain.local are equal in my test setup.

/etc/krb5.conf
######################################>%
[libdefaults]
default_realm = MYREALM.LOCAL
# dns_lookup_realm = true
# dns_lookup_kdc = false

[realms]
MYREALM.LOCAL = {
kdc = mythtv.mydomain.local
admin_server = mythtv.mydomain.local
default_domain = mydomain.local
}

[domain_realm]
.mydomain.local = MYREALM.LOCAL
%<#####################################

mythtv:~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/mythtv.19.ros.03046.com@19.ROS.03046.COM (DES cbc mode with CRC-32)
   3 root/mythtv.19.ros.03046.com@19.ROS.03046.COM (DES cbc mode with CRC-32)

/etc/exports:
/data gss/krb5p(rw,async,no_subtree_check,nohide,crossmnt)
/ gss/krb5p(fsid=0,rw,async,no_subtree_check,nohide,crossmnt)

mythtv:~# egrep -v "^#|^$" /etc/default/nfs-*
/etc/default/nfs-common:NEED_STATD=
/etc/default/nfs-common:STATDOPTS=
/etc/default/nfs-common:NEED_IDMAPD=yes
/etc/default/nfs-common:NEED_GSSD=yes
/etc/default/nfs-common:RPCGSSDOPTS="-vvv -rrr"
/etc/default/nfs-kernel-server:RPCNFSDCOUNT=8
/etc/default/nfs-kernel-server:RPCNFSDPRIORITY=0
/etc/default/nfs-kernel-server:RPCMOUNTDOPTS=--manage-gids
/etc/default/nfs-kernel-server:NEED_SVCGSSD=yes
/etc/default/nfs-kernel-server:RPCSVCGSSDOPTS="-vvv -rrr"

mythtv:~# mount -t nfs4 -o sec=krb5 mythtv:/data /mnt/
mount.nfs4: access denied by server while mounting mythtv:/data

Log messages from daemon.log...

Mar 30 19:26:55 mythtv rpc.idmapd[2424]: New client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Opened /var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: handling krb5 upcall
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for 'mythtv.mydomain.local' is 'mythtv.mydomain.local'
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Full hostname for 'mythtv.mydomain.local' is 'mythtv.mydomain.local'
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Success getting keytab entry for 'root/mythtv.mydomain.local@'
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941
Mar 30 19:26:55 mythtv rpc.gssd[2428]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYREALM.LOCAL' are good until 1238469941
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using FILE:/tmp/krb5cc_machine_MYREALM.LOCAL as credentials cache for machine creds
Mar 30 19:26:55 mythtv rpc.gssd[2428]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYREALM.LOCAL
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context using fsuid 0 (save_uid 0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating tcp client for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context with server nfs@mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create_default()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_create()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: name is 0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create: gd->name is 0x96937a8
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_refresh()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: struct rpc_gss_sec:
Mar 30 19:26:55 mythtv rpc.gssd[2428]: mechanism_OID: { 1 2 134 72 134 247 18 1 2 2 }
Mar 30 19:26:55 mythtv rpc.gssd[2428]: qop: 0
Mar 30 19:26:55 mythtv rpc.gssd[2428]: service: 1
Mar 30 19:26:55 mythtv rpc.gssd[2428]: cred: 0x9690fc0
Mar 30 19:26:55 mythtv rpc.gssd[2428]: req_flags: 00000002
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_marshal()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_cred: encode success (v 1, proc 1, seq 0, svc 1, ctx (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_wrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: encode success (0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_args: encode success (token 0x96954a8:531)
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: leaving poll
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: handling null request
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sname = root/mythtv.mydomain.local@MYREALM.LOCAL
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sending null reply
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: writing message: \x
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: finished handling null request
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: entering poll
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_validate()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: in authgss_unwrap()
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_buf: decode success ((nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: xdr_rpc_gss_init_res decode success (ctx (nil):0, maj 131072, min 0, win 128, token (nil):0)
Mar 30 19:26:55 mythtv rpc.gssd[2428]: authgss_create_default: freeing name 0x9691488
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_MYREALM.LOCAL for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: doing error downcall
Mar 30 19:26:55 mythtv rpc.gssd[2428]: Failed to write error downcall!
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: Stale client: 52
Mar 30 19:26:55 mythtv rpc.idmapd[2424]: ^I-> closed /var/lib/nfs/rpc_pipefs/nfs/clnt52/idmap
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt53
Mar 30 19:26:55 mythtv rpc.gssd[2428]: destroying client clnt52

msc

-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.28.7-nias (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nfs-kernel-server depends on:
ii libblkid1 1.41.3-1 block device id library
ii libc6 2.9-6 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libgssglue1 0.1-2 mechanism-switch gssapi library
ii libkrb53 1.6.dfsg.4~beta1-12 Transitional library package/krb4
ii libnfsidmap2 0.21-2 An nfs idmapping library
ii librpcsecgss3 0.18-1 allows secure rpc communication us
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-22 Linux Standard Base 3.2 init scrip
ii nfs-common 1:1.1.4-1 NFS support files common to client
ii ucf 3.0018 Update Configuration File: preserv

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information
--- End Message ---
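
The log in the report above shows two sides of one failure: rpc.svcgssd cannot map the client's principal to a uid/gid, and rpc.gssd then fails to create a krb5 context. The Python below is an added example (not part of the bug report or of nfs-utils) that pairs those two messages per host and second; the sample lines are constructed in the report's log format, and the names `split_principal` and `triage` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the daemon.log excerpt above.
SAMPLE_LOG = """\
Mar 30 19:26:55 mythtv rpc.gssd[2428]: creating context with server nfs@mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: sname = root/mythtv.mydomain.local@MYREALM.LOCAL
Mar 30 19:26:55 mythtv rpc.svcgssd[2379]: WARNING: get_ids: failed to map name 'root/mythtv.mydomain.local@MYREALM.LOCAL' to uid/gid: Invalid argument
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 for server mythtv.mydomain.local
Mar 30 19:26:55 mythtv rpc.gssd[2428]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server mythtv.mydomain.local
Mar 30 19:27:10 mythtv rpc.idmapd[2424]: New client: 53
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([\w.]+)\[\d+\]:\s(.*)$")
MAP_FAIL = re.compile(r"get_ids: failed to map name '([^']+)' to uid/gid: (.+)$")
CTX_FAIL = re.compile(r"Failed to create krb5 context for user with uid (\d+)\b.* for server (\S+)$")

def split_principal(name):
    """Split primary/instance@REALM; instance and realm may be empty."""
    rest, sep, realm = name.rpartition("@")
    if not sep:
        rest, realm = name, ""
    primary, _, instance = rest.partition("/")
    return primary, instance, realm

def triage(text):
    """Pair each server-side mapping failure with the client-side context
    failures logged on the same host in the same second."""
    map_fails, ctx_fails = [], defaultdict(list)
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, host, prog, msg = m.groups()
        if prog == "rpc.svcgssd" and (f := MAP_FAIL.search(msg)):
            map_fails.append((ts, host, f.group(1), f.group(2)))
        elif prog == "rpc.gssd" and (c := CTX_FAIL.search(msg)):
            pair = (c.group(1), c.group(2))
            if pair not in ctx_fails[(ts, host)]:  # gssd logs one line per cache tried
                ctx_fails[(ts, host)].append(pair)
    return [
        {"time": ts, "host": host, "principal": split_principal(name),
         "error": err, "client_failures": ctx_fails.get((ts, host), [])}
        for ts, host, name, err in map_fails
    ]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Matching on host and second only works when client and server log to the same file, as in the single-machine test setup the report describes.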
--- Begin Message ---
- To: 521878-done@bugs.debian.org
- Subject: Re: nfs-kernel-server: nfs4 mount with sec=krb5 not working cause bad uid mapping
- From: Ben Hutchings <ben@decadent.org.uk>
- Date: Sat, 19 Mar 2022 17:24:42 +0100
- Message-id: <93ee5784bd1d011076afb131ce217f334acf2344.camel@decadent.org.uk>
- In-reply-to: <20090330174139.30348.63724.reportbug@mythtv.19.ros.03046.com>
- References: <20090330174139.30348.63724.reportbug@mythtv.19.ros.03046.com>
Closing this due to lack of response.

Ben.

--
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein

Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---