# nfs4 kerberos

## nox23

Hello

I can't manage to get NFSv4 + Kerberos working.

So, does anybody know how to make it work?

The Gentoo client with NFSv4 + Kerberos hangs forever:

On the client, tailf /var/log/messages:

```
Feb 24 10:56:01 falbala rpc.gssd[7186]: beginning poll
Feb 24 10:56:12 falbala /etc/init.d/rpc.pipefs[7202]: WARNING: rpc.pipefs has already been started
Feb 24 10:56:18 falbala /etc/init.d/nfsmount[7203]: WARNING: nfsmount has already been started
Feb 24 10:56:22 falbala rpc.gssd[7186]: dir_notify_handler: sig 37 si 0x7fff04fa3bb0 data 0x7fff04fa3a80
Feb 24 10:56:22 falbala rpc.gssd[7186]: dir_notify_handler: sig 37 si 0x7fff04fa3bb0 data 0x7fff04fa3a80
Feb 24 10:56:22 falbala rpc.gssd[7186]: dir_notify_handler: sig 37 si 0x7fff04fa3bb0 data 0x7fff04fa3a80
Feb 24 10:56:22 falbala rpc.gssd[7186]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Feb 24 10:56:22 falbala rpc.gssd[7186]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Feb 24 10:56:22 falbala rpc.gssd[7186]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Feb 24 10:56:22 falbala rpc.gssd[7186]: process_krb5_upcall: service is '<null>'
Feb 24 10:56:22 falbala rpc.gssd[7186]: Full hostname for 'blanche-neige.noxy.local' is 'blanche-neige.noxy.local'
Feb 24 10:56:22 falbala rpc.gssd[7186]: Full hostname for 'falbala.noxy.local' is 'falbala.noxy.local'
Feb 24 10:56:22 falbala rpc.gssd[7186]: No key table entry found for FALBALA$@NOXY.LOCAL while getting keytab entry for 'FALBALA$@NOXY.LOCAL'
Feb 24 10:56:22 falbala rpc.gssd[7186]: No key table entry found for root/falbala.noxy.local@NOXY.LOCAL while getting keytab entry for 'root/falbala.noxy.local@NOXY.LOCAL'
Feb 24 10:56:22 falbala rpc.gssd[7186]: Success getting keytab entry for 'nfs/falbala.noxy.local@NOXY.LOCAL'
Feb 24 10:56:22 falbala rpc.gssd[7186]: Successfully obtained machine credentials for principal 'nfs/falbala.noxy.local@NOXY.LOCAL' stored in ccache 'FILE:/tmp/krb5cc_machine_NOXY.LOCAL'
Feb 24 10:56:22 falbala rpc.gssd[7186]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_NOXY.LOCAL' are good until 1361735781
Feb 24 10:56:22 falbala rpc.gssd[7186]: using FILE:/tmp/krb5cc_machine_NOXY.LOCAL as credentials cache for machine creds
Feb 24 10:56:22 falbala rpc.gssd[7186]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_NOXY.LOCAL
Feb 24 10:56:22 falbala rpc.gssd[7186]: creating context using fsuid 0 (save_uid 0)
Feb 24 10:56:22 falbala rpc.gssd[7186]: creating tcp client for server blanche-neige.noxy.local
Feb 24 10:56:22 falbala rpc.gssd[7186]: DEBUG: port already set to 2049
Feb 24 10:56:22 falbala rpc.gssd[7186]: creating context with server nfs@blanche-neige.noxy.local
Feb 24 10:56:22 falbala rpc.gssd[7186]: DEBUG: serialize_krb5_ctx: lucid version!
Feb 24 10:56:22 falbala rpc.gssd[7186]: prepare_krb5_rfc4121_buffer: protocol 1
Feb 24 10:56:22 falbala rpc.gssd[7186]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Feb 24 10:56:22 falbala rpc.gssd[7186]: doing downcall
Feb 24 10:56:22 falbala kernel: sha1_ssse3: Using AVX optimized SHA-1 implementation
```

On the server, tailf /var/log/daemon/log:

```
Feb 24 10:53:31 blanche-neige /etc/init.d/nfs[6584]: WARNING: nfs has already been started
Feb 24 10:53:39 blanche-neige /etc/init.d/rpc.idmapd[6585]: WARNING: rpc.idmapd has already been started
Feb 24 10:53:58 blanche-neige /etc/init.d/rpc.svcgssd[6600]: WARNING: rpc.svcgssd has already been started
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: leaving poll
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: handling null request
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: sname = nfs/falbala.noxy.local@NOXY.LOCAL
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: DEBUG: serialize_krb5_ctx: lucid version!
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: prepare_krb5_rfc4121_buffer: protocol 1
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: doing downcall
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1361735781 (35990 from now), clnt: nfs@falbala.noxy.local, uid: -1, gid: -1, num aux grps: 0:
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: sending null reply
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: finished handling null request
Feb 24 10:56:31 blanche-neige rpc.svcgssd[2672]: entering poll
```

The command:

```
10:56 root@falbala ~# mount -vvv -t nfs4 -o sec=krb5 blanche-neige.noxy.local:/  /home_nfsv4
mount: fstab path: "/etc/fstab"
mount: mtab path:  "/etc/mtab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
mount: UID:        0
mount: eUID:       0
mount: spec:  "blanche-neige.noxy.local:/"
mount: node:  "/home_nfsv4"
mount: types: "nfs4"
mount: opts:  "sec=krb5"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "blanche-neige.noxy.local:/"
mount: external mount: argv[2] = "/home_nfsv4"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Sun Feb 24 10:58:22 2013
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.0.1,clientaddr=192.168.0.51'
```

It hangs forever.

NFSv4 without Kerberos is working.

Kerberos is working (getting a ticket).

The rpcsec_gss_krb5 module is loaded.

My krb5.conf:

```
[libdefaults]
        default_realm = NOXY.LOCAL
        forwardable = true
        renew_lifetime = 3days
        allow_weak_crypto = true

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
        NOXY.LOCAL = {
                kdc = gavroche.noxy.local
                admin_server = gavroche.noxy.local
        }

[domain_realm]
        .noxy.local = NOXY.LOCAL
        noxy.local = NOXY.LOCAL

[logging]
        kdc = CONSOLE
```

SERVER

```
root@blanche-neige /home/backup# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2  nfs/blanche-neige.noxy.local@NOXY.LOCAL (des-cbc-crc)
```

CLIENT

```
root@falbala ~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2        nfs/falbala.noxy.local@NOXY.LOCAL (des-cbc-crc)
ktutil:
```

Any advice?

----------

## nox23

The solution was to downgrade to "net-fs/nfs-utils-1.2.5".

All works great now.

I filed a bug here: https://bugs.gentoo.org/show_bug.cgi?id=460308

----------
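An added example, not part of the original posts or of nfs-utils: a small Python audit of the Kerberos encryption types visible in the first post's diagnostics (the upcall enctype list, the `ktutil list -e` output and the `allow_weak_crypto` setting). The function names are hypothetical, and the sample strings are excerpts of the output posted above.

```python
import re

# Kerberos enctype numbers (IANA registry) seen in the gssd upcall above.
ENCTYPES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
            16: "des3-cbc-sha1", 23: "arcfour-hmac",
            3: "des-cbc-md5", 1: "des-cbc-crc", 2: "des-cbc-md4"}
SINGLE_DES = {1, 2, 3}   # deprecated by RFC 6649
LEGACY = {16, 23}        # 3DES and RC4, deprecated by RFC 8429
NAME_TO_NUM = {name: num for num, name in ENCTYPES.items()}

def upcall_enctypes(log):
    """Enctype numbers listed in an rpc.gssd 'handle_gssd_upcall' line."""
    m = re.search(r"handle_gssd_upcall:.*?enctypes=([\d,]+)", log)
    return [int(n) for n in m.group(1).split(",")] if m else []

def context_enctype(log):
    """Enctype of the key serialized for the kernel GSS context, if logged."""
    m = re.search(r"serializing key with enctype (\d+)", log)
    return int(m.group(1)) if m else None

def keytab_entries(ktutil_out):
    """(principal, enctype name) pairs from `ktutil list -e` output."""
    return re.findall(r"^\s*\d+\s+\d+\s+(\S+@\S+)\s+\(([^)]+)\)", ktutil_out, re.M)

def audit(log, ktutil_out, krb5_conf):
    """Findings about deprecated enctypes in the three inputs."""
    findings = []
    for princ, name in keytab_entries(ktutil_out):
        if NAME_TO_NUM.get(name) in SINGLE_DES:
            findings.append(f"keytab: {princ} has a single-DES key ({name})")
    weak = [ENCTYPES.get(n, str(n)) for n in upcall_enctypes(log)
            if n in SINGLE_DES | LEGACY]
    if weak:
        findings.append("upcall: deprecated enctypes offered: " + ", ".join(weak))
    if re.search(r"^\s*allow_weak_crypto\s*=\s*(true|yes|on|1)\b", krb5_conf, re.M | re.I):
        findings.append("krb5.conf: allow_weak_crypto is enabled")
    return findings

# Excerpts copied from the first post (client log, client keytab, krb5.conf).
LOG = ("handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '\n"
       "prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32\n")
KEYTAB = ("slot KVNO Principal\n"
          "   1    2        nfs/falbala.noxy.local@NOXY.LOCAL (des-cbc-crc) \n")
CONF = "[libdefaults]\n        allow_weak_crypto = true\n"

if __name__ == "__main__":
    print("context key enctype:", ENCTYPES[context_enctype(LOG)])
    for finding in audit(LOG, KEYTAB, CONF):
        print("-", finding)
```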

