# NFSv4 krb5 and no credentials error

## ismell

Hello,

I'm trying to get NFSv4 to play nice with krb5.

I have krb installed and configured correctly (I think?).

I can do a kinit as root and I get back the following

```
devbox linux # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: devbox$@AD.ISMELL.ORG

Valid starting     Expires            Service principal
02/03/12 16:12:15  02/04/12 02:12:10  krbtgt/AD.ISMELL.ORG@AD.ISMELL.ORG
        renew until 02/04/12 02:12:15
02/03/12 16:12:13  02/04/12 02:12:10  ldap/oracle.ad.ismell.org@AD.ISMELL.ORG
        renew until 02/04/12 02:12:15
```

I have the following keytab

```
devbox linux # klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 devbox$@AD.ISMELL.ORG (des-cbc-crc)
   2 devbox$@AD.ISMELL.ORG (des-cbc-md5)
   2 devbox$@AD.ISMELL.ORG (arcfour-hmac)
   2 devbox$@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 devbox$@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
```

The problem happens when I try to mount an NFS share.

I get the following:

```
devbox linux # mount.nfs4 staypuft:/volumes/storage/iso /tmp/iso -o sec=krb5 -vvv
mount.nfs4: timeout set for Fri Feb  3 17:16:10 2012
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.254,clientaddr=10.0.0.105'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting staypuft:/volumes/storage/iso
```

When looking at the logs I see this

```
Feb  3 17:10:16 devbox rpc.gssd[13207]: dir_notify_handler: sig 37 si 0xbfd429cc data 0xbfd42a4c
Feb  3 17:10:16 devbox rpc.gssd[13207]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt10)
Feb  3 17:10:16 devbox rpc.gssd[13207]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Feb  3 17:10:16 devbox rpc.gssd[13207]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt10)
Feb  3 17:10:16 devbox rpc.gssd[13207]: process_krb5_upcall: service is '<null>'
Feb  3 17:10:16 devbox rpc.gssd[13207]: Full hostname for 'staypuft.ad.ismell.org' is 'staypuft.ad.ismell.org'
Feb  3 17:10:16 devbox rpc.gssd[13207]: Full hostname for 'devbox.ad.ismell.org' is 'devbox.ad.ismell.org'
Feb  3 17:10:16 devbox rpc.gssd[13207]: Success getting keytab entry for 'root/devbox.ad.ismell.org@AD.ISMELL.ORG'
Feb  3 17:10:16 devbox rpc.gssd[13207]: WARNING: Client not found in Kerberos database while getting initial ticket for principal 'root/devbox.ad.ismell.org@AD.ISMELL.ORG' using keytab 'WRFILE:/etc/krb5.keytab'
Feb  3 17:10:16 devbox rpc.gssd[13207]: ERROR: No credentials found for connection to server staypuft.ad.ismell.org
Feb  3 17:10:16 devbox rpc.gssd[13207]: doing error downcall
Feb  3 17:10:16 devbox rpc.gssd[13207]: dir_notify_handler: sig 37 si 0xbfd429cc data 0xbfd42a4c
Feb  3 17:10:16 devbox rpc.gssd[13207]: dir_notify_handler: sig 37 si 0xbfd429cc data 0xbfd42a4c
Feb  3 17:10:16 devbox rpc.gssd[13207]: dir_notify_handler: sig 37 si 0xbfd429cc data 0xbfd42a4c
Feb  3 17:10:16 devbox rpc.gssd[13207]: dir_notify_handler: sig 37 si 0xbfd429cc data 0xbfd42a4c
Feb  3 17:10:16 devbox rpc.gssd[13207]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt10
```

I don't know why I keep getting a "no credentials found" error. I don't know how else to debug this. If anyone has any idea on how to fix this, or just some tips on what else I can try, that would really help.

Thanks,

Raul

----------

## ismell

So I updated to nfs-utils 1.2.5 and changed my keytab like so.

```
devbox nfs-utils-1.2.3 # klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 DEVBOX$@AD.ISMELL.ORG (des-cbc-crc)
   2 DEVBOX$@AD.ISMELL.ORG (des-cbc-md5)
   2 DEVBOX$@AD.ISMELL.ORG (arcfour-hmac)
   2 DEVBOX$@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 DEVBOX$@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 host/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 nfs/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 root/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-crc)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (des-cbc-md5)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (arcfour-hmac)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (aes128-cts-hmac-sha1-96)
   2 HTTP/devbox.ad.ismell.org@AD.ISMELL.ORG (aes256-cts-hmac-sha1-96)
```

* I made the computer name capital.

Now I get this in my logs

```
Feb  4 12:41:08 devbox rpc.gssd[13014]: dir_notify_handler: sig 37 si 0xbf9f2cac data 0xbf9f2d2c
Feb  4 12:41:08 devbox rpc.gssd[13014]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt15)
Feb  4 12:41:08 devbox rpc.gssd[13014]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Feb  4 12:41:08 devbox rpc.gssd[13014]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt15)
Feb  4 12:41:08 devbox rpc.gssd[13014]: process_krb5_upcall: service is '<null>'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Full hostname for 'staypuft.ad.ismell.org' is 'staypuft.ad.ismell.org'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Full hostname for 'devbox.ad.ismell.org' is 'devbox.ad.ismell.org'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Success getting keytab entry for 'DEVBOX$@AD.ISMELL.ORG'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Successfully obtained machine credentials for principal 'DEVBOX$@AD.ISMELL.ORG' stored in ccache 'FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG'
Feb  4 12:41:08 devbox rpc.gssd[13014]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG' are good until 1328420464
Feb  4 12:41:08 devbox rpc.gssd[13014]: using FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG as credentials cache for machine creds
Feb  4 12:41:08 devbox rpc.gssd[13014]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating context using fsuid 0 (save_uid 0)
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating tcp client for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: DEBUG: port already set to 2049
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating context with server nfs@staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create krb5 context for user with uid 0 for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: Full hostname for 'staypuft.ad.ismell.org' is 'staypuft.ad.ismell.org'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Full hostname for 'devbox.ad.ismell.org' is 'devbox.ad.ismell.org'
Feb  4 12:41:08 devbox rpc.gssd[13014]: Success getting keytab entry for 'DEVBOX$@AD.ISMELL.ORG'
Feb  4 12:41:08 devbox rpc.gssd[13014]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG' are good until 1328420464
Feb  4 12:41:08 devbox rpc.gssd[13014]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG' are good until 1328420464
Feb  4 12:41:08 devbox rpc.gssd[13014]: using FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG as credentials cache for machine creds
Feb  4 12:41:08 devbox rpc.gssd[13014]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating context using fsuid 0 (save_uid 0)
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating tcp client for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: DEBUG: port already set to 2049
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating context with server nfs@staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create krb5 context for user with uid 0 for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create machine krb5 context with any credentials cache for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: doing error downcall
Feb  4 12:41:08 devbox rpc.gssd[13014]: dir_notify_handler: sig 37 si 0xbf9f2cac data 0xbf9f2d2c
Feb  4 12:41:08 devbox rpc.gssd[13014]: dir_notify_handler: sig 37 si 0xbf9f2cac data 0xbf9f2d2c
Feb  4 12:41:08 devbox rpc.gssd[13014]: dir_notify_handler: sig 37 si 0xbf9f2cac data 0xbf9f2d2c
Feb  4 12:41:08 devbox rpc.gssd[13014]: dir_notify_handler: sig 37 si 0xbf9f2cac data 0xbf9f2d2c
Feb  4 12:41:08 devbox rpc.gssd[13014]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt15
```

This being the relevant part

```
Feb  4 12:41:08 devbox rpc.gssd[13014]: creating context with server nfs@staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create krb5 context for user with uid 0 for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG for server staypuft.ad.ismell.org
Feb  4 12:41:08 devbox rpc.gssd[13014]: WARNING: Failed to create machine krb5 context with any credentials cache for server staypuft.ad.ismell.org
```

It says it's creating context with nfs@staypuft.ad.ismell.org. Is that correct? Shouldn't it be creating a context with nfs/staypuft.ad.ismell.org@AD.ISMELL.ORG?

Is this a bug in nfs-utils?

Thanks,

Raul

----------
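An added example, not part of the original posts and not nfs-utils code: a small triage script that runs over `rpc.gssd` lines like those in the two posts and reports how far each mount attempt got. It also maps the GSS-API host-based name form `service@host` seen in the log to the Kerberos principal form `service/host@REALM`; the function names are hypothetical, the realm is passed in as an assumption, and the log lines are copied from the posts with the syslog prefix dropped.

```python
import re

# Constructed sample input: rpc.gssd messages taken from the two posts above.
FIRST_ATTEMPT = """\
Success getting keytab entry for 'root/devbox.ad.ismell.org@AD.ISMELL.ORG'
WARNING: Client not found in Kerberos database while getting initial ticket for principal 'root/devbox.ad.ismell.org@AD.ISMELL.ORG' using keytab 'WRFILE:/etc/krb5.keytab'
ERROR: No credentials found for connection to server staypuft.ad.ismell.org
"""
SECOND_ATTEMPT = """\
Success getting keytab entry for 'DEVBOX$@AD.ISMELL.ORG'
Successfully obtained machine credentials for principal 'DEVBOX$@AD.ISMELL.ORG' stored in ccache 'FILE:/tmp/krb5cc_machine_AD.ISMELL.ORG'
creating context with server nfs@staypuft.ad.ismell.org
WARNING: Failed to create machine krb5 context with any credentials cache for server staypuft.ad.ismell.org
"""


def hostbased_to_principal(name, realm):
    """Map a GSS-API host-based service name (service@host) to krb5 form.

    Assumption: the realm is supplied by the caller and no DNS
    canonicalization of the host name is performed.
    """
    service, host = name.split("@", 1)
    return f"{service}/{host.lower()}@{realm}"


def triage(log, realm):
    """Return the client principal, target principal and last stage reached."""
    result = {"client": None, "target": None, "stage": "no keytab entry selected"}
    for line in log.splitlines():
        if m := re.search(r"Success getting keytab entry for '([^']+)'", line):
            result["client"] = m.group(1)
            result["stage"] = "keytab entry selected"
        elif "while getting initial ticket" in line:
            result["stage"] = "initial ticket request failed"
        elif "Successfully obtained machine credentials" in line:
            result["stage"] = "machine credentials obtained"
        elif m := re.search(r"creating context with server (\S+@\S+)", line):
            result["target"] = hostbased_to_principal(m.group(1), realm)
        elif "Failed to create machine krb5 context with any" in line:
            result["stage"] = "GSS context with server failed"
    return result


if __name__ == "__main__":
    for attempt in (FIRST_ATTEMPT, SECOND_ATTEMPT):
        print(triage(attempt, realm="AD.ISMELL.ORG"))
```

The second log fails only after machine credentials were obtained, so the keytab lookup on the client succeeded and the failure lies in establishing the context for the `nfs/...` target principal.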

