Unable to mount nfs with gss/krb5 "ERR 20: Auth Bogus Credentials"

intmail01 · 04-28-2015, 02:16 AM

Hello,

I configure my own nfs server with kerberos5 under linux 3.16.3/Slackware 14. After minutes of attempting to mount, "mount" command failed and stoped. Could sone tell me what is wrong because mounting without gss/krb5 works well.

Command :

mount -t nfs -o vers=4,sec=krb5 server.darkstar.net:/ /mnt/nfs -vvv

mount command shows many times lines bellow then stops:

Code:

mount.nfs: text-based options: 'vers=4,sec=krb5,addr=10.0.0.1'
mount.nfs: text-based options: 'vers=4,sec=krb5,addr=10.0.0.1'

. .

On the server side there are two things I detected abnormal:

1- Tcpdump shows an error coming from the server:

Code:

11:51:58.513697 IP server.darkstar.net.nfs > client.darkstar.net.3131002044: reply ERR 20: Auth Bogus Credentials

2- I tried to debug rpc.mountd by command "rpc.mountd -F -d all" and it shows at start:

Code:

rpc.mountd: Failed to unregister program 100005, version 1
rpc.mountd: Failed to unregister program 100005, version 2
rpc.mountd: Failed to unregister program 100005, version 3
rpc.mountd: Version 1.2.8 starting

After launching the mount command on the client, the debug on the server shows:

Code:

rpc.mountd: auth_unix_ip: inbuf 'nfsd 10.0.0.2'
rpc.mountd: auth_unix_ip: client (nil) 'DEFAULT'

On the client before mounting, I get the ticket nfs/client.darkstar.net as key to access the server.

On the server "pmap_dump" (rpcinfo is no longer provided by slackware) shows

Code:

100000    2   tcp    111  portmapper
100000    2   udp    111  portmapper
100024    1   udp  32765  status
100024    1   tcp  32765  status
100003    4   tcp   2049  nfs
100003    4   udp   2049  nfs
100005    1   udp  32767  mountd
100005    1   tcp  32767  mountd
100005    2   udp  32767  mountd
100005    2   tcp  32767  mountd
100005    3   udp  32767  mountd
100005    3   tcp  32767  mountd

Thank you

intmail01 · 04-28-2015, 07:31 AM

After checking all the systems, I found that ptoblems are not specefically due to gss/krb5.
Even if I disable securisation the mount command fails and rpc.mountd shows the error mentioned above.
Dont pay attention to the title of the thread, it must be modified. Sorry.

Command without securisation:

Code:

mount -t nfs -o vers=4 server.darkstar.net:/ /mnt/nfs -vvv

The file /etc/exportfs:

Code:

/data 10.0.0.*(rw,fsid=0,insecure,no_root_squash,no_subtree_check)

On the client the /var/log/syslog contains lines:

Code:

Apr 28 15:25:35 darkstar last message repeated 22 times
Apr 28 15:25:35 darkstar rpc.idmapd[427]: New client: 35
Apr 28 15:25:35 darkstar rpc.idmapd[427]: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt35/idmap
Apr 28 15:25:37 darkstar kernel:  00 00 00 00 00 00
Apr 28 15:25:38 darkstar rpc.idmapd[427]: Stale client: 35
Apr 28 15:25:38 darkstar rpc.idmapd[427]: ^I-> closed /var/lib/nfs/rpc_pipefs//nfs/clnt35/idmap
Apr 28 15:25:39 darkstar kernel:  00 00 00 00 00 00
Apr 28 15:25:39 darkstar rpc.idmapd[427]: New client: 37
Apr 28 15:25:39 darkstar rpc.idmapd[427]: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt37/idmap
Apr 28 15:25:39 darkstar rpc.idmapd[427]: Stale client: 37
Apr 28 15:25:39 darkstar rpc.idmapd[427]: ^I-> closed /var/lib/nfs/rpc_pipefs//nfs/clnt37/idmap
Apr 28 15:25:41 darkstar kernel:  00 00 00 00 00 00

intmail01 · 04-28-2015, 09:21 AM

I think there are bug somewhere. Server cannot resolv 10.0.0.*
I reset it to client.darkstar.net then the client machine can now mount *without* the gss/krb5 securisation.
*** Finally, problem with gsss/krb5 remains unsolved. **

Code:

bad exportation in /etc/exports => /data 10.0.0.*(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
good exportation in /etc/exports => /data client.darkstar.net(rw,fsid=0,insecure,no_root_squash,no_subtree_check)