Re: gssd-agent: Minor error <1> Unknown Error Code: 19777
- Subject: Re: gssd-agent: Minor error <1> Unknown Error Code: 19777
- From: Rick Macklem <email@hidden>
- Date: Wed, 6 Feb 2008 20:05:50 -0500 (EST)
On Wed, 6 Feb 2008, Terry Lambert wrote:
On Feb 6, 2008, at 2:13 AM, Roger Herikstad wrote:
Hi list,
I'm running a cluster of Macs with kerberized nfs, and I keep
getting this rather cryptic error message in my log:
Feb 6 17:31:52 work03 gssd-agent[227]: Error returned by svc_mach_gss_init_sec_context:
Feb 6 17:31:52 work03 gssd-agent[227]: Major error <1> Unspecified GSS failure. Minor code may provide more information
Feb 6 17:31:52 work03 gssd-agent[227]: Minor error <1> Unknown Error Code: 19777
Feb 6 17:31:52 work03 gssd-agent[227]: nfs client Kerberos: head.neuralc:/Volumes/Xraid/XUsers, uid=501 - Unknown Error Code: 19777
We are running SGE (sun grid engine), and the above error prevents us
from writing to nfs directories. So far, our solution is to reboot the
machine.
I'm wondering if anyone has had similar experiences, and if anyone
knows what error code 19777 actually means?
Here's an answer from the maintainer:
There's a known bug that prevents the message from being printed, but
error code 19777 is a kerberos library error that actually corresponds to
the text:
"Can't display user interface from this environment".
The message implies that the kerberos library attempted to pop up a
window to obtain a kerberos login because you're lacking a ticket.
You'll normally get a kerberos ticket when you log in through the
loginwindow or the screen saver.
You get the message if you try to access a kerberized
NFS mount without a kerberos ticket - in this case it was user 501 - which
looks like a local UID - not a network one.
In good old nfs, a local uid is all there is. (From playing with the gssd
doing upcalls from my client, the uid argument in the upcall doesn't seem
to much matter, anyhow.) I think the error is generated when the process
trying the NFS operation is somehow not associated with the
gssd/credential cache that has the correct TGT. (I believe Quinn's answer
sounds like a good explanation of that.) I know that I can get that error
to occur by doing an upcall for uid==502 when the user with uid==502 has
a valid TGT (whereas other upcalls for uid==502 work fine).
So, just seeing a valid TGT isn't enough. Don't know if this helps or just
adds to the confusion?

rick
ps: Of course, if you don't have a valid TGT for uid==501, then nothing
is going to work. Leopard expects user credentials and doesn't use
host based principals like (root/client.domain@REALM) in a keytab
file, as far as I understand it. (Solaris will use
root/client.dns.domain@REALM for root accesses, if that exists in the
client machine's keytab file.)
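
A small triage helper for the log lines quoted in this thread, added here as an example and not code from any of the posters or from Apple: it pulls the host, mount, uid and minor code out of each `nfs client Kerberos` line so an admin can see which users hit the ticket failure and how often. The regex, the function names and the uid=502 sample line are assumptions; the only code-to-text mapping used is the one given in the thread.

```python
import re
from collections import Counter

# The only mapping stated in the thread; any other code stays unresolved.
KNOWN_MINOR = {19777: "Can't display user interface from this environment"}

# Sample input: the log lines from the post with mail line-wrapping undone,
# plus one constructed line (uid=502) to show grouping.
SAMPLE = """\
Feb 6 17:31:52 work03 gssd-agent[227]: Error returned by svc_mach_gss_init_sec_context:
Feb 6 17:31:52 work03 gssd-agent[227]: Major error <1> Unspecified GSS failure. Minor code may provide more information
Feb 6 17:31:52 work03 gssd-agent[227]: Minor error <1> Unknown Error Code: 19777
Feb 6 17:31:52 work03 gssd-agent[227]: nfs client Kerberos: head.neuralc:/Volumes/Xraid/XUsers, uid=501 - Unknown Error Code: 19777
Feb 6 17:40:03 work03 gssd-agent[227]: nfs client Kerberos: head.neuralc:/Volumes/Xraid/XUsers, uid=502 - Unknown Error Code: 19777
"""

# Matches only the summary line that carries mount, uid and the numeric code
# (the form logged while the message text is not being printed).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sgssd-agent\[\d+\]:\s"
    r"nfs client Kerberos:\s(?P<mount>.+?),\suid=(?P<uid>\d+)\s-\s"
    r"Unknown Error Code:\s(?P<code>\d+)$"
)

def parse_failures(text):
    """Return one dict per 'nfs client Kerberos' failure line."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["uid"], rec["code"] = int(rec["uid"]), int(rec["code"])
            rec["meaning"] = KNOWN_MINOR.get(rec["code"], "unresolved")
            records.append(rec)
    return records

def summarize(records):
    """Count failures per (host, uid, mount, code)."""
    return Counter((r["host"], r["uid"], r["mount"], r["code"]) for r in records)

if __name__ == "__main__":
    for (host, uid, mount, code), n in summarize(parse_failures(SAMPLE)).items():
        text = KNOWN_MINOR.get(code, "unresolved")
        print(f"{host} uid={uid} {mount}: {n}x minor code {code} ({text})")
```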