site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com On Wed, 6 Feb 2008, Terry Lambert wrote: Hi list, I'm running a cluster of Mac's with kerberized nfs, and I keep getting this rather cryptic error message in my log: We are running SGE (sun grid engine), and the above error prevents us from writing to nfs directories. So far, our solution is to reboot the machine. I'm wondering if anyone has had similar experiences, and if anyone knows what error code 19777 actually means? Here's an answer from the maintainer: You get the message if you try to access a kerberized NFS mount without a kerberos ticket - in this case it was user 501 - which looks like a local UID - not a network one. So, just seeing a valid TGT isn't enough. Don't know if this helps or just adds to the confusion? rick ps: Of course, if you don't have a valid TGT for uid==501, then nothing is going to work. Leopard expects user credentials and doesn't use host based principals like (root/client.domain@REALM) in a keytab file, as far as I understand it. (Solaris will use root/client.dns.domain@REALM for root accesses, if that exists in the client machine's keytab file.) _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a... On Feb 6, 2008, at 2:13 AM, Roger Herikstad wrote: Feb 6 17:31:52 work03 gssd-agent[227]: Error returned by svc_mach_gss_init_sec_context: Feb 6 17:31:52 work03 gssd-agent[227]: Major error <1> Unspecified GSS failure. Minor code may provide more information Feb 6 17:31:52 work03 gssd-agent[227]: Minor error <1> Unknown Error Code: 19777 Feb 6 17:31:52 work03 gssd-agent[227]: nfs client Kerberos: head.neuralc:/Volumes/Xraid/XUsers, uid=501 - Unknown Error Code: 19777 There's a known bug that prevents the message from being printed, but error code 19777 is a kerberos library error that actually corresponds to the text: "Can't display user interface from this environment". The message implies that the kerberos library attempted to pop up a window to obtain a kerberos login because you're lacking a ticket. You'll normally get a kerberos ticket when you log in through the loginwindow or the screen saver. In good old nfs, a local uid is all there is. (From playing with the gssd doing upcalls from my client, the uid argument in the upcall doesn't seem to much matter, anyhow.) I think the error is generated when the process trying the NFS operation is somehow not associated with the gssd/credential cache that has the correct TGT. (I believe Quinn's answer sounds like a good explanation of that.) I know that I can get that error to occur by doing an upcall for uid==502 when the user with uid==502 has a valid TGT (whereas other upcalls for uid==502 work fine). This email sent to site_archiver@lists.apple.com