Date: Mon, 18 Feb 2013 19:00:15 -0500 (EST) From: Rick Macklem <rmacklem@uoguelph.ca> To: Janusz Bulik <januszbulik@googlemail.com> Cc: freebsd-stable@freebsd.org Subject: Re: NFSv4 + Kerberos permission denied Message-ID: <2118116375.3103200.1361232015868.JavaMail.root@erie.cs.uoguelph.ca> In-Reply-To: <CAMFg4WvJrzT7KB-4W_JnHH9CcPiK%2BcWHp6KJPEZg=-K2Cb-QzQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Janusz Bulik wrote: > Hello, > I've got a little problem with NFSv4 + Kerberos. I can do a mount with > Kerberos with a valid ticket, but read-only. > After the mount -vvv -t nfs -o nfsv4,sec=krb5 nfsserver:/ /mount_test/ > I can see: > > #klist: > Feb 6 07:22:47 Feb 6 17:22:43 nfs/nfsserver@my.domain > > #/var/heimdal/kdc.log: > 2013-02-06T07:28:26 TGS-REQ clientnfs@my.domain from IPv4:192.168.0.23 > for nfs/nfsserver@my.domain > > tcpdump: > 14:59:36.140272 IP nfsclient.61011 > 192.168.0.21.kerberos-sec: > 14:59:36.142301 IP 192.168.0.21.kerberos-sec > nfsclient.61011: > > I got "Permission denied" message when I try to mkdir or rm. As a root > mount and as a user mount (sysctl vfs.usermounts=1). > With -sec=sys it works read-write, but with -sec=krb5 read-only.. > > my /etc/exports: > V4: /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask > 255.255.255.0 > /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask > 255.255.255.0 -maproot=root -alldirs > > tried with V4: / .... as well. > Added all the principals needed. > Tried also with full qualified domain names. > SSH works fine with Kerberos > > > Do I need rpcsec_gss.patch? (according to > http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup) > or can I make it work somehow else? > > I used FreeBSD-9.1-RELEASE-i386-disc1 > and > FreeBSD-10.0-CURRENT-i386-20130202-r246254-release > Thanks to Elias's hard work, a bug/fix for a Kerberos function has been identified that can make the gssd fail to map a principal to a uid. (I haven't run into this bug, so I don't know what systems are affected.) See this thread: http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw I'd suggest you apply the patch (increasing the size of buf to 1024) and then try testing with libraries built with this patch applied. Good luck with it, rick > -- > Greets > Janusz > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to > "freebsd-stable-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2118116375.3103200.1361232015868.JavaMail.root>