Date:      Mon, 18 Feb 2013 19:00:15 -0500 (EST)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Janusz Bulik <januszbulik@googlemail.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: NFSv4 + Kerberos permission denied
Message-ID:  <2118116375.3103200.1361232015868.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <CAMFg4WvJrzT7KB-4W_JnHH9CcPiK%2BcWHp6KJPEZg=-K2Cb-QzQ@mail.gmail.com>

Janusz Bulik wrote:
> Hello,
> I've got a little problem with NFSv4 + Kerberos. I can do a mount with
> Kerberos with a valid ticket, but read-only.
> After the mount -vvv -t nfs -o nfsv4,sec=krb5 nfsserver:/ /mount_test/
> I can see:
> 
> #klist:
> Feb 6 07:22:47 Feb 6 17:22:43 nfs/nfsserver@my.domain
> 
> #/var/heimdal/kdc.log:
> 2013-02-06T07:28:26 TGS-REQ clientnfs@my.domain from IPv4:192.168.0.23
> for nfs/nfsserver@my.domain
> 
> tcpdump:
> 14:59:36.140272 IP nfsclient.61011 > 192.168.0.21.kerberos-sec:
> 14:59:36.142301 IP 192.168.0.21.kerberos-sec > nfsclient.61011:
> 
> I got "Permission denied" message when I try to mkdir or rm. As a root
> mount and as a user mount (sysctl vfs.usermounts=1).
> With -sec=sys it works read-write, but with -sec=krb5 read-only..
> 
> my /etc/exports:
> V4: /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask
> 255.255.255.0
> /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask
> 255.255.255.0 -maproot=root -alldirs
> 
> tried with V4: / .... as well.
> Added all the principals needed.
> Tried also with fully qualified domain names.
> SSH works fine with Kerberos
> 
> 
> Do I need rpcsec_gss.patch? (according to
> http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup)
> or can I make it work somehow else?
> 
> I used FreeBSD-9.1-RELEASE-i386-disc1
> and
> FreeBSD-10.0-CURRENT-i386-20130202-r246254-release
> 
Thanks to Elias's hard work, a bug/fix for a Kerberos function has
been identified that can make the gssd fail to map a principal to
a uid. (I haven't run into this bug, so I don't know what systems
are affected.)

See this thread:
http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw

I'd suggest you apply the patch (increasing the size of buf to 1024)
and then try testing with libraries built with this patch applied.

Good luck with it, rick

> --
> Greets
> Janusz
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to
> "freebsd-stable-unsubscribe@freebsd.org"


