From: Rick Macklem <rmacklem@uoguelph.ca>
To: Janusz Bulik
Cc: freebsd-stable@freebsd.org
Date: Mon, 18 Feb 2013 19:00:15 -0500 (EST)
Subject: Re: NFSv4 + Kerberos permission denied
Message-ID: <2118116375.3103200.1361232015868.JavaMail.root@erie.cs.uoguelph.ca>

Janusz Bulik wrote:
> Hello,
> I've got a little problem with NFSv4 + Kerberos. I can do a mount with
> Kerberos with a valid ticket, but read-only.
> After the mount -vvv -t nfs -o nfsv4,sec=krb5 nfsserver:/ /mount_test/
> I can see:
>
> #klist:
> Feb 6 07:22:47 Feb 6 17:22:43 nfs/nfsserver@my.domain
>
> #/var/heimdal/kdc.log:
> 2013-02-06T07:28:26 TGS-REQ clientnfs@my.domain from IPv4:192.168.0.23
> for nfs/nfsserver@my.domain
>
> tcpdump:
> 14:59:36.140272 IP nfsclient.61011 > 192.168.0.21.kerberos-sec:
> 14:59:36.142301 IP 192.168.0.21.kerberos-sec > nfsclient.61011:
>
> I got a "Permission denied" message when I try to mkdir or rm. As a root
> mount and as a user mount (sysctl vfs.usermounts=1).
> With -sec=sys it works read-write, but with -sec=krb5 read-only..
>
> my /etc/exports:
> V4: /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask
> 255.255.255.0
> /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask
> 255.255.255.0 -maproot=root -alldirs
>
> tried with V4: / .... as well.
> Added all the principals needed.
> Tried also with fully qualified domain names.
> SSH works fine with Kerberos
>
>
> Do I need rpcsec_gss.patch? (according to
> http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup)
> or can I make it work somehow else?
>
> I used FreeBSD-9.1-RELEASE-i386-disc1
> and
> FreeBSD-10.0-CURRENT-i386-20130202-r246254-release

Thanks to Elias's hard work, a bug/fix for a Kerberos function has been
identified that can make the gssd fail to map a principal to a uid.
(I haven't run into this bug, so I don't know what systems are affected.)
See this thread:
http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw

I'd suggest you apply the patch (increasing the size of buf to 1024) and
then try testing with libraries built with this patch applied.

Good luck with it, rick

> --
> Greets
> Janusz
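The failure mode Rick points at, a principal-to-uid mapping that breaks because the buffer behind it is too small, is easy to reproduce outside of gssd. The block below is an added illustration, not code from this thread, from FreeBSD's gssd or from the patch Rick links. It assumes that the lookup behind the mapping is a getpwnam_r()-style call (the thread only says "buf" was grown to 1024; which function owns that buffer is not stated here), uses the realm "my.domain" from Janusz's klist output, and the function names (principal_local_name, name_to_uid_fixed, name_to_uid_grow, principal_to_uid) are hypothetical. It shows three things a practitioner would want to see: getpwnam_r() returning ERANGE rather than "no such user" when its buffer is too small, a caller that retries with a larger buffer instead of turning that into an access denial, and a realm check on the principal so that user@OTHER.REALM never maps to a local uid.

```c
/* Added example (not from this thread, FreeBSD's gssd, or the linked
 * patch).  ASSUMPTION: the principal-to-uid mapping ends in a
 * getpwnam_r()-style lookup whose fixed buffer can be too small.
 * Helper names are hypothetical. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Split "user@REALM" into its local part, refusing principals whose
 * realm is not the trusted one: a mapping that ignored the realm would
 * hand user@OTHER.REALM the uid of the local user of the same name.
 * Returns 0 on success, an errno value otherwise. */
static int principal_local_name(const char *princ, const char *realm,
                                char *out, size_t outlen)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL || at == princ)
        return EINVAL;                  /* no realm, or empty user part */
    if (strcmp(at + 1, realm) != 0)
        return EPERM;                   /* foreign realm: refuse to map */
    size_t n = (size_t)(at - princ);
    if (n + 1 > outlen)
        return ENAMETOOLONG;
    memcpy(out, princ, n);
    out[n] = '\0';
    return 0;
}

/* Look a local name up with a caller-chosen buffer size.  When the
 * buffer cannot hold the passwd strings getpwnam_r() fails with
 * ERANGE; a caller that treats every non-zero return as "unknown user"
 * denies a perfectly valid principal.  "No such user" is reported as
 * ENOENT so the two cases stay distinguishable. */
static int name_to_uid_fixed(const char *name, size_t buflen, uid_t *uid)
{
    struct passwd pw, *res = NULL;
    char *buf = malloc(buflen);
    if (buf == NULL)
        return ENOMEM;
    int rc = getpwnam_r(name, &pw, buf, buflen, &res);
    if (rc == 0 && res == NULL)
        rc = ENOENT;                    /* lookup worked, user not found */
    if (rc == 0)
        *uid = pw.pw_uid;
    free(buf);
    return rc;
}

/* Hardened variant: start from the size the C library recommends and
 * grow on ERANGE, so buffer size can never turn a valid principal into
 * a permission error. */
static int name_to_uid_grow(const char *name, uid_t *uid)
{
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t buflen = hint > 0 ? (size_t)hint : 1024;
    for (int tries = 0; tries < 8; tries++) {
        int rc = name_to_uid_fixed(name, buflen, uid);
        if (rc != ERANGE)
            return rc;
        buflen *= 2;                    /* too small: retry with more room */
    }
    return ERANGE;
}

/* Whole path: principal string -> local name -> uid. */
static int principal_to_uid(const char *princ, const char *realm, uid_t *uid)
{
    char local[256];
    int rc = principal_local_name(princ, realm, local, sizeof local);
    if (rc != 0)
        return rc;
    return name_to_uid_grow(local, uid);
}

int main(void)
{
    uid_t uid = 0;
    int rc = name_to_uid_fixed("root", 8, &uid);
    printf("root, 8-byte buffer: rc=%d (%s)\n", rc, strerror(rc));
    rc = principal_to_uid("root@my.domain", "my.domain", &uid);
    printf("root@my.domain: rc=%d uid=%ld\n", rc, (long)uid);
    rc = principal_to_uid("root@OTHER.REALM", "my.domain", &uid);
    printf("root@OTHER.REALM: rc=%d (%s)\n", rc, strerror(rc));
    return 0;
}
```

Run as-is, the first lookup fails with ERANGE even though "root" exists, which is exactly the kind of result a daemon must not fold into "permission denied"; the growing variant succeeds, and the foreign-realm principal is refused before any lookup happens.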