Date:      Tue, 10 Feb 2015 14:31:58 -0500 (EST)
From:      Benjamin Kaduk <kaduk@MIT.EDU>
To:        Sascha Frey <sf@techfak.net>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box
Message-ID:  <alpine.GSO.1.10.1502101430460.3953@multics.mit.edu>
In-Reply-To: <20150210080053.GA20995@TechFak.Uni-Bielefeld.DE>
References:  <20150209181747.GB9520@TechFak.Uni-Bielefeld.DE> <2131985962.2999032.1423524243651.JavaMail.root@uoguelph.ca> <20150210080053.GA20995@TechFak.Uni-Bielefeld.DE>

On Tue, 10 Feb 2015, Sascha Frey wrote:

> Rick Macklem wrote:
>
> [...]
> >> I found only one error message in /var/log/messages:
> >> nfsd: can't register svc name
> >>
> >Well, this message indicates it isn't going to work.
> >(This message means the nfsd couldn't register with the gssd daemon,
> > so kerberized NFS won't work.) It is generated when the nfsd is
> >started.
> >
> >The most common cause would be the gssd daemon not running when the
> >nfsd daemon is started. If the gssd was running when the nfsd was started
> >and this message is logged, there is a debug option on gssd that makes
> >it chatty and that might indicate why it is failing.
>
> gssd was running before nfsd was started.
> This message does not appear if nfsd starts without gssd running,
> but it does appear as soon as gssd is started (if nfsd is already running).
>
> I started gssd in foreground mode (via gssd -d -v)
> These messages appear when I start nfsd:
> gssd_import_name: done major=0x0 minor=0
> gssd_acquire_cred: done major=0x70000 minor=0
> gssd_release_name: done major=0x0 minor=0
> gssd_import_name: done major=0x0 minor=0
> gssd_acquire_cred: done major=0x70000 minor=0
> gssd_release_name: done major=0x0 minor=0
> gssd_import_name: done major=0x0 minor=0
> gssd_acquire_cred: done major=0x70000 minor=0
> gssd_release_name: done major=0x0 minor=0

0x70000 is GSS_S_NO_CRED.

Maybe you could truss or similar to find out what name it's trying to
acquire credentials for?

-Ben

> No log output when trying to mount NFS share on the Linux machine.
>
>
> I tried to mount it on the server itself. I'm able
> to mount, but I can't access any files...
>
> [root@leonard ~]# mount -o sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> [root@leonard ~]# su - sfrey
> [sfrey@leonard ~]$ kinit
> sfrey@TECHFAK.UNI-BIELEFELD.DE's Password:
> [sfrey@leonard ~]$ ls -lad /mnt
> ls: /mnt: Permission denied
> [sfrey@leonard ~]$ klist
> Credentials cache: FILE:/tmp/krb5cc_21036
>         Principal: sfrey@TECHFAK.UNI-BIELEFELD.DE
>
>   Issued                Expires               Principal
> Feb 10 08:54:31 2015  Feb 10 18:54:39 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE
> Feb 10 08:54:36 2015  Feb 10 18:54:39 2015  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>
> >
> >Also, there is this wiki. It is somewhat out of date, but I don't think
> >anything has changed w.r.t. the server side. (I'm not sure what the
> >current status is w.r.t. keytab entries encrypted in newer ways than
> >des-cbc-crc is.)
> >https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
>
> I'll take a look into it. Maybe I missed something.
>
>
>
>
> Cheers,
> Sascha
>


