From owner-freebsd-fs@FreeBSD.ORG Tue Feb 10 19:32:09 2015 Return-Path: Delivered-To: freebsd-fs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 983A4319 for ; Tue, 10 Feb 2015 19:32:09 +0000 (UTC) Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1E604B9B for ; Tue, 10 Feb 2015 19:32:08 +0000 (UTC) X-AuditID: 1209190f-f79546d000007593-a3-54da5cb16e4b Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id BE.94.30099.1BC5AD45; Tue, 10 Feb 2015 14:32:01 -0500 (EST) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id t1AJW0PS016686; Tue, 10 Feb 2015 14:32:01 -0500 Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t1AJVwCG012222 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 10 Feb 2015 14:32:00 -0500 Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t1AJVw3K000970; Tue, 10 Feb 2015 14:31:58 -0500 (EST) Date: Tue, 10 Feb 2015 14:31:58 -0500 (EST) From: Benjamin Kaduk To: Sascha Frey Subject: Re: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box In-Reply-To: <20150210080053.GA20995@TechFak.Uni-Bielefeld.DE> Message-ID: References: <20150209181747.GB9520@TechFak.Uni-Bielefeld.DE> <2131985962.2999032.1423524243651.JavaMail.root@uoguelph.ca> <20150210080053.GA20995@TechFak.Uni-Bielefeld.DE> User-Agent: Alpine 1.10 (GSO 962 2008-03-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrDIsWRmVeSWpSXmKPExsUixG6norsx5laIwdwOKYtjj3+yWWxtO8Tm wOQx49N8Fo8JB16xBTBFcdmkpOZklqUW6dslcGXM2lJSsFq84t783WwNjO+Fuhg5OSQETCRW rNnKBmGLSVy4tx7I5uIQEljMJPFvajMThLORUWL66hnsEM4hJol1jZ9ZIJwGRonHnycxdzFy cLAIaEvcP+oNMopNQEVi5puNYGNFBBQkTl1ZxwhSwiwgJXFnbQVIWFggSOLF2wssIDangJ3E 7nOtYOW8Ag4SR7/tYIUYv5pR4vy8J+wgCVEBHYnV+6ewQBQJSpyc+QTMZhbQklg+fRvLBEbB WUhSs5CkFjAyrWKUTcmt0s1NzMwpTk3WLU5OzMtLLdI10cvNLNFLTSndxAgKVE5J/h2M3w4q HWIU4GBU4uEtSLwZIsSaWFZcmXuIUZKDSUmUNzziVogQX1J+SmVGYnFGfFFpTmrxIUYJDmYl EV4VMaAcb0piZVVqUT5MSpqDRUmcd9MPvhAhgfTEktTs1NSC1CKYrAwHh5IE75FooEbBotT0 1Iq0zJwShDQTByfIcB6g4ZdBaniLCxJzizPTIfKnGBWlxHlbQBICIImM0jy4XlgiecUoDvSK MK8+SBUPMAnBdb8CGswENLig4AbI4JJEhJRUA+N88edvkvvU7IXr253525QLxbzrd//e2ZdZ svad68qiU5XrnRTc4rbMnW+aoy3xZEId/5xr89MNAhqXH7tt+UbxMserfa5/ZpeeudS188WH YHFzhoLF59xsJzpwRx2XupoYX2uwrGbSL6s3ETFunx/77c0KNjpsxcVj/+Sq7k7+taFHnovM lFFiKc5INNRiLipOBABtRAgM/wIAAA== Cc: freebsd-fs@freebsd.org X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Feb 2015 19:32:09 -0000 On Tue, 10 Feb 2015, Sascha Frey wrote: > Rick Macklem wrote: > > [...] > >> I found only one error message in /var/log/messages: > >> nfsd: can't register svc name > >> > >Well, this message indicates it isn't going to work. > >(This message means the nfsd couldn't register with the gssd daemon, > > so kerberized NFS won't work.) It is generated when the nfsd is > >started. > > > >The most common cause would be the gssd daemon not running when the > >nfsd daemon is started. If the gssd was running when the nfsd was started > >and this message is logged, there is a debug option on gssd that makes > >it chatty and that might indicate why it is failing. > > gssd was running before nfsd was started. > This message does not appear if nfsd starts without gssd running, > but it does appear as soon as gssd is started (if nfsd is already running). > > I started gssd in foreground mode (via gssd -d -v) > These messages appear when I start nfsd: > gssd_import_name: done major=0x0 minor=0 > gssd_acquire_cred: done major=0x70000 minor=0 > gssd_release_name: done major=0x0 minor=0 > gssd_import_name: done major=0x0 minor=0 > gssd_acquire_cred: done major=0x70000 minor=0 > gssd_release_name: done major=0x0 minor=0 > gssd_import_name: done major=0x0 minor=0 > gssd_acquire_cred: done major=0x70000 minor=0 > gssd_release_name: done major=0x0 minor=0 0x70000 is GSS_S_NO_CRED. Maybe you could truss or similar to find out what name it's trying to acquire credentials for? -Ben > No log output when trying to mount NFS share on the Linux machine. > > > I tried to mount it on the server itself. I'm able > to mount, but I can't access any files... > > [root@leonard ~]# mount -o sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt > [root@leonard ~]# su - sfrey > [sfrey@leonard ~]$ kinit > sfrey@TECHFAK.UNI-BIELEFELD.DE's Password: > [sfrey@leonard ~]$ ls -lad /mnt > ls: /mnt: Permission denied > [sfrey@leonard ~]$ klist > Credentials cache: FILE:/tmp/krb5cc_21036 > Principal: sfrey@TECHFAK.UNI-BIELEFELD.DE > > Issued Expires Principal > Feb 10 08:54:31 2015 Feb 10 18:54:39 2015 krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE > Feb 10 08:54:36 2015 Feb 10 18:54:39 2015 nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE > > > > >Also, there is this wiki. It is somewhat out of date, but I don't think > >anything has changed w.r.t. the server side. (I'm not sure what the > >current status is w.r.t. keytab entries encrypted in newer ways than > >des-cbc-crc is.) > >https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup > > I'll take a look into it. Maybe I missed something. > > > > > Cheers, > Sascha > _______________________________________________ > freebsd-fs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org" >