Date:      Tue, 12 Oct 2010 08:56:23 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Giulio Ferro <auryn@zirakzigil.org>
Cc:        freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: nfsv4 with kgssapi
Message-ID:  <933937287.513420.1286888183571.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <4CB457C4.2020205@zirakzigil.org>

> I'm trying to set up an NFS server which uses the kerberized RPC
> header, so as to overcome the problem with 16 groups:
> 
> http://www.mail-archive.com/freebsd-stable@freebsd.org/msg109809.html
> 
> 
> FreeBSD 8 amd64 stable last (yesterday)
> 
> Following the man page for nfsv4 I have compiled the kernel with
> -----
> options KGSSAPI
> device crypto
> -----
> 
> My files:
> 
> 
> /etc/exports
> -----
> V4: /mydir -sec=krb5:krb5i:krb5p -network 192.168.0 -mask 255.255.255.0

You also need an entry for the file system ("/mydir" ??) like:
/mydir -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask 255.255.255.0

(The V4: line only sets where the NFSv4 root is; it does not
actually export the file system, so something like the above line
is needed as well.)
> 
> /etc/rc.conf
> -----
> ...
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfsuserd_enable="YES"
> gssd_enable="YES"
> ...
> -----
> 
> All daemons start ok, but in the logs I see:
> nfsd[...]: no gssd, using AUTH_SYS only
> 
> Even though gssd is up and running.
> 
You need an entry in your default keytab file (/etc/krb5.keytab)
for the principal:
  nfs/<server.domain>@<YOUR.REALM>
using encryption type des-cbc-crc.

If you don't have that, it might explain why it isn't working.

Check /var/log/messages for any indications that there is
a problem.

Also, you might want to look at
  http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

if you haven't done so already.

Good luck with it, rick
ps: Kerberized NFS works for NFSv3 as well.
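
The /etc/exports point from the reply above, as an added example that is not part of the original message or of FreeBSD: a small check that every "V4:" root line is accompanied by an ordinary export line at or below that root. The helper name check_exports and the sample inputs are constructed for illustration; the second warning assumes that a krb5 flavor on the V4: line means the file system is meant to be krb5-only.

```sh
#!/bin/sh
# Added example: check_exports is a hypothetical helper, not a FreeBSD tool.
# Exit 0 when each "V4:" root also has a real export line at or below it.
check_exports() {
    awk '
    function sec_flavors(   i) {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^-sec=/) return substr($i, 6)
        return "sys"                      # exports(5) default when -sec is absent
    }
    /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
    $1 == "V4:" { roots[$2] = sec_flavors(); next }
    {                                     # ordinary export line: one or more paths
        for (i = 1; i <= NF && $i ~ /^\//; i++) exports[$i] = sec_flavors()
    }
    END {
        bad = 0
        for (r in roots) {
            prefix = (r == "/") ? "/" : r "/"
            found = 0
            for (p in exports) {
                if (p != r && index(p, prefix) != 1) continue
                found = 1
                if (roots[r] ~ /krb5/ && exports[p] !~ /krb5/) {
                    printf "%s: export line lists no krb5 flavor (sec=%s)\n", p, exports[p]
                    bad = 1
                }
            }
            if (!found) {
                printf "V4 root %s: no export line at or below it\n", r
                bad = 1
            }
        }
        exit bad
    }' "${1:--}"
}

# Constructed samples based on the lines quoted in this thread.
sample_v4_only() {
    echo 'V4: /mydir -sec=krb5:krb5i:krb5p -network 192.168.0 -mask 255.255.255.0'
}
sample_with_export() {
    sample_v4_only
    echo '/mydir -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask 255.255.255.0'
}

sample_v4_only | check_exports || echo "result: V4-only file is incomplete"
sample_with_export | check_exports && echo "result: root and export line both present"
```

On a server it would be run as check_exports /etc/exports; it only inspects the file and does not confirm that the nfs/ principal is in the keytab.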



