Date: Tue, 10 Feb 2015 18:33:36 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Cc: freebsd-fs@freebsd.org
Subject: Re: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box
Message-ID: <1803458422.716795.1423611216530.JavaMail.root@uoguelph.ca>
In-Reply-To: <alpine.GSO.1.10.1502101430460.3953@multics.mit.edu>

Benjamin Kaduk wrote:
> On Tue, 10 Feb 2015, Sascha Frey wrote:
>
> > Rick Macklem wrote:
> >
> > [...]
> > >> I found only one error message in /var/log/messages:
> > >> nfsd: can't register svc name
> > >>
> > >Well, this message indicates it isn't going to work.
> > >(This message means the nfsd couldn't register with the gssd daemon,
> > >so kerberized NFS won't work.) It is generated when the nfsd is
> > >started.
> > >
> > >The most common cause would be the gssd daemon not running when the
> > >nfsd daemon is started. If the gssd was running when the nfsd was
> > >started and this message is logged, there is a debug option on gssd
> > >that makes it chatty and that might indicate why it is failing.
> >
> > gssd was running before nfsd was started.
> > This message does not appear if nfsd starts without gssd running,
> > but it does appear as soon as gssd is started (if nfsd is already
> > running).
> >
> > I started gssd in foreground mode (via gssd -d -v)
> > These messages appear when I start nfsd:
> > gssd_import_name: done major=0x0 minor=0
> > gssd_acquire_cred: done major=0x70000 minor=0
> > gssd_release_name: done major=0x0 minor=0
> > gssd_import_name: done major=0x0 minor=0
> > gssd_acquire_cred: done major=0x70000 minor=0
> > gssd_release_name: done major=0x0 minor=0
> > gssd_import_name: done major=0x0 minor=0
> > gssd_acquire_cred: done major=0x70000 minor=0
> > gssd_release_name: done major=0x0 minor=0
>
> 0x70000 is GSS_S_NO_CRED.
>
Yea, unfortunately I think you'll find that this is the catch-all when
you dig into the Heimdal library. (All the gssd does is take the upcalled
arguments and do the call against the library. This is the reply the
gss_acquire_cred() library call made.

Why isn't it working? I have no idea. It is strange that "kinit -k ..."
works, but this does not.

One thing to check is to see if the keytab entry has multiple encryption
types in it. If it does, you might want to re-create the keytab entry with
only the default encryption type (as set in the NFS server's /etc/krb.conf).
I have seen problems when the keytab entry has multiple encryption types,
but I'm not sure what was broken.

Another simple thing to check is "# hostname" and make sure it has
"leonard.fs.cit-ec.net" and not "leonard", since it will use nfs@<hostname>
as the host-based name and the <hostname> must be the fully qualified
domain name.

> Maybe you could truss or similar to find out what name it's trying to
> acquire credentials for?
>
It should be nfs@leonard.fs.cit-ec.net
(or nfs/leonard.fs.cit-ec.net@<default-realm> if written in the Kerberos
mechanism's way).
However, it can't hurt to check and if it isn't the above, that would
explain why it isn't working.

> -Ben
>
> > No log output when trying to mount NFS share on the Linux machine.
> >
> >
> > I tried to mount it on the server itself. I'm able
> > to mount, but I can't access any files...
> >
> > [root@leonard ~]# mount -o sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> > [root@leonard ~]# su - sfrey
> > [sfrey@leonard ~]$ kinit
> > sfrey@TECHFAK.UNI-BIELEFELD.DE's Password:
> > [sfrey@leonard ~]$ ls -lad /mnt
> > ls: /mnt: Permission denied
Yea, the FreeBSD client (I didn't choose to code it this way) falls back
to AUTH_SYS when Kerberos doesn't work. I suspect if you looked at a packet
trace in wireshark, you'd see it trying AUTH_SYS for this.

rick

> > [sfrey@leonard ~]$ klist
> > Credentials cache: FILE:/tmp/krb5cc_21036
> >         Principal: sfrey@TECHFAK.UNI-BIELEFELD.DE
> >
> >   Issued                Expires               Principal
> > Feb 10 08:54:31 2015  Feb 10 18:54:39 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE
> > Feb 10 08:54:36 2015  Feb 10 18:54:39 2015  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
> >
> >
> > >Also, there is this wiki. It is somewhat out of date, but I don't
> > >think anything has changed w.r.t. the server side. (I'm not sure what
> > >the current status is w.r.t. keytab entries encrypted in newer ways
> > >than des-cbc-crc is.)
> > >https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
> >
> > I'll take a look into it. Maybe I missed something.
> >
> >
> > Cheers,
> > Sascha
> > _______________________________________________
> > freebsd-fs@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> > To unsubscribe, send any mail to
> > "freebsd-fs-unsubscribe@freebsd.org"
> >
> _______________________________________________
> freebsd-fs@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
>
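
Added example (not part of the original message, and not gssd's own code): a small decoder for the "major=" values in the gssd -d -v output quoted in the thread, using the status-field layout and names from RFC 2744. The function names and the sample log are constructed for illustration, and the log line format is assumed to be exactly the one quoted above.

```python
import re

# Constructed sample in the format quoted in the thread (gssd -d -v output).
SAMPLE_LOG = """\
gssd_import_name: done major=0x0 minor=0
gssd_acquire_cred: done major=0x70000 minor=0
gssd_release_name: done major=0x0 minor=0
"""

# RFC 2744: routine errors live in bits 16-23 of the major status.
ROUTINE = {1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
           4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
           7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
           10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
           12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
           15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
           17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN"}
# Calling errors live in bits 24-31.
CALLING = {1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
           3: "GSS_S_CALL_BAD_STRUCTURE"}
# Supplementary information is one flag per bit in bits 0-15.
SUPPLEMENTARY = {0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
                 2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN"}

LINE_RE = re.compile(r"^(gssd_\w+): done major=(0x[0-9a-fA-F]+) minor=(-?\d+)$")

def decode_major(major):
    """Split a GSS-API major status into its named components."""
    names = []
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    if calling:
        names.append(CALLING.get(calling, "unknown calling error %d" % calling))
    if routine:
        names.append(ROUTINE.get(routine, "unknown routine error %d" % routine))
    names += [n for bit, n in SUPPLEMENTARY.items() if major & (1 << bit)]
    return names or ["GSS_S_COMPLETE"]

def failed_calls(log_text):
    """Return (call, decoded status, minor) for every call that reported an error."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(2), 16) & 0xFFFF0000:  # calling or routine error set
            out.append((m.group(1), decode_major(int(m.group(2), 16)), int(m.group(3))))
    return out

if __name__ == "__main__":
    for call, status, minor in failed_calls(SAMPLE_LOG):
        print(call, "|".join(status), "minor=%d" % minor)
```

On the sample, only the gssd_acquire_cred line is reported, with routine error 7 (GSS_S_NO_CRED) and minor 0, matching the reading given in the thread.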