From owner-freebsd-fs@FreeBSD.ORG Tue Feb 10 23:33:44 2015
Date: Tue, 10 Feb 2015 18:33:36 -0500 (EST)
From: Rick Macklem
To: Benjamin Kaduk
Cc: freebsd-fs@freebsd.org
Message-ID: <1803458422.716795.1423611216530.JavaMail.root@uoguelph.ca>
Subject: Re: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box
List-Id: Filesystems

Benjamin Kaduk wrote:
> On Tue, 10 Feb 2015, Sascha Frey wrote:
>
> > Rick Macklem wrote:
> > > [...]
> > >> I found only one error message in /var/log/messages:
> > >> nfsd: can't register svc name
> > >>
> > > Well, this message indicates it isn't going to work.
> > > (This message means the nfsd couldn't register with the gssd daemon,
> > > so kerberized NFS won't work.) It is generated when the nfsd is
> > > started.
> > >
> > > The most common cause would be the gssd daemon not running when the
> > > nfsd daemon is started. If the gssd was running when the nfsd was
> > > started and this message is logged, there is a debug option on gssd
> > > that makes it chatty and that might indicate why it is failing.
> >
> > gssd was running before nfsd was started.
> > This message does not appear if nfsd starts without gssd running,
> > but it does appear as soon as gssd is started (if nfsd is already
> > running).
> >
> > I started gssd in foreground mode (via gssd -d -v)
> > These messages appear when I start nfsd:
> > gssd_import_name: done major=0x0 minor=0
> > gssd_acquire_cred: done major=0x70000 minor=0
> > gssd_release_name: done major=0x0 minor=0
> > gssd_import_name: done major=0x0 minor=0
> > gssd_acquire_cred: done major=0x70000 minor=0
> > gssd_release_name: done major=0x0 minor=0
> > gssd_import_name: done major=0x0 minor=0
> > gssd_acquire_cred: done major=0x70000 minor=0
> > gssd_release_name: done major=0x0 minor=0
>
> 0x70000 is GSS_S_NO_CRED.
>
Yea, unfortunately I think you'll find that this is the catch-all when
you dig into the Heimdal library. (All the gssd does is take the upcalled
arguments and do the call against the library.) This is the reply the
gss_acquire_cred() library call made. Why isn't it working? I have no
idea. It is strange that "kinit -k ..." works, but this does not.

One thing to check is to see if the keytab entry has multiple encryption
types in it. If it does, you might want to re-create the keytab entry
with only the default encryption type (as set in the NFS server's
/etc/krb.conf).
I have seen problems when the keytab entry has multiple encryption
types, but I'm not sure what was broken.

Another simple thing to check is "# hostname" and make sure it has
"leonard.fs.cit-ec.net" and not "leonard", since it will use
nfs@<hostname> as the host-based name and the <hostname> must be the
fully qualified domain name.

> Maybe you could truss or similar to find out what name it's trying to
> acquire credentials for?
>
It should be nfs@leonard.fs.cit-ec.net (or nfs/leonard.fs.cit-ec.net@<REALM>
if written in the Kerberos mechanism's way). However, it can't hurt to
check and if it isn't the above, that would explain why it isn't working.

> -Ben
>
> > No log output when trying to mount NFS share on the Linux machine.
> >
> > I tried to mount it on the server itself. I'm able
> > to mount, but I can't access any files...
> >
> > [root@leonard ~]# mount -o sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> > [root@leonard ~]# su - sfrey
> > [sfrey@leonard ~]$ kinit
> > sfrey@TECHFAK.UNI-BIELEFELD.DE's Password:
> > [sfrey@leonard ~]$ ls -lad /mnt
> > ls: /mnt: Permission denied
Yea, the FreeBSD client (I didn't choose to code it this way) falls back
to AUTH_SYS when Kerberos doesn't work. I suspect if you looked at a
packet trace in wireshark, you'd see it trying AUTH_SYS for this.

rick

> > [sfrey@leonard ~]$ klist
> > Credentials cache: FILE:/tmp/krb5cc_21036
> > Principal: sfrey@TECHFAK.UNI-BIELEFELD.DE
> >
> >   Issued                Expires               Principal
> > Feb 10 08:54:31 2015  Feb 10 18:54:39 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE
> > Feb 10 08:54:36 2015  Feb 10 18:54:39 2015  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
> >
> > > Also, there is this wiki. It is somewhat out of date, but I don't
> > > think anything has changed w.r.t. the server side. (I'm not sure
> > > what the current status is w.r.t. keytab entries encrypted in newer
> > > ways than des-cbc-crc is.)
> > > https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
> >
> > I'll take a look into it. Maybe I missed something.
> >
> > Cheers,
> > Sascha
> > _______________________________________________
> > freebsd-fs@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
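The three checks Rick suggests above (decode the major status gssd printed, make sure the host-based name is built from a fully qualified hostname, and look for a keytab entry with more than one encryption type) can be scripted. The following is an added example written for this page; it is not code from FreeBSD's gssd/nfsd or from anyone in the thread. The status-code tables follow RFC 2744; the host and realm names are the ones posted in the thread; the keytab listing is constructed to resemble Heimdal `ktutil list` output and its column layout is an assumption.

```python
"""Offline helper for the three checks discussed in the thread above:
decode a GSS-API major status, derive the names nfsd will ask gssd for
from the hostname, and flag an nfs/ keytab entry with several enctypes.

Added example (not FreeBSD or mailing-list code).  The keytab listing is
constructed; its column layout (Vno, Type, Principal) is an assumption.
"""

# Routine-error values, RFC 2744 section 3.9.1 (stored at bit offset 16).
GSS_ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
# Calling errors (bit offset 24) and supplementary bits (offset 0).
GSS_CALLING_ERRORS = {1: "GSS_S_CALL_INACCESSIBLE_READ",
                      2: "GSS_S_CALL_INACCESSIBLE_WRITE",
                      3: "GSS_S_CALL_BAD_STRUCTURE"}
GSS_SUPPLEMENTARY = {1: "GSS_S_CONTINUE_NEEDED", 2: "GSS_S_DUPLICATE_TOKEN",
                     4: "GSS_S_OLD_TOKEN", 8: "GSS_S_UNSEQ_TOKEN",
                     16: "GSS_S_GAP_TOKEN"}


def decode_gss_major(major):
    """Name the calling, routine and supplementary parts of a major status.
    The value gssd logged in the thread, 0x70000, is 7 << 16 = GSS_S_NO_CRED."""
    names = []
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    supplementary = major & 0xFFFF
    if calling:
        names.append(GSS_CALLING_ERRORS.get(calling, "calling error %d" % calling))
    if routine:
        names.append(GSS_ROUTINE_ERRORS.get(routine, "routine error %d" % routine))
    for bit, name in GSS_SUPPLEMENTARY.items():
        if supplementary & bit:
            names.append(name)
    return names or ["GSS_S_COMPLETE"]


def expected_names(hostname, realm, service="nfs"):
    """Return (host-based name, Kerberos principal) for this host, or raise
    when `hostname` is the short name that Rick warns about."""
    if "." not in hostname.strip("."):
        raise ValueError("hostname %r is not fully qualified" % hostname)
    return "%s@%s" % (service, hostname), "%s/%s@%s" % (service, hostname, realm)


def keytab_enctypes(listing, principal):
    """Collect the encryption types listed for `principal` in ktutil-style
    text: lines are '<vno> <enctype> <principal> ...', header lines skipped."""
    types = set()
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].isdigit() and fields[2] == principal:
            types.add(fields[1])
    return types


# Constructed sample in the shape of Heimdal `ktutil list` output.
SAMPLE_KEYTAB_LISTING = """\
Vno  Type                     Principal
  3  aes256-cts-hmac-sha1-96  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  3  des-cbc-crc              nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des-cbc-crc              host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
"""


def diagnose(major, hostname, realm, listing):
    """Run all three checks; return a list of findings (empty means none)."""
    findings = []
    status = decode_gss_major(major)
    if status != ["GSS_S_COMPLETE"]:
        findings.append("gss_acquire_cred returned %s" % "+".join(status))
    try:
        host_based, principal = expected_names(hostname, realm)
    except ValueError as err:
        return findings + [str(err)]
    types = keytab_enctypes(listing, principal)
    if not types:
        findings.append("no keytab entry for %s (gssd asks for %s)" % (principal, host_based))
    elif len(types) > 1:
        findings.append("keytab has %d enctypes for %s: %s"
                        % (len(types), principal, ", ".join(sorted(types))))
    return findings


if __name__ == "__main__":
    for finding in diagnose(0x70000, "leonard.fs.cit-ec.net",
                            "TECHFAK.UNI-BIELEFELD.DE", SAMPLE_KEYTAB_LISTING):
        print(finding)
```

On a real server, feed `diagnose()` the major status from `gssd -d -v`, the output of `hostname`, and the output of `ktutil list` (or `ktutil -k /etc/krb5.keytab list`); a short hostname or a multi-enctype nfs/ entry are the two conditions the thread points at, and either one is worth fixing before digging into the Heimdal library itself.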