Date: Fri, 19 Feb 2010 16:47:33 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: George Mamalakis <mamalos@eng.auth.gr>
Cc: freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: mountd segfaults in NFSv4 if -alldirs is present in exports
Message-ID: <Pine.GSO.4.63.1002191632540.6264@muncher.cs.uoguelph.ca>
In-Reply-To: <4B7ED454.3020404@eng.auth.gr>
References: <4B7EB1E5.3080907@eng.auth.gr> <Pine.GSO.4.63.1002191115330.24826@muncher.cs.uoguelph.ca> <4B7ED454.3020404@eng.auth.gr>

On Fri, 19 Feb 2010, George Mamalakis wrote:

>
> question 1)
>
> I want to export my /export directory with -sec=krb5 to my clients, and the
> configuration of my server and client is respectively as follows:
>
> - server:
> /etc/exports:
> V4: / -sec=krb5
> /export

You need "-sec=krb5" on the /export line as well. For example:
V4: / -sec=krb5
/export -sec=krb5

>
> /etc/rc.conf
> rpcbind_enable="YES"
> mountd_flags="-e"
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfsuserd_enable="YES"
> gssd_enable="YES"
>
> KERNEL:
> options NFSD
> options KGSSAPI
> device crypto
>
> -client:
> rc.conf:
> gssd_enable="YES"
> nfsuserd_enable="YES"
> nfsclient_enable="YES"
> rpcbind_enable="YES"
> nfs_client_flags="-n 4"
> rpc_statd_enable="YES"
> rpc_lockd_enable="YES"
>
> KERNEL:
> options KGSSAPI
> device crypto
>
all the above looks ok, at a glance.

> As I said, heimdal seems to work fine, all keytabs are where they should be,
> and I don't know how to mount the partition to my client. When I run:
>
> [root@fbsdclient ~]# mount_newnfs -onfsv4,sec=krb5 filesrv.ee.auth.gr:/export
> /mnt
> nfsv4 err=10016
> mount_newnfs: /mnt, : Input/output error
>
Unless you have applied the experimental patch that allows host based
client side credentials, mounting as root isn't going to work. Have you
looked at:
http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

You basically have to do the mount as a non-root user after that user
has acquired a valid TGT.

> An I/O error I receive if I use opensolaris as a client. The kdc.log shows
> that the clients request the nfs server's ticket (2010-02-19T19:56:29 TGS-REQ
> mamalos@EE.AUTH.GR from IPv4:192.168.100.11 for
> nfs/filesrv.ee.auth.gr@EE.AUTH.GR), so things should be working that far, but
> then they refuse to mount the partition.
>
> If I export the partition with sec=sys and try to mount it with sec=sys, it
> works fine.
>
On the server, do you have a keytab entry for
nfs/filesrv.ee.auth.gr@EE.AUTH.GR in its default keytab file
(/etc/krb5.keytab) with encryption type des-crc-cbc?

> question 2)
> At the end of nfsv4(4) man page (in the BUGS session) it states:
>
> "At this time, there is no recall of delegations for local file system
> operations. As such, delegations should only be enabled for file systems
> that are being used solely as NFS export volumes and are not being
> accessed via local system calls nor services such as Samba."
>
> Does this mean that if I manage to export my /home filesystem eventually, and
> my mailserver copies the emails to my users' maildirs (located in their home
> folder), or through another nfs mount, or a user is connected to his/her
> account both through nfsv4 and samba, then there will be a serious problem?
>
Potential problem if you enable delegations. I think they're disabled by
default. (do a "sysctl -a | grep newnfs" and look at them)

> Should I setup the nfs server in solaris and use bsd/linux nfs4 clients
> instead, to be sure that I will have no corrupted filesystems, etc? Have you
> tried mounting solaris-nfsv4 exported filesystems with the fbsd nfsclient and
> sec>=krb5?
>
I do quite a bit of testing against Solaris10, so I wouldn't expect a
problem if you use a Solaris server and fbsd8 client.

Good luck with it, rick
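
The reply above notes that "-sec=krb5" must appear on the /export line as well as on the V4: line. The following check for that mismatch is an added example, not part of the original message or of FreeBSD; the function name check_exports_sec is hypothetical, and it assumes one exports entry per line (no backslash continuations) and compares the flavor lists as exact strings.

```sh
#!/bin/sh
# Added example: report export lines whose -sec= flavor list differs from the
# one on the NFSv4 root ("V4:") line of an exports(5)-style file.
# Assumptions: one entry per line, no backslash continuations; a line with
# no -sec= option is treated as sec=sys.
check_exports_sec() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        sec = "sys"                           # no -sec= given: treated as sys
        for (i = 2; i <= NF; i++)
            if ($i ~ /^-sec=/) sec = substr($i, 6)
    }
    $1 == "V4:" { v4sec = sec; next }         # remember the NFSv4 root flavors
    { path[++n] = $1; flav[n] = sec }         # first path on the line + flavors
    END {
        if (v4sec == "") exit 0               # no V4: line, nothing to compare
        bad = 0
        for (i = 1; i <= n; i++)
            if (flav[i] != v4sec) {
                printf "MISMATCH %s sec=%s (V4 root sec=%s)\n", path[i], flav[i], v4sec
                bad = 1
            }
        exit bad                              # non-zero when any line differs
    }' "$1"
}

# Run against a file when one is given on the command line.
if [ $# -gt 0 ]; then
    check_exports_sec "$1"
fi
```

Run it as a script with the exports file as its argument, for instance /etc/exports; it exits non-zero and prints one MISMATCH line per export entry that lacks the V4: line's flavors.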