From: Rick Macklem
Date: Fri, 19 Feb 2010 16:47:33 -0500 (EST)
To: George Mamalakis
Cc: freebsd-stable
Subject: Re: mountd segfaults in NFSv4 if -alldirs is present in exports

On Fri, 19 Feb 2010, George Mamalakis wrote:

>
> question 1)
>
> I want to export my /export directory with -sec=krb5 to my clients, and the
> configuration of my server and client is respectively as follows:
>
> - server:
> /etc/exports:
> V4: / -sec=krb5
> /export

You need "-sec=krb5" on the /export line as well. For example:

V4: / -sec=krb5
/export -sec=krb5

>
> /etc/rc.conf
> rpcbind_enable="YES"
> mountd_flags="-e"
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfsuserd_enable="YES"
> gssd_enable="YES"
>
> KERNEL:
> options NFSD
> options KGSSAPI
> device crypto
>
> -client:
> rc.conf:
> gssd_enable="YES"
> nfsuserd_enable="YES"
> nfsclient_enable="YES"
> rpcbind_enable="YES"
> nfs_client_flags="-n 4"
> rpc_statd_enable="YES"
> rpc_lockd_enable="YES"
>
> KERNEL:
> options KGSSAPI
> device crypto
>

all the above looks ok, at a glance.

> As I said, heimdal seems to work fine, all keytabs are where they should be,
> and I don't know how to mount the partition to my client. When I run:
>
> [root@fbsdclient ~]# mount_newnfs -onfsv4,sec=krb5 filesrv.ee.auth.gr:/export /mnt
> nfsv4 err=10016
> mount_newnfs: /mnt, : Input/output error
>

Unless you have applied the experimental patch that allows host based
client side credentials, mounting as root isn't going to work. Have you
looked at:

http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

You basically have to do the mount as a non-root user after that user has
acquired a valid TGT.

> An I/O error I receive if I use opensolaris as a client.
> The kdc.log shows that the clients request the nfs server's ticket
> (2010-02-19T19:56:29 TGS-REQ mamalos@EE.AUTH.GR from IPv4:192.168.100.11 for
> nfs/filesrv.ee.auth.gr@EE.AUTH.GR), so things should be working that far, but
> then they refuse to mount the partition.
>
> If I export the partition with sec=sys and try to mount it with sec=sys, it
> works fine.
>

On the server, do you have a keytab entry for
nfs/filesrv.ee.auth.gr@EE.AUTH.GR in its default keytab file
(/etc/krb5.keytab) with encryption type des-crc-cbc?

> question 2)
> At the end of nfsv4(4) man page (in the BUGS session) it states:
>
> "At this time, there is no recall of delegations for local file system
> operations. As such, delegations should only be enabled for file systems
> that are being used soley as NFS export volumes and are not being
> accessed via local system calls nor services such as Samba."
>
> Does this mean that if I manage to export my /home filesystem eventually, and
> my mailserver copies the emails to my users' maildirs (located in their home
> folder), or through another nfs mount, or a user is connected to his/her
> account both through nfsv4 and samba, then there will be a serious problem?
>

Potential problem if you enable delegations. I think they're disabled by
default. (do a "sysctl -a | grep newnfs" and look at them)

> Should I setup the nfs server in solaris and use bsd/linux nfs4 clients
> instead, to be sure that I will have no corrupted filesystems, etc? Have you
> tried mounting solaris-nfsv4 exported filesystems with the fbsd nfsclient and
> sec>=krb5?
>

I do quite a bit of testing against Solaris10, so I wouldn't expect a
problem if you use a Solaris server and fbsd8 client.

Good luck with it, rick
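
Added example (not part of the original message and not FreeBSD code): an sh/awk check for the exports mistake corrected in the reply above, where the "V4:" line carries -sec=krb5 but the exported directory line does not. The function name check_exports_sec is hypothetical; it assumes one export per line with no backslash continuations, and that a line without -sec gets the default flavor sys.

```shell
#!/bin/sh
# Added example: list export lines whose -sec= flavor list lacks a Kerberos
# flavor that the "V4:" root line of the same exports file names.

check_exports_sec() {
    # $1: path to an exports(5)-style file. Prints one line per mismatch:
    #   <line number> <first path on the line> missing=<flavor[,flavor]>
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
    {
        sec = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^-sec=/) sec = substr($i, 6)
        if ($1 == "V4:") { v4sec = sec; next }   # NFSv4 root line
        if ($1 !~ /^\//) next                    # not an export path line
        n++; line[n] = NR; path[n] = $1; flav[n] = sec
    }
    END {                                        # V4: may come last, so compare here
        nreq = split(v4sec, req, ":")
        for (k = 1; k <= n; k++) {
            # assumption: no -sec option means the default flavor, sys
            have = ":" (flav[k] == "" ? "sys" : flav[k]) ":"
            missing = ""
            for (j = 1; j <= nreq; j++)
                if (req[j] ~ /^krb5/ && index(have, ":" req[j] ":") == 0)
                    missing = missing (missing == "" ? "" : ",") req[j]
            if (missing != "")
                print line[k], path[k], "missing=" missing
        }
    }' "$1"
}

# Demo on the two /etc/exports variants quoted in the thread, written to
# constructed temporary files.
tmp=$(mktemp -d)
printf 'V4: / -sec=krb5\n/export\n' > "$tmp/before"
printf 'V4: / -sec=krb5\n/export -sec=krb5\n' > "$tmp/after"
check_exports_sec "$tmp/before"    # 2 /export missing=krb5
check_exports_sec "$tmp/after"     # (no output)
rm -rf "$tmp"
```
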