Date:      Mon, 2 May 2016 19:57:41 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Julian Andrej <juan@tf.uni-kiel.de>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: Mounting FreeBSD NFSv4 share on Linux using krb5
Message-ID:  <1208197890.85963163.1462233461385.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <CABFzUT1tn5MsDrfSYnHT%2BOA5o23inbtp7hSWHRw0RMzSH_6Ecw@mail.gmail.com>
References:  <CABFzUT1tn5MsDrfSYnHT%2BOA5o23inbtp7hSWHRw0RMzSH_6Ecw@mail.gmail.com>

Julian Andrej wrote:
> Hello,
> 
> I'm desperately trying to mount a nfsv4 export from FreeBSD on a Linux
> client using sec=krb5.
> 
> So my setup is as follows:
> FreeBSD host which is the KDC. Linux client which can auth via
> kerberos and should be able to mount the nfs share.
> 
> Mounting the share with sec=krb5 from FreeBSD on another FreeBSD box
> is no problem, but it fails on the linux client. The client fails with
> 
> $ sudo mount -t nfs4 -o sec=krb5 ***:/tank/homes mnt -vv
> mount.nfs4: timeout set for Mon May  2 15:39:19 2016
> mount.nfs4: trying text-based options 'sec=krb5,addr=***,clientaddr=***'
> mount.nfs4: mount(2): Input/output error
> mount.nfs4: mount system call failed
> 
> and on the FreeBSD host I get the message
> 
> gssd_pname_to_uid: failed major=0xd0000 minor=-1765328227
The host based credential maps to "nobody", since it isn't in
the passwd database. I'm not sure, but I think that is all this
is saying (ie. not what is causing the mount to fail).

Someone else discovered that a Linux client actually used krb5i even
when krb5 was specified.
--> Make sure the /etc/exports on the FreeBSD server specifies
   sec=krb5i,krb5 (and not sec=krb5)
   --> This will work around this issue.
- If you already have both krb5,krb5i specified in your /etc/exports
  then I have no idea what the failure is.
  - A first step is capturing packets (all of them and not just the
    NFS ones) and then looking at them in wireshark. Hopefully that
    will give you some idea where it is failing.

Good luck. It can be very difficult to figure out what is causing the
failure. Linux clients have been known to work, but I have no idea if
all/current ones do?

rick

> gssd_release_name: done major=0x0 minor=0
> gssd_release_cred: done major=0x0 minor=0
> 
> which translates to KRB5_NO_LOCALNAME. I have the appropriate
> principals with nfs/* for the host and client!
> 
> I have tried heimdal from base and MIT krb5 from ports. Both show the
> same behavior.
> 
> The actual kernel log from linux is:
> Mai 02 15:37:19 *** kernel: NFS: nfs4_discover_server_trunking
> unhandled error -121. Exiting with error EIO
> 
> Can anyone guide me to a possible solution here?
> 
> Regards
> Julian
> 
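
An added example, not part of the original thread: a shell check for the /etc/exports condition described in the reply, listing entries that offer krb5 without krb5i. It assumes the FreeBSD exports(5) syntax, where flavors are colon-separated (-sec=krb5i:krb5) and options in one group are comma-separated; the names check_exports and sample_exports and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reports exports(5) entries whose -sec= flavor list contains
# krb5 but not krb5i, the case where a client that negotiates krb5i is refused.
# Prints "line N (first field) sec=<flavors>" per finding; status 1 if any.
check_exports() {
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }    # join continued lines
    {
        line = buf $0; buf = ""
        if (line ~ /^[ \t]*(#|$)/) next                  # comments, blank lines
        n = split(line, field, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (field[i] !~ /^-/) continue               # not an option group
            m = split(substr(field[i], 2), opt, ",")     # -a,b,c is three options
            for (j = 1; j <= m; j++) {
                if (opt[j] !~ /^sec=/) continue
                flavors = substr(opt[j], 5)
                has_krb5 = 0; has_krb5i = 0
                k = split(flavors, fl, ":")              # flavors use colons
                for (x = 1; x <= k; x++) {
                    if (fl[x] == "krb5")  has_krb5 = 1
                    if (fl[x] == "krb5i") has_krb5i = 1
                }
                if (has_krb5 && !has_krb5i) {
                    printf "line %d (%s) sec=%s\n", NR, field[1], flavors
                    bad = 1
                }
            }
        }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample exports file (paths and hosts are made up).
sample_exports() {
    cat <<'EOF'
# constructed sample
V4: /tank -sec=krb5
/tank/homes -maproot=root -sec=krb5i:krb5 client1
/tank/pub -alldirs,ro,sec=sys
/tank/data -maproot=root \
    -sec=krb5:krb5p client2
EOF
}
```

Run it as `check_exports /etc/exports` on the server; a continued entry is reported at the number of its last physical line.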