Date: Mon, 2 May 2016 19:57:41 -0400 (EDT)
From: Rick Macklem
To: Julian Andrej
Cc: freebsd-fs@freebsd.org
Message-ID: <1208197890.85963163.1462233461385.JavaMail.zimbra@uoguelph.ca>
Subject: Re: Mounting FreeBSD NFSv4 share on Linux using krb5

Julian Andrej wrote:
> Hello,
>
> i'm desperately trying to mount a nfsv4 export from FreeBSD on a Linux
> client using sec=krb5.
>
> So my setup is as follows:
> FreeBSD host which is the KDC. Linux client which can auth via
> kerberos and should be able to mount the nfs share.
>
> Mounting the share with sec=krb5 from FreeBSD on another FreeBSD box
> is no problem, but it fails on the linux client.
> The client fails with
>
> $ sudo mount -t nfs4 -o sec=krb5 ***:/tank/homes mnt -vv
> mount.nfs4: timeout set for Mon May 2 15:39:19 2016
> mount.nfs4: trying text-based options 'sec=krb5,addr=***,clientaddr=***'
> mount.nfs4: mount(2): Input/output error
> mount.nfs4: mount system call failed
>
> and on the FreeBSD host i get the message
>
> gssd_pname_to_uid: failed major=0xd0000 minor=-1765328227
The host based credential maps to "nobody", since it isn't in the passwd
database. I'm not sure, but I think that is all this is saying (ie. not what
is causing the mount to fail).

Someone else discovered that a Linux client actually used krb5i even when
krb5 was specified.
--> Make sure the /etc/exports on the FreeBSD server specifies
    sec=krb5i,krb5 (and not sec=krb5)
--> This will work around this issue.
- If you already have both krb5,krb5i specified in your /etc/exports then
  I have no idea what the failure is.
- A first step is capturing packets (all of them and not just the NFS ones)
  and then looking at them in wireshark. Hopefully that will give you some
  idea where it is failing.

Good luck. It can be very difficult to figure out what is causing the failure.
Linux clients have been known to work, but I have no idea if all/current
ones do?

rick

> gssd_release_name: done major=0x0 minor=0
> gssd_release_cred: done major=0x0 minor=0
>
> which translates to KRB5_NO_LOCALNAME. I have the appropriate
> principals with nfs/* for the host and client!
>
> I have tried heimdal from base and MIT krb5 from ports. Both show the
> same behavior.
>
> The actual kernel log from linux is:
> Mai 02 15:37:19 *** kernel: NFS: nfs4_discover_server_trunking
> unhandled error -121. Exiting with error EIO
>
> Can anyone guide me to a possible solution here?
>
> Regards
> Julian
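
The workaround in the reply above (offer krb5i alongside krb5 in the server's /etc/exports) can be checked mechanically. The script below is an added example, not part of the original message or of FreeBSD; it assumes the exports(5) form of a `-sec=` option with a colon-separated flavor list, and the sample exports content and function names are constructed for illustration.

```python
import re

# Constructed sample /etc/exports content (not from the original message).
SAMPLE_EXPORTS = """\
# NFSv4 root and per-filesystem exports
V4: /tank -sec=krb5
/tank/homes -sec=krb5 -network 192.0.2.0 -mask 255.255.255.0
/tank/media -sec=krb5:krb5i \\
    -network 192.0.2.0 -mask 255.255.255.0
/tank/pub -ro
"""

def logical_lines(text):
    """Yield (first_line_no, entry): comments dropped, backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():  # file ended on a continuation line
        yield start, buf.strip()

def exports_missing_krb5i(text):
    """Return (line_no, flavors) for entries that offer krb5 but not krb5i."""
    findings = []
    for n, entry in logical_lines(text):
        m = re.search(r"-sec=([^\s,]+)", entry)
        if not m:
            continue  # no -sec= option on this entry, nothing to check
        flavors = m.group(1).split(":")  # assumption: colon-separated list
        if "krb5" in flavors and "krb5i" not in flavors:
            findings.append((n, flavors))
    return findings

if __name__ == "__main__":
    for n, flavors in exports_missing_krb5i(SAMPLE_EXPORTS):
        print(f"line {n}: -sec={':'.join(flavors)} lacks krb5i")
```

Passing the contents of the server's real /etc/exports to `exports_missing_krb5i` lists the entries that would need krb5i added for the workaround.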