Date: Tue, 3 May 2016 08:27:21 +0200
From: Julian Andrej <juan@tf.uni-kiel.de>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: freebsd-fs@freebsd.org
Subject: Re: Mounting FreeBSD NFSv4 share on Linux using krb5
Message-ID: <CABFzUT1Hi1yqCb_Mn4rewZurdO9WREBZ64kmNFTQFaf0PvPoVg@mail.gmail.com>
In-Reply-To: <1208197890.85963163.1462233461385.JavaMail.zimbra@uoguelph.ca>
References: <CABFzUT1tn5MsDrfSYnHT%2BOA5o23inbtp7hSWHRw0RMzSH_6Ecw@mail.gmail.com> <1208197890.85963163.1462233461385.JavaMail.zimbra@uoguelph.ca>

Thanks. I will try your suggestions.

I got the mount working adding "-o vers=3" to the mount. But I have not
enough experience to really figure out if the "handshake" worked. This
way I can mount the share AND I need a user TGT to access the mount, so
I guess this is correct?

On Tue, May 3, 2016 at 1:57 AM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> Julian Andrej wrote:
>> Hello,
>>
>> I'm desperately trying to mount a nfsv4 export from FreeBSD on a Linux
>> client using sec=krb5.
>>
>> So my setup is as follows:
>> FreeBSD host which is the KDC. Linux client which can auth via
>> kerberos and should be able to mount the nfs share.
>>
>> Mounting the share with sec=krb5 from FreeBSD on another FreeBSD box
>> is no problem, but it fails on the linux client. The client fails with
>>
>> $ sudo mount -t nfs4 -o sec=krb5 ***:/tank/homes mnt -vv
>> mount.nfs4: timeout set for Mon May 2 15:39:19 2016
>> mount.nfs4: trying text-based options 'sec=krb5,addr=***,clientaddr=***'
>> mount.nfs4: mount(2): Input/output error
>> mount.nfs4: mount system call failed
>>
>> and on the FreeBSD host I get the message
>>
>> gssd_pname_to_uid: failed major=0xd0000 minor=-1765328227
> The host based credential maps to "nobody", since it isn't in
> the passwd database. I'm not sure, but I think that is all this
> is saying (ie. not what is causing the mount to fail).
>
> Someone else discovered that a Linux client actually used krb5i even
> when krb5 was specified.
> --> Make sure the /etc/exports on the FreeBSD server specifies
>     sec=krb5i,krb5 (and not sec=krb5)
>     --> This will work around this issue.
> - If you already have both krb5,krb5i specified in your /etc/exports
>   then I have no idea what the failure is.
> - A first step is capturing packets (all of them and not just the
>   NFS ones) and then looking at them in wireshark. Hopefully that
>   will give you some idea where it is failing.
>
> Good luck. It can be very difficult to figure out what is causing the
> failure. Linux clients have been known to work, but I have no idea if
> all/current ones do?
>
> rick
>
>> gssd_release_name: done major=0x0 minor=0
>> gssd_release_cred: done major=0x0 minor=0
>>
>> which translates to KRB5_NO_LOCALNAME. I have the appropriate
>> principals with nfs/* for the host and client!
>>
>> I have tried heimdal from base and MIT krb5 from ports. Both show the
>> same behavior.
>>
>> The actual kernel log from linux is:
>> Mai 02 15:37:19 *** kernel: NFS: nfs4_discover_server_trunking
>> unhandled error -121. Exiting with error EIO
>>
>> Can anyone guide me to a possible solution here?
>>
>> Regards
>> Julian
>>
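
The workaround in the quoted reply (offer krb5i alongside krb5 in the server's /etc/exports) can be checked mechanically. The following is an added example, not part of the thread and not FreeBSD project code: it scans exports text for entries that accept krb5 but not krb5i. It assumes exports(5) syntax, where flavors are colon-separated (`-sec=krb5:krb5i`), and also accepts the comma form written in the message; the sample entries, paths and host names are constructed.

```python
import re

# Constructed sample in FreeBSD exports(5) syntax; paths, hosts and
# networks are made up for this example.
SAMPLE_EXPORTS = """\
# NFSv4 root
V4: /tank -sec=krb5
/tank/homes -sec=krb5 -maproot=root client.example.org
/tank/pub -sec=krb5:krb5i \\
    -network 192.0.2.0/24
/tank/scratch -ro client.example.org
"""

def logical_lines(text):
    """Yield (first_line_number, joined_line), joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf.strip():
        yield start, buf

def sec_flavors(line):
    """Return the flavors of the first -sec= option on the line, or None."""
    line = line.split("#", 1)[0]  # simplification: '#' starts a comment
    m = re.search(r"(?:^|\s)-sec=(\S+)", line)
    return re.split(r"[:,]", m.group(1)) if m else None

def krb5_without_krb5i(text):
    """Line numbers of entries that accept krb5 but do not offer krb5i."""
    hits = []
    for no, line in logical_lines(text):
        flavors = sec_flavors(line)
        if flavors and "krb5" in flavors and "krb5i" not in flavors:
            hits.append(no)
    return hits

if __name__ == "__main__":
    print(krb5_without_krb5i(SAMPLE_EXPORTS))
```

Entries with no `-sec=` option are skipped rather than flagged, since they do not request Kerberos at all.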