Date: Fri, 22 Feb 2013 02:02:53 +0100
From: Momchil Ivanov <momchil@xaxo.eu>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: freebsd-fs@freebsd.org, Momchil Ivanov <momchil@xaxo.eu>
Subject: Re: NFS + Kerberos
Message-ID: <86ip5lkvnm.wl%momchil@xaxo.eu>
In-Reply-To: <496437657.3199038.1361488676628.JavaMail.root@erie.cs.uoguelph.ca>
References: <d112e84c5a294f5e009e8eac4eb0cf19.squirrel@webmail.xaxo.eu> <496437657.3199038.1361488676628.JavaMail.root@erie.cs.uoguelph.ca>

At Thu, 21 Feb 2013 18:17:56 -0500 (EST),
Rick Macklem wrote:
> Error 10016 is NFS4ERR_WRONGSEC. This means that the server expects a
> different security flavour (sys maybe) at some point in the mount.

btw you have a typo, it's NFSERR_WRONGSEC. The problem is that I think
it would be hard for me to find the piece of code that issues it in my
case, so that I can understand why. Unfortunately, I am not familiar
with NFS and the kernel internals... and since there are a number of
places where it can be generated [1] and the machine that I am using
as a NFS server, is rather slow in compiling world... it would be hard
for me to instrument the code...

> I can't remember if you posted your /etc/exports file before, but
> I suspect the file system referred by the root specified in the V4:
> line isn't allowing krb5i. For example, if you wanted to mount the
> file system rooted at /home by the above, you would need the following
> 2 lines in /etc/exports.
>
> /home -sec=krb5i <host-or-network>
> V4: /home -sec=krb5i

here is my /etc/exports:

V4: /tank/storage -sec=krb5i:krb5p
/tank/storage -sec=krb5i:krb5p

> You can list other security flavours for -sec, but krb5i needs to be
> one of them.
>
> rick
> ps: Don't worry about the "can't update /var/db/mounttab". It is
>     basically harmless and can be fixed by allowing the user doing
>     the mount write access to it. If you don't do that, then the
>     mount will still work ok, it will just generate the message.

I know this :)

btw I have Kerberos working with sshd on the same machine, so I think
I have managed to set it up correctly... but the NFS server doesn't
want to work with Kerberos.. the changes you suggested were in the
right direction, since I can now see TGS-REQ lines in the KDC log, but
there might still be some bugs here, or I am doing something wrong...

Ideas are welcomed :) I would be happy to get it working.

1: http://fxr.watson.org/fxr/ident?v=FREEBSD9;i=NFSERR_WRONGSEC

Thank you,
Momchil
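
The two-line requirement discussed in this message (the `V4:` line and the file system line must both offer the flavour the client mounts with), written as a small lint. This is an added example, not part of the thread or of FreeBSD; the function names are hypothetical, the parsing is simplified, and it assumes a line without `-sec=` offers only `sys`.

```python
DEFAULT_FLAVOURS = ["sys"]  # assumption: flavour used when a line has no -sec=

def parse_exports(text):
    """Split exports(5) text into V4: entries and export entries.

    Each entry is (paths, flavours). Simplified: handles comments,
    backslash continuations and -sec=; ignores every other option.
    """
    v4, exports = [], []
    for raw in text.replace("\\\n", " ").splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        is_v4 = tokens[0] == "V4:"
        paths = [t for t in tokens if t.startswith("/")]
        flavours = list(DEFAULT_FLAVOURS)
        for t in tokens:
            if t.startswith("-sec="):
                flavours = t[len("-sec="):].split(":")
        (v4 if is_v4 else exports).append((paths, flavours))
    return v4, exports

def missing_flavour(text, wanted):
    """Return the lines at or below the V4: root that do not offer `wanted`."""
    v4, exports = parse_exports(text)
    problems = []
    for v4_paths, v4_flavours in v4:
        if not v4_paths:
            continue
        root = v4_paths[0]
        if wanted not in v4_flavours:
            problems.append(f"V4: {root} offers {':'.join(v4_flavours)}")
        prefix = root.rstrip("/") + "/"
        for paths, flavours in exports:
            for p in paths:
                if (p == root or p.startswith(prefix)) and wanted not in flavours:
                    problems.append(f"{p} offers {':'.join(flavours)}")
    return problems

# The /etc/exports quoted in the message above.
POSTED = "V4: /tank/storage -sec=krb5i:krb5p\n/tank/storage -sec=krb5i:krb5p\n"
# Constructed counter-example: the file system line lacks -sec=.
BROKEN = "V4: /home -sec=krb5i\n/home -maproot=root client.example.org\n"

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("broken", BROKEN)):
        print(name, missing_flavour(cfg, "krb5i") or "ok")
```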