Date: Thu, 21 Feb 2013 21:45:59 -0500 (EST)
From: Rick Macklem
To: Momchil Ivanov
Cc: freebsd-fs@freebsd.org
Subject: Re: NFS + Kerberos
Message-ID: <1845485841.3202259.1361501159585.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <86ip5lkvnm.wl%momchil@xaxo.eu>

Momchil Ivanov wrote:
> At Thu, 21 Feb 2013 18:17:56 -0500 (EST),
> Rick Macklem wrote:
> > Error 10016 is NFS4ERR_WRONGSEC. This means that the server expects a
> > different security flavour (sys maybe) at some point in the mount.
>
> btw you have a typo, it's NFSERR_WRONGSEC.
Actually, it's called NFS4ERR_WRONGSEC in the RFC and NFSERR_WRONGSEC in
the NFS sources, just to try and confuse you;-)

> The problem is that I think it would be hard for me to find the piece of
> code that issues it in my case, so that I can understand why.
> Unfortunately, I am not familiar with NFS and the kernel internals... and
> since there are a number of places where it can be generated [1] and the
> machine that I am using as a NFS server is rather slow in compiling
> world... it would be hard for me to instrument the code...
>
> > I can't remember if you posted your /etc/exports file before, but
> > I suspect the file system referred by the root specified in the V4:
> > line isn't allowing krb5i. For example, if you wanted to mount the
> > file system rooted at /home by the above, you would need the following
> > 2 lines in /etc/exports.
> >
> > /home -sec=krb5i
> > V4: /home -sec=krb5i
>
> here is my /etc/exports:
>
> V4: /tank/storage -sec=krb5i:krb5p
> /tank/storage -sec=krb5i:krb5p
>
Just as an experiment, you could try adding "sys" to the -sec list for
both lines. If the mount works then, it would tell you that the client
isn't successfully getting a Kerberos credential and is falling back to
using "sys" (called AUTH_SYS in the RFCs, just for further confusion;-).

> > You can list other security flavours for -sec, but krb5i needs to be
> > one of them.
> >
> > rick
> > ps: Don't worry about the "can't update /var/db/mounttab". It is
> > basically harmless and can be fixed by allowing the user doing
> > the mount write access to it. If you don't do that, then the
> > mount will still work ok, it will just generate the message.
>
> I know this :)
>
> btw I have Kerberos working with sshd on the same machine, so I think
> I have managed to set it up correctly... but the NFS server doesn't
> want to work with Kerberos.. the changes you suggested were in the
> right direction, since I can now see TGS-REQ lines in the KDC log, but
> there might still be some bugs here, or I am doing something wrong...
>
> Ideas are welcomed :) I would be happy to get it working.
>
Check to see what the user's credential cache file is called. If you
"ls -l /tmp" you should be able to find it. If it isn't called
/tmp/krb5cc_<uid>, where <uid> is the uid for the user, then you will need
the recent patch applied to the gssd.c that adds a "-s" option to search
for the credential cache file in a list of directories. This patch is in
head as r244604 and stable/9 as r245089, but not in any release.
(Some sshds generate separate credential cache files for each login
session, although not the default one in the system, as far as I
understand.)

rick

> 1: http://fxr.watson.org/fxr/ident?v=FREEBSD9;i=NFSERR_WRONGSEC
>
> Thank you,
> Momchil
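The credential-cache check Rick describes, written up as an added example script that is not part of the thread: it reports whether a uid's cache sits at the default /tmp/krb5cc_<uid> that gssd expects, only under another (per-session) name, or not at all. It assumes POSIX sh and a find(1) with -uid; the function names and the demo tree are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a user's Kerberos
# credential cache is where FreeBSD's gssd looks by default
# (/tmp/krb5cc_<uid>) or only under another name, as Rick suggests.
# Assumes POSIX sh and a find(1) that supports -uid (GNU and BSD do).

# Default credential cache path for uid $2 under directory $1.
default_ccache() {
    printf '%s/krb5cc_%s\n' "$1" "$2"
}

# Print one of:
#   default - <dir>/krb5cc_<uid> exists; gssd finds it without -s
#   other   - caches owned by the uid exist only under other names
#             (e.g. per-session files); gssd needs the -s search option
#             (head r244604, stable/9 r245089 in the thread)
#   none    - no cache at all; the mount will fall back to sys/AUTH_SYS
ccache_state() {
    dir=$1; uid=$2
    if [ -f "$(default_ccache "$dir" "$uid")" ]; then
        echo default
        return 0
    fi
    found=$(find "$dir" -maxdepth 1 -type f -name 'krb5cc_*' -uid "$uid" \
            2>/dev/null | head -n 1)
    if [ -n "$found" ]; then echo other; else echo none; fi
}

# Constructed demo tree (not a real /tmp): one per-session cache only,
# which is exactly the case the thread's "-s" patch exists for.
demo() {
    d=$(mktemp -d) || return 1
    me=$(id -u)
    : > "$d/krb5cc_${me}_sshsession"
    ccache_state "$d" "$me"          # prints: other
    rm -rf "$d"
}

# Real check: check_host [dir] [uid], defaulting to /tmp and the caller.
check_host() {
    dir=${1:-/tmp}; uid=${2:-$(id -u)}
    echo "uid $uid in $dir: $(ccache_state "$dir" "$uid")"
}
```

Run `check_host` as the user doing the mount; an "other" result is the situation where gssd's "-s" search option is needed, and "none" means no ticket was obtained at all.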