Date: Fri, 22 Feb 2013 19:43:39 +0100
From: Momchil Ivanov <momchil@xaxo.eu>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: freebsd-fs@freebsd.org, Momchil Ivanov <momchil@xaxo.eu>
Subject: Re: NFS + Kerberos
Message-ID: <86txp4gpes.wl%momchil@xaxo.eu>
In-Reply-To: <1845485841.3202259.1361501159585.JavaMail.root@erie.cs.uoguelph.ca>
References: <86ip5lkvnm.wl%momchil@xaxo.eu> <1845485841.3202259.1361501159585.JavaMail.root@erie.cs.uoguelph.ca>

At Thu, 21 Feb 2013 21:45:59 -0500 (EST),
Rick Macklem wrote:
>
> Momchil Ivanov wrote:
> > At Thu, 21 Feb 2013 18:17:56 -0500 (EST),
> > Rick Macklem wrote:
> > > Error 10016 is NFS4ERR_WRONGSEC. This means that the server expects
> > > a different security flavour (sys maybe) at some point in the mount.
> >
> > btw you have a typo, it's NFSERR_WRONGSEC.
> Actually, it's called NFS4ERR_WRONGSEC in the RFC and NFSERR_WRONGSEC in
> the NFS sources, just to try and confuse you;-)

ok :)

> Just as an experiment, you could try adding "sys" to the -sec list
> for both lines. If the mount works then, it would tell you that the
> client isn't successfully getting a Kerberos credential and is
> falling back to using "sys" (called AUTH_SYS in the RFCs, just for
> further confusion;-).

I can mount with the following /etc/exports file:

  V4: /tank/storage -sec=sys:krb5i:krb5p
  /tank/storage -sec=sys:krb5i:krb5p

and the command:

  mount -t nfs -o nfsv4,sec=sys srv.example.local:/ /mnt/srv

and without a kerberos ticket I can also mount with:

  mount -t nfs -o nfsv4,sec=krb5i srv.example.local:/ /mnt/srv
  mount -t nfs -o nfsv4,sec=krb5p srv.example.local:/ /mnt/srv

so it falls back to sys...

...

> Check to see what the user's credential cache file is called.
> If you "ls -l /tmp" you should be able to find it.
>
> If it isn't called /tmp/krb5cc_<uid>, where <uid> is the uid for
> the user, then you will need the recent patch applied to the gssd.c
> that adds a "-s" option to search for the credential cache file in a
> list of directories. This patch is in head as r244604 and stable/9 as
> r245089, but not in any release. (Some sshds generate separate
> credential cache files for each login session, although not the
> default one in the system, as far as I understand.)

on the client machine with FreeBSD 8.2-STABLE as of around Dec 2011,
the file exists and is /tmp/krb5cc_1001, where 1001 is the uid of the
user that I am using to mount the nfs file system.

I have also tried to mount the file system from the server (FreeBSD
9.1) on the server itself using the same commands, I do get the
nfs/srv.example.local@EXAMPLE.LOCAL ticket, but it dies with the same
error:

  nfsv4 err=10016
  mount_nfs: /mnt/srv, : Input/output error

is there some way I can get verbose output from nfsd or gssd that
tells me why it is failing, or do you have any other ideas :) ?

Thank you,
Momchil
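
Added example, not part of the original message or of FreeBSD: a small sh/awk audit that reports which exports lines offer "sys" alongside Kerberos flavours in their -sec list, the configuration under which the message reports krb5i/krb5p mounts succeeding without a ticket. The function name `audit_sec`, the status labels and the third sample line are constructed for illustration; only the `-sec=a:b:c` form shown above is parsed and backslash-continued lines are not joined.

```shell
#!/bin/sh
# Added example: classify the -sec= flavour list on each exports line.
# audit_sec FILE prints "LINE_NO: STATUS: flavours" for every line with -sec=
#   MIXED    sys offered together with krb5/krb5i/krb5p (sys fallback possible)
#   SYS_ONLY only sys          KRB_ONLY only Kerberos flavours
#   UNKNOWN  list contains a flavour this script does not recognise
audit_sec() {
    awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    {
        sec = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^-sec=/) sec = substr($i, 6)   # text after "-sec="
        if (sec == "") next                  # no explicit -sec on this line
        n = split(sec, fl, ":")
        has_sys = 0; has_krb = 0; has_other = 0
        for (j = 1; j <= n; j++) {
            if (fl[j] == "sys") has_sys = 1
            else if (fl[j] ~ /^krb5[ip]?$/) has_krb = 1
            else has_other = 1
        }
        if (has_other)                status = "UNKNOWN"
        else if (has_sys && has_krb)  status = "MIXED"
        else if (has_sys)             status = "SYS_ONLY"
        else                          status = "KRB_ONLY"
        printf "%d: %s: %s\n", NR, status, sec
    }' "$1"
}

# Demo: the two exports lines quoted in the message plus one constructed
# Kerberos-only line for contrast.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
V4: /tank/storage -sec=sys:krb5i:krb5p
/tank/storage -sec=sys:krb5i:krb5p
/tank/secure -sec=krb5i:krb5p
EOF
audit_sec "$demo_file"
rm -f "$demo_file"
```

A line reported as MIXED is one where a successful mount does not by itself show that a Kerberos credential was used.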