From: Momchil Ivanov
To: Rick Macklem
Cc: freebsd-fs@freebsd.org
Subject: Re: NFS + Kerberos
Date: Fri, 22 Feb 2013 19:43:39 +0100

At Thu, 21 Feb 2013 21:45:59 -0500 (EST),
Rick Macklem wrote:
>
> Momchil Ivanov wrote:
> > At Thu, 21 Feb 2013 18:17:56 -0500 (EST),
> > Rick Macklem wrote:
> > > Error 10016 is NFS4ERR_WRONGSEC. This means that the server expects a
> > > different security flavour (sys maybe) at some point in the mount.
> >
> > btw you have a typo, it's NFSERR_WRONGSEC.
> Actually, it's called NFS4ERR_WRONGSEC in the RFC and NFSERR_WRONGSEC in
> the NFS sources, just to try and confuse you;-)

ok :)

> Just as an experiment, you could try adding "sys" to the -sec list
> for both lines. If the mount works then, it would tell you that the
> client isn't successfully getting a Kerberos credential and is
> falling back to using "sys" (called AUTH_SYS in the RFCs, just for
> further confusion;-).

I can mount with the following /etc/exports file:

    V4: /tank/storage -sec=sys:krb5i:krb5p
    /tank/storage -sec=sys:krb5i:krb5p

and the command:

    mount -t nfs -o nfsv4,sec=sys srv.example.local:/ /mnt/srv

and without a kerberos ticket I can also mount with:

    mount -t nfs -o nfsv4,sec=krb5i srv.example.local:/ /mnt/srv
    mount -t nfs -o nfsv4,sec=krb5p srv.example.local:/ /mnt/srv

so it falls back to sys...

...

> Check to see what the user's credential cache file is called.
> If you "ls -l /tmp" you should be able to find it.
>
> If it isn't called /tmp/krb5cc_, where is the uid for
> the user, then you will need the recent patch applied to the gssd.c
> that adds a "-s" option to search for the credential cache file in a list of
> directories. This patch is in head as r244604 and stable/9 as
> r245089, but not in any release. (Some sshds generate separate
> credential cache files for each login session, although not the
> default one in the system, as far as I understand.)

on the client machine with FreeBSD 8.2-STABLE as of around Dec 2011,
the file exists and is /tmp/krb5cc_1001, where 1001 is the uid of the
user that I am using to mount the nfs file system.

I have also tried to mount the file system from the server (FreeBSD 9.1)
on the server itself using the same commands, I do get the
nfs/srv.example.local@EXAMPLE.LOCAL ticket, but it dies with the same
error:

    nfsv4 err=10016
    mount_nfs: /mnt/srv, : Input/output error

is there some way I can get verbose output from nfsd or gssd that tells
me why it is failing, or do you have any other ideas :) ?

Thank you,
Momchil
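An added example, not part of the original message or of FreeBSD: a small shell audit that reports which exports(5) lines still accept "sys", the condition under which the krb5i/krb5p mounts above succeeded without a ticket. The function names, the status labels and the /tank/secure and /tank/legacy sample lines are constructed for illustration; it assumes one export per line with no backslash continuations.

```sh
#!/bin/sh
# Added example: report, per exports(5) line, whether AUTH_SYS ("sys") is
# still an accepted flavour. Function names and status labels are hypothetical.
#   SYS_ALLOWED  "sys" is in the -sec list, or -sec is absent (default is sys)
#   KRB5_ONLY    only Kerberos flavours (krb5, krb5i, krb5p) are listed
audit_exports_sec() {
    awk '
        /^[ \t]*#/ { next }                 # comment line
        NF == 0    { next }                 # blank line
        {
            sec = "sys"                     # default when no -sec option
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 1) != "-") continue
                # options may be comma-joined, e.g. -ro,sec=krb5p
                m = split(substr($i, 2), opt, ",")
                for (k = 1; k <= m; k++)
                    if (opt[k] ~ /^sec=/) sec = substr(opt[k], 5)
            }
            # V4: lines name the NFSv4 root; keep the tag in the report
            path = ($1 == "V4:") ? ("V4:" $2) : $1
            status = "KRB5_ONLY"
            n = split(sec, fl, ":")
            for (j = 1; j <= n; j++)
                if (fl[j] == "sys") status = "SYS_ALLOWED"
            print status, path, sec
        }
    ' "$@"
}

# Constructed sample: the two lines from the message plus two made-up exports.
sample_exports() {
    cat <<'EOF'
V4: /tank/storage -sec=sys:krb5i:krb5p
/tank/storage -sec=sys:krb5i:krb5p
/tank/secure -sec=krb5i:krb5p
/tank/legacy -maproot=root
EOF
}

sample_exports | audit_exports_sec
```

Run it as `audit_exports_sec /etc/exports` on the server; any line reported as SYS_ALLOWED will accept a client that could not obtain a Kerberos credential.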