From: Rick Macklem <rmacklem@uoguelph.ca>
To: Momchil Ivanov
Cc: freebsd-fs@freebsd.org, Elias Martenson
Date: Fri, 22 Feb 2013 19:04:23 -0500 (EST)
Subject: Re: NFS + Kerberos
Message-ID: <1103491143.3229700.1361577863159.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <86txp4gpes.wl%momchil@xaxo.eu>
List-Id: Filesystems <freebsd-fs@freebsd.org>

Momchil Ivanov wrote:
> At Thu, 21 Feb 2013 21:45:59 -0500 (EST),
> Rick Macklem wrote:
> >
> > Momchil Ivanov wrote:
> > > At Thu, 21 Feb 2013 18:17:56 -0500 (EST),
> > > Rick Macklem wrote:
> > > > Error 10016 is NFS4ERR_WRONGSEC. This means that the server
> > > > expects a different security flavour (sys maybe) at some point
> > > > in the mount.
> > >
> > > btw you have a typo, it's NFSERR_WRONGSEC.
> > Actually, it's called NFS4ERR_WRONGSEC in the RFC and
> > NFSERR_WRONGSEC in the NFS sources, just to try and confuse you;-)
>
> ok :)
>
> > Just as an experiment, you could try adding "sys" to the -sec list
> > for both lines. If the mount works then, it would tell you that the
> > client isn't successfully getting a Kerberos credential and is
> > falling back to using "sys" (called AUTH_SYS in the RFCs, just for
> > further confusion;-).
>
> I can mount with the following /etc/exports file:
>
> V4: /tank/storage -sec=sys:krb5i:krb5p
> /tank/storage -sec=sys:krb5i:krb5p
>
> and the command:
>
> mount -t nfs -o nfsv4,sec=sys srv.example.local:/ /mnt/srv
>
> and without a Kerberos ticket I can also mount with:
>
> mount -t nfs -o nfsv4,sec=krb5i srv.example.local:/ /mnt/srv
> mount -t nfs -o nfsv4,sec=krb5p srv.example.local:/ /mnt/srv
>
> so it falls back to sys...
>
> ...
>
> > Check to see what the user's credential cache file is called.
> > If you "ls -l /tmp" you should be able to find it.
> >
> > If it isn't called /tmp/krb5cc_<uid>, where <uid> is the uid for
> > the user, then you will need the recent patch applied to the gssd.c
> > that adds a "-s" option to search for the credential cache file in a
> > list of directories. This patch is in head as r244604 and stable/9
> > as r245089, but not in any release. (Some sshds generate separate
> > credential cache files for each login session, although not the
> > default one in the system, as far as I understand.)
>
> on the client machine with FreeBSD 8.2-STABLE as of around Dec 2011,
> the file exists and is /tmp/krb5cc_1001, where 1001 is the uid of the
> user that I am using to mount the nfs file system.
>
Ok, so you don't need the "-s" option for the gssd.

> I have also tried to mount the file system from the server (FreeBSD
> 9.1) on the server itself using the same commands. I do get the
> nfs/srv.example.local@EXAMPLE.LOCAL ticket, but it dies with the same
> error:
>
> nfsv4 err=10016
> mount_nfs: /mnt/srv, : Input/output error
>
> is there some way I can get verbose output from nfsd or gssd that
> tells me why it is failing, or do you have any other ideas :) ?
>
You can run "gssd -d -d" and it will run in foreground and print out
messages related to resource allocation. This isn't much use, except to
tell you that it is doing something. (Adding a "verbose" option is on my
"to do" list, but I don't have any code at this time. If someone wants
to do this, I think it would be great.)

If you do this, don't have it started at boot (gssd_enable="NO" in
/etc/rc.conf) and then do the above command as root in a window before
attempting the mount command.

Beyond that, you could add printfs to gssd.c. The main client side
function is gssd_init_sec_context(), which should get the Kerberos
ticket for a user via their TGT.

I've added Elias to the cc list, since he just went through this and
might be able to help.

rick

> Thank you,
> Momchil
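Two checks that follow from the exchange above, written as an added example and not taken from the thread or from FreeBSD's own tools. The first reads an exports(5) file and reports every export whose -sec list contains "sys", which is exactly the configuration under which Momchil's ticket-less client silently fell back to AUTH_SYS even when the mount asked for krb5i or krb5p; an export with no -sec option at all is reported too, on the assumption (taken from exports(5)) that it defaults to sys. The second checks whether a credential cache file has the /tmp/krb5cc_<uid> name that the unpatched gssd looks for, the case in which Rick says the "-s" option is not needed. The sample exports file, the /tank/private and /tank/legacy lines and the -maproot option are constructed for the demo and are not from the poster's configuration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from FreeBSD).
# Assumptions: exports(5) syntax as shown in the thread ("-sec=" holding a
# colon-separated flavour list); a line without -sec defaults to sys
# (assumed from exports(5)); gssd without -s looks for /tmp/krb5cc_<uid>.

# Write a constructed sample exports file (NOT the poster's real file)
# to the path given in $1.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample exports file
V4: /tank/storage -sec=sys:krb5i:krb5p
/tank/storage -sec=sys:krb5i:krb5p
/tank/private -sec=krb5p
/tank/legacy -maproot=root
EOF
}

# Read the exports file in $1 and print one report line per export:
#   ALLOWS_SYS:  <line>   "sys" is in the -sec list (ticket-less fallback)
#   DEFAULT_SYS: <line>   no -sec option at all (assumed default: sys)
#   KRB_ONLY:    <line>   -sec present and sys not listed
audit_exports_sec() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac   # blank line or comment
        sec=
        for tok in $line; do
            case "$tok" in -sec=*) sec=${tok#-sec=} ;; esac
        done
        if [ -z "$sec" ]; then
            printf 'DEFAULT_SYS: %s\n' "$line"
            continue
        fi
        # Wrap the list in colons so "sys" must match a whole element.
        case ":$sec:" in
            *:sys:*) printf 'ALLOWS_SYS: %s\n' "$line" ;;
            *)       printf 'KRB_ONLY: %s\n' "$line" ;;
        esac
    done < "$1"
}

# Return 0 if the credential cache path in $2 (with or without the
# "FILE:" prefix that KRB5CCNAME may carry) is /tmp/krb5cc_<uid> for the
# uid in $1, i.e. the name the unpatched gssd searches for; return 1
# otherwise, the case where the "-s" option (r244604 / r245089) is needed.
ccache_is_default_name() {
    cc=${2#FILE:}
    [ "$cc" = "/tmp/krb5cc_$1" ]
}

# Demo on the constructed sample.
demo() {
    f=$(mktemp) || return 1
    write_sample_exports "$f"
    audit_exports_sec "$f"
    rm -f "$f"
    if ccache_is_default_name 1001 /tmp/krb5cc_1001; then
        echo "ccache /tmp/krb5cc_1001: default name, gssd -s not needed"
    fi
    if ! ccache_is_default_name 1001 /tmp/krb5cc_1001_XXXXXX; then
        echo "ccache /tmp/krb5cc_1001_XXXXXX: per-session name, gssd -s needed"
    fi
}

demo
```

Run it as `sh audit_nfs_sec.sh` (any file name) on a FreeBSD or other POSIX system; to audit a real server, replace the `audit_exports_sec "$f"` call in `demo` with `audit_exports_sec /etc/exports`. Any ALLOWS_SYS line means a client with no Kerberos ticket can still mount that export as AUTH_SYS, so "sys" belongs in the list only while debugging, as in Rick's experiment, not in production.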