From owner-freebsd-fs@freebsd.org Tue May 3 12:32:34 2016
Date: Tue, 3 May 2016 08:32:29 -0400 (EDT)
From: Rick Macklem
To: Julian Andrej
Cc: freebsd-fs@freebsd.org
Message-ID: <182310165.86321733.1462278749938.JavaMail.zimbra@uoguelph.ca>
References: <1208197890.85963163.1462233461385.JavaMail.zimbra@uoguelph.ca>
Subject: Re: Mounting FreeBSD NFSv4 share on Linux using krb5

Julian Andrej wrote:
> Thanks. I will try your suggestions. I got the mount working adding
> "-o vers=3" to the mount. But I have not enough experience to really
> figure out if the "handshake" worked. This way I can mount the share
> AND I need a user TGT to access the mount, so I guess this is correct?
>
That is correct. At least for the FreeBSD client (and I think the Linux
one is the same), no host-based client credential is needed for an NFSv3
kerberized mount. (The host-based credential is used for the NFSv4 state
related ops and there are none of those for NFSv3.)
Basically if the NFSv3 mount works and a user with a valid TGT can access
their files, the krb5 stuff is working.
Normally for NFSv4 you need a user TGT as well, to access files after the
mount is done.
--> Hopefully the addition of "krb5i" will fix the NFSv4 case, since the guy
    who found this mentioned NFSv3 worked ok.
Btw, the little patch in head under r298523 might help, although the original
reporter didn't report back w.r.t. whether it helped.
http://svnweb.freebsd.org/base/head/sys/fs/nfsserver/nfs_nfsdsubs.c?r1=297793&r2=298523

> On Tue, May 3, 2016 at 1:57 AM, Rick Macklem wrote:
> > Julian Andrej wrote:
> >> Hello,
> >>
> >> I'm desperately trying to mount an nfsv4 export from FreeBSD on a Linux
> >> client using sec=krb5.
> >>
> >> So my setup is as follows:
> >> FreeBSD host which is the KDC. Linux client which can auth via
> >> kerberos and should be able to mount the nfs share.
> >>
> >> Mounting the share with sec=krb5 from FreeBSD on another FreeBSD box
> >> is no problem, but it fails on the linux client. The client fails with
> >>
> >> $ sudo mount -t nfs4 -o sec=krb5 ***:/tank/homes mnt -vv
> >> mount.nfs4: timeout set for Mon May 2 15:39:19 2016
> >> mount.nfs4: trying text-based options 'sec=krb5,addr=***,clientaddr=***'
> >> mount.nfs4: mount(2): Input/output error
> >> mount.nfs4: mount system call failed
> >>
> >> and on the FreeBSD host I get the message
> >>
> >> gssd_pname_to_uid: failed major=0xd0000 minor=-1765328227
> > The host based credential maps to "nobody", since it isn't in
> > the passwd database. I'm not sure, but I think that is all this
> > is saying (ie. not what is causing the mount to fail).
> >
> > Someone else discovered that a Linux client actually used krb5i even
> > when krb5 was specified.
> > --> Make sure the /etc/exports on the FreeBSD server specifies
> > sec=krb5i,krb5 (and not sec=krb5)
> > --> This will work around this issue.
> > - If you already have both krb5,krb5i specified in your /etc/exports
> > then I have no idea what the failure is.
> > - A first step is capturing packets (all of them and not just the
> > NFS ones) and then looking at them in wireshark. Hopefully that
> > will give you some idea where it is failing.
> >
> > Good luck. It can be very difficult to figure out what is causing the
> > failure. Linux clients have been known to work, but I have no idea if
> > all/current ones do?
> >
> > rick
> >
> >> gssd_release_name: done major=0x0 minor=0
> >> gssd_release_cred: done major=0x0 minor=0
> >>
> >> which translates to KRB5_NO_LOCALNAME. I have the appropriate
> >> principals with nfs/* for the host and client!
> >>
> >> I have tried heimdal from base and MIT krb5 from ports. Both show the
> >> same behavior.
> >>
> >> The actual kernel log from linux is:
> >> Mai 02 15:37:19 *** kernel: NFS: nfs4_discover_server_trunking
> >> unhandled error -121. Exiting with error EIO
> >>
> >> Can anyone guide me to a possible solution here?
> >>
> >> Regards
> >> Julian
> >>
>
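The /etc/exports workaround Rick gives above (offer krb5i alongside krb5, not krb5 alone), as an added check that is not part of the thread: a small lint that flags export lines whose -sec= list carries krb5 without krb5i. The sample exports file is constructed, and accepting both ':' and ',' as flavor separators is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: flag FreeBSD /etc/exports lines whose
# -sec= list offers krb5 without krb5i. Per the reply above, a Linux client
# may negotiate krb5i even when krb5 was asked for, so such a line breaks
# the NFSv4 mount. Assumption: flavors are separated by ':' or ','.

# Print every offending line of the exports file given as $1.
# Returns 0 when nothing needs fixing, 1 when at least one line was flagged.
check_exports_sec() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;            # blank lines and comments
        esac
        case "$line" in
            *-sec=*) ;;                     # only lines carrying a -sec= option
            *) continue ;;
        esac
        flavors=${line#*-sec=}              # text after -sec= ...
        flavors=${flavors%%[[:space:]]*}    # ... up to the next blank
        # Normalise separators to spaces so membership is a word match.
        list=" $(printf '%s' "$flavors" | tr ':,' '  ') "
        case "$list" in
            *' krb5 '*)
                case "$list" in
                    *' krb5i '*) ;;         # krb5i offered too: fine
                    *) printf 'missing krb5i: %s\n' "$line"; status=1 ;;
                esac ;;
        esac
    done < "$1"
    return "$status"
}

# Constructed sample exports file; only the first export is the failing form.
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# /etc/exports (constructed sample)
/tank/homes -sec=krb5 -network 192.0.2.0 -mask 255.255.255.0
/tank/pub -sec=krb5i,krb5 -ro
V4: / -sec=krb5i:krb5
EOF

if check_exports_sec "$SAMPLE_EXPORTS"; then
    echo "exports OK"
else
    echo "add krb5i next to krb5 on the flagged lines"
fi
```

Run it against the real file with `check_exports_sec /etc/exports` on the server; a non-zero exit means at least one export still offers krb5 alone.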