Date: Fri, 27 Jan 2012 18:52:24 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Giulio Ferro
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: kerberized NFS
Message-ID: <1755360318.299423.1327708344781.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <4F22E5D7.4000707@zirakzigil.org>

Giulio Ferro wrote:
> I'm trying to set up a kerberized NFS system made of a server and a
> client (both freebsd 9 amd64 stable)
>
> I've tried to follow this howto:
> http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
>
> But couldn't get much out of it.
>
> First question: is this howto still valid or something more recent
> should be followed? I've searched with Google but I've come up empty.
>
It's all there is. I don't think anything has changed since it was
written. (I haven't had a kerberos setup for about 2 years, so I know
I haven't changed anything recently.) It was a google wiki, since I
hoped others would add to it, but I don't think that has happened?

> I've set up kerberos heimdal, created the dns entries for both
> client and server, set up krb5.keytab and copied it to client, set
> up nfs4 according to man nfsv4:
>
> (server)
> cat /etc/exports
> V4: /usr/src -sec=krb5:krb5i:krb5p
>
The V4: line doesn't export any file system. It only defines where the
root of the directory tree is for NFSv4 and what authentication can be
used for "system operations" which do not take any file handle and,
therefore, aren't tied to any server file system.

For example, the above would need to be something like:
V4: /usr/src -sec=krb5:krb5i:krb5p
/usr/src -sec=krb5:krb5i:krb5p
- If /usr/src is not the root of a file system on the server, it is less
  confusing to export the root of the file system, such as "/usr" or "/".

> and then tried to mount it from the client:
>
> mount_nfs -o ntfsv4,sec=krb5i,gssname=nfs
> nfsinternal1.dcssrl.it:/usr/src /usr/src
>
To make the "gssname" case work, you need a couple of things:
- You need the patch it refers to applied to the client's kernel, so it
  can handle "host based initiator credentials". After applying the
  patch, you also need to have an entry in the client's /etc/keytab that
  looks like:
  nfs/client-host.dnsdomain@YOUR.REALM
Without the above, the client can only do an NFSv4 mount as a user (not
root) that has a valid credential. For example:
- non-root mounts enabled via
  # sysctl vfs.usermount=1
- then a user logs in
- gets a kerberos TGT via "kinit"
- then does a mount command that looks like:
  % mount -t nfs -o nfsv4,sec=krb5i :/path
- this mount breaks if this user's TGT expires, so it either must be
  maintained via some utility (there are a couple out there, but I can't
  remember the name of one offhand) or manually by doing "kinit" again
  before it expires
- this user must umount the file system when done with it

(I know, it would be nice if the host based initiator cred. worked
"out of the box", but the patch is ugly and the reviewer understandably
didn't agree with it. However, I don't know how to do it another way for
the version of Heimdal in FreeBSD. There is a bug that has apparently
been fixed for newer Heimdal releases, where it gets confused w.r.t.
encryption type for the keytab entry unless it is forced to one
encryption type only.)

Also, you need the following in the server's /etc/rc.conf:
nfsv4_server_enable="YES"
gssd_enable="YES"
and in the client:
nfsuserd_enable="YES"
gssd_enable="YES"

Finally, I'd suggest that you get NFSv4 mounts over "sys" working first
and then you can try Kerberos.

> but it failed with:
> [tcp] nfsinternal1.dcssrl.it:/usr/src: Permission denied
>
> Can you point me to something that I might have got wrong?
>
> Thanks in advance.
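Added example, not part of Rick's mail and not a FreeBSD tool: a small POSIX sh check of a server's /etc/exports for the two problems the reply points at, a V4: line with no file system actually exported underneath it, and an exported path whose -sec= list offers no Kerberos flavour (so a sec=krb5i mount can only get "Permission denied"). It assumes the simple one-path-per-line layout used in the mail: only the first path on an export line is reported, host and network arguments after the flags are ignored, and an absent -sec= is treated as the AUTH_SYS default. The two exports files it is run on are constructed here to mirror the mail's broken and corrected versions.

```shell
# check_exports FILE
# Prints one finding per line. Returns 0 when FILE names a V4: root and
# exports at least one path with a krb5/krb5i/krb5p flavour, 1 otherwise.
check_exports() {
    file=$1
    v4root=
    nexports=0
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*) continue ;;          # skip blank lines and comments
        esac
        # Word-split the export line: $1 is "V4:" or the first exported path.
        set -- $line
        if [ "$1" = "V4:" ]; then
            # The V4: line only fixes the root of the NFSv4 tree and the
            # flavours for file-handle-less operations; it exports nothing.
            v4root=$2
            continue
        fi
        nexports=$((nexports + 1))
        path=$1
        sec=
        for tok in "$@"; do
            case $tok in
                -sec=*) sec=${tok#-sec=} ;;
            esac
        done
        # Flavours are colon-separated; no -sec= at all means AUTH_SYS only.
        case :${sec:-sys}: in
            *:krb5:*|*:krb5i:*|*:krb5p:*) ;;
            *) echo "WARN: $path allows no krb5 flavour (-sec=${sec:-sys})"
               status=1 ;;
        esac
    done < "$file"
    if [ -z "$v4root" ]; then
        echo "FAIL: no V4: line, so no NFSv4 mount can succeed"
        status=1
    elif [ "$nexports" -eq 0 ]; then
        echo "FAIL: V4: root $v4root set but no file system is exported;" \
             "add a line such as '$v4root -sec=krb5:krb5i:krb5p'"
        status=1
    else
        echo "OK: V4 root $v4root with $nexports exported path(s)"
    fi
    return $status
}

# Constructed sample input: the single-line exports file from the mail
# (rejected) and the two-line version Rick suggests (accepted).
demo() {
    tmp=$(mktemp -d)
    printf 'V4: /usr/src -sec=krb5:krb5i:krb5p\n' > "$tmp/exports.broken"
    printf 'V4: /usr/src -sec=krb5:krb5i:krb5p\n/usr/src -sec=krb5:krb5i:krb5p\n' \
        > "$tmp/exports.fixed"
    broken=0; check_exports "$tmp/exports.broken" || broken=$?
    fixed=0;  check_exports "$tmp/exports.fixed"  || fixed=$?
    rm -rf "$tmp"
    echo "broken=$broken fixed=$fixed"
}

demo
```

Run it against the real file with `check_exports /etc/exports` on the server after editing and before restarting mountd; it does not replace testing a plain sec=sys mount first, which the mail recommends, but it catches the "V4: line only" mistake without needing a Kerberos client at hand.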