Date:      Sat, 7 Sep 2013 07:50:06 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Martin Laabs <mailinglists@martinlaabs.de>
Cc:        freebsd-net@freebsd.org, freebsd-arm <freebsd-arm@freebsd.org>
Subject:   Re: nfsv4 fails with kerberos
Message-ID:  <955745639.19718288.1378554606139.JavaMail.root@uoguelph.ca>
In-Reply-To: <522AFD9D.9010500@martinlaabs.de>

Martin Laabs wrote:
> Hi,
> 
> I set up a nfsv4 server with kerberos but when starting the nfs
> server on
> the arm (RBI-B) board I get the following error message and the first
> (managing part) of the nfs exits:
> 
> "nfsd: can't register svc name"
> 
> This error message is produced by the following code in
> /usr/src/sys/fs/nfsserver/nfs_nfsdkrpc.c:
> 
> 
> ==================:<=======================
> /* An empty string implies AUTH_SYS only. */
> if (principal[0] != '\0') {
>  ret2 = rpc_gss_set_svc_name_call(principal,
>    "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, NFS_VER2);
>  ret3 = rpc_gss_set_svc_name_call(principal,
>     "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, NFS_VER3);
>  ret4 = rpc_gss_set_svc_name_call(principal,
>     "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, NFS_VER4);
> 
> if (!ret2 || !ret3 || !ret4)
>   printf("nfsd: can't register svc name\n");
> ==================:<=======================
> 
> So something went wrong with the principals. Is there a way to get
> more
> information or more verbose debugging output from the nfs-server part
> of
> the kernel?
> 
The above message normally indicates that the gssd daemon isn't running.

Here's a few places you can get info:
man nfsv4, gssd
http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
- This was done quite a while ago and I should go in and update it,
  but I think it is still mostly correct for server side. (The client
  in head/10 now does have "host based initiator cred" support.)
  Feel free to update it. All you should need to do so is a Google
  login.

You need a service principal for "nfs", which means an entry for a
principal that looks like:
nfs/<server-hostname>.<dns-domain>@<DEFAULT-REALM>
(Stuff in "<>" needs to be filled in with the answer for your machine.)
in /etc/krb5.keytab on the server.

rick

> Thank you,
>  Martin Laabs
> 
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to
> "freebsd-net-unsubscribe@freebsd.org"
> 
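
The two conditions named in the reply above (gssd running, and an nfs/<server-hostname>.<dns-domain>@<DEFAULT-REALM> entry in /etc/krb5.keytab) can be checked before starting nfsd. This is an added example, not part of the original message or of FreeBSD; it assumes Heimdal's `ktutil` as the keytab lister, and the function names and the example.org listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before starting a Kerberized nfsd.

# Succeeds if a keytab listing on stdin (ktutil list / klist -k output)
# contains a principal of the form nfs/<fqdn>@<REALM>. $1 is the server FQDN.
has_nfs_principal() {
    awk -v want="nfs/$1@" '
        { for (i = 1; i <= NF; i++)
              if (index($i, want) == 1 && length($i) > length(want)) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample of a keytab listing (not from a real host): it holds
# only a host/ principal, so the nfs/ service principal is missing.
sample_listing() {
    cat <<'EOF'
/etc/krb5.keytab:

Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  host/nfs1.example.org@EXAMPLE.ORG
EOF
}

# Checks for a live server; run with: sh <this file> --run
preflight() {
    fqdn=$(hostname -f)
    rc=0
    if ! pgrep -x gssd >/dev/null 2>&1; then
        echo "gssd is not running (see gssd_enable in rc.conf)"
        rc=1
    fi
    # Assumption: Heimdal ktutil syntax; with MIT Kerberos use `klist -k`.
    if ! ktutil -k /etc/krb5.keytab list 2>/dev/null | has_nfs_principal "$fqdn"; then
        echo "no nfs/$fqdn@<REALM> entry in /etc/krb5.keytab"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    preflight
fi
```
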


