From: Rick Macklem
To: Giulio Ferro
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Date: Sat, 28 Jan 2012 10:54:55 -0500 (EST)
Subject: Re: kerberized NFS

Giulio Ferro wrote:
> I forgot to mention that I compiled both servers with
> option KGSSAPI and device crypto, and I enabled gssd
> on both.
>
> Is there anyone who was able to configure this setup?
>
I had a server at the nfsv4 testing event last June and it worked ok. I
haven't tried one since then.

Step 1: make sure that nfsv4 mounts work over auth_sys. (You'll need to
add "sys" to the sec= flavours, so your /etc/exports will look something
like:

  V4: /usr/src -sec=sys:krb5:krb5i:krb5p
  /usr/src -sec=sys:krb5:krb5i:krb5p

Then on the client:

  # mount -t nfs -o nfsv4 :/ /

(Where "<" and ">" indicate "replace this with what yours".)

- Then cd / and do an "ls -l" to see that the file ownership
  looks ok. If it doesn't, it will be related to "nfsuserd", which must
  be running in both client and server.

Once Step 1 looks fine:

Step 2: Check that Kerberos is working ok in the server.
- Log into the server as root and do the following:
    # kinit -k nfs/@
  - This should work ok.
    # klist
  - This should list a TGT for nfs/@
  If this doesn't work, something isn't right in the Kerberos setup on
  the server. The NFS server (not client) must have a /etc/krb5.keytab
  file with an entry for:
    nfs/@
  in it. You should create it on your KDC with encryption type
  DES-CBC_CRC initially and you should specify that as your default
  enctype in your /etc/krb5.conf.

Once that is working, make sure all the daemons are running on the
server:
    mountd, nfsd, nfsuserd and gssd

If this all looks good, go to the client:
    # sysctl vfs.usermount=1
- make sure these daemons are running:
    nfsuserd, gssd
- Log in as non-root user:
    % kinit
    % klist
  - there should be a TGT for the user you are logged in as
- Now, try a kerberos mount, as follows:
    % mount -t nfs -o nfsv4,sec=krb5 :/ /
- if that works:
    % cd /
    % ls -l

If these last steps fail, it is not easy to figure out why. (Look in
/var/log/messages for any errors. If you get what the gssd calls a
minor status, that is the kerberos error.)

rick
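A pre-flight checker for the steps in the mail above, added here as an example; it is not part of Rick Macklem's reply or of FreeBSD's own tooling. The daemon names (mountd, nfsd, nfsuserd, gssd), the /etc/exports -sec= syntax, the /etc/krb5.keytab path, the nfs/ principal and the vfs.usermount sysctl come from the mail; the function names, the use of pgrep, sysctl -n and klist -k (reading the default keytab), and the constructed sample exports lines are this example's assumptions. It parses the colon-separated -sec= flavour lists and checks that each export offers both "sys" (so the Step 1 auth_sys mount can work) and "krb5" (for Step 2), then checks the daemons and the keytab entry on the host it runs on.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Kerberized NFSv4 setup described
# in the mail above. Not FreeBSD code; function names are this example's own.

# Print the colon-separated -sec= flavour list from one /etc/exports line,
# e.g. "V4: /usr/src -sec=sys:krb5:krb5i:krb5p" -> "sys:krb5:krb5i:krb5p".
exports_sec_flavors() {
    printf '%s\n' "$1" | sed -n 's/.*-sec=\([^[:space:]]*\).*/\1/p'
}

# Return 0 if flavour $2 appears in the -sec= list of exports line $1.
exports_has_flavor() {
    flavors=$(exports_sec_flavors "$1")
    case ":$flavors:" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 if every -sec= line in exports file $1 lists both "sys"
# (needed for the Step 1 auth_sys mount) and "krb5" (Step 2). Lines
# without -sec= are ignored; missing flavours are reported on stdout.
check_exports_file() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *-sec=*) ;;
            *) continue ;;
        esac
        for f in sys krb5; do
            exports_has_flavor "$line" "$f" || {
                echo "exports line lacks $f: $line"
                rc=1
            }
        done
    done < "$1"
    return $rc
}

# Return 0 if a process named exactly $1 is running (assumes pgrep).
daemon_running() {
    pgrep -x "$1" >/dev/null 2>&1
}

# Return 0 if the default keytab holds a principal starting with "$1/"
# (assumes klist -k prints one principal per line after its header).
keytab_has_principal() {
    klist -k 2>/dev/null | grep -q "[[:space:]]$1/"
}

# Server side: exports flavours, the four daemons, and the nfs/ keytab entry.
preflight_server() {
    rc=0
    check_exports_file /etc/exports || rc=1
    for d in mountd nfsd nfsuserd gssd; do
        daemon_running "$d" || { echo "daemon not running: $d"; rc=1; }
    done
    keytab_has_principal nfs || { echo "no nfs/ entry in default keytab"; rc=1; }
    return $rc
}

# Client side: the two daemons plus vfs.usermount=1 for the non-root mount.
preflight_client() {
    rc=0
    for d in nfsuserd gssd; do
        daemon_running "$d" || { echo "daemon not running: $d"; rc=1; }
    done
    [ "$(sysctl -n vfs.usermount 2>/dev/null)" = 1 ] || {
        echo "vfs.usermount is not 1"; rc=1; }
    return $rc
}

# Usage: sh preflight.sh server   (as root on the NFS server)
#        sh preflight.sh client   (on the client, before the krb5 mount)
case "${1:-}" in
    server) preflight_server ;;
    client) preflight_client ;;
esac
```

Run the server half before `kinit -k` and the client half before the `sec=krb5` mount; a non-zero exit with the printed reason narrows down which of the mail's preconditions is unmet before you have to read gssd's minor status out of /var/log/messages. The mail's suggestion to start with DES-CBC-CRC is about getting a first mount working; single DES is a weak enctype, so once the mount succeeds the keytab entry and the default enctype in /etc/krb5.conf should be moved to a stronger type.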