Date:      Sat, 28 Jan 2012 10:54:55 -0500 (EST)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Giulio Ferro <auryn@zirakzigil.org>
Cc:        freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: kerberized NFS
Message-ID:  <1721865563.311886.1327766095191.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <4F23AC5A.3080308@zirakzigil.org>

Giulio Ferro wrote:
> I forgot to mention that I compiled both servers with
> option KGSSAPI and device crypto, and I enabled gssd
> on both.
> 
> Is there anyone who was able to configure this setup?
>
I had a server at the nfsv4 testing event last June and it
worked ok. I haven't tried one since then.

Step 1: make sure that nfsv4 mounts work over auth_sys.
   (You'll need to add "sys" to the sec= flavours, so your
    /etc/exports will look something like the following.)

V4: /usr/src -sec=sys:krb5:krb5i:krb5p
/usr/src -sec=sys:krb5:krb5i:krb5p <client host or subnet>

Then on the client:
# mount -t nfs -o nfsv4 <server>:/ /<mntpath>
(Where "<" and ">" indicate "replace this with yours".)
- Then cd /<mntpath> and do an "ls -l" to see that the file
  ownership looks ok. If it doesn't, it will be related to
  "nfsuserd", which must be running in both client and server.

Once Step 1 looks fine:
Step 2: Check that Kerberos is working ok in the server.
- Log into the server as root and do the following:
  # kinit -k nfs/<server-host.domain>@<YOUR.REALM>
  - This should work ok.
  # klist
  - This should list a TGT for nfs/<server-host.domain>@<YOUR.REALM>

If this doesn't work, something isn't right in the Kerberos setup
on the server. The NFS server (not client) must have a /etc/krb5.keytab
file with an entry for:
  nfs/<server-host.domain>@<YOUR.REALM>
in it. You should create it on your KDC with encryption type
  DES-CBC-CRC initially
and you should specify that as your default enctype in your /etc/krb5.conf.

Once that is working, make sure all the daemons are running on the server.
mountd, nfsd, nfsuserd and gssd

If this all looks good, go to the client:
# sysctl vfs.usermount=1
- make sure these daemons are running
nfsuserd, gssd

- Log in as non-root user:
% kinit
% klist
- there should be a TGT for the user you are logged in as

- Now, try a kerberos mount, as follows:
% mount -t nfs -o nfsv4,sec=krb5 <server>:/ /<mntpath>
- if that works
% cd /<mntpath>
% ls -l

If these last steps fail, it is not easy to figure out why.
(Look in /var/log/messages for any errors. If you get what
 the gssd calls a minor status, that is the kerberos error.)

rick
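
The checks in the message above, collected into one preflight script. This is an added example, not code from Rick's message, from FreeBSD, or from the original thread: it encodes the Step 1 and Step 2 checks (the sec= flavours on the V4: and export lines of /etc/exports, the daemons that must run on each side, vfs.usermount on the client, the nfs/<host> keytab entry, and the principal and TGT that klist should show) as sh functions, plus a self-test over constructed sample data. The realm EXAMPLE.ORG, the export path /usr/src, the hostnames in the samples, and the Heimdal command syntax of the FreeBSD base system (klist, kinit -k, ktutil list) are assumptions; replace them with your own.

```shell
#!/bin/sh
# nfs-krb5-preflight.sh: walk the checks from the message above on a FreeBSD
# NFSv4 server or client. Added example, not code from the original post.
# Assumptions (replace): realm EXAMPLE.ORG, export path /usr/src, Heimdal
# tools from the FreeBSD base system (klist, ktutil list, kinit -k).

# Print the sec= flavour list of one /etc/exports line.
# KEY is "V4:" for the root line or the exported path for a normal line.
exports_sec_flavours() {
    awk -v key="$2" '$1 == key {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^-sec=/) { sub(/^-sec=/, "", $i); print $i; exit }
    }' "$1"
}

# Succeed if FLAVOUR (sys, krb5, krb5i or krb5p) is in that line's sec= list.
exports_has_flavour() {
    exports_sec_flavours "$1" "$2" | tr ':' '\n' | grep -qx "$3"
}

# Principal owning the credential cache, parsed from klist output
# (Heimdal prints "Principal:", MIT prints "Default principal:").
klist_principal() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\(Default \)\{0,1\}[Pp]rincipal:[[:space:]]*//p' |
        head -n 1
}

# Succeed if klist output holds a TGT for REALM.
klist_has_tgt() {
    printf '%s\n' "$1" | grep -q "krbtgt/$2@$2"
}

# Print the names in WANTED that are absent from RUNNING (space or newline
# separated, e.g. the output of "ps -axo comm=").
missing_daemons() {
    running=" $(printf '%s' "$2" | tr '\n' ' ') "
    out=""
    for d in $1; do
        case "$running" in *" $d "*) ;; *) out="$out $d" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Self-test on constructed data; none of it is real output from any host.
selftest() {
    f=$(mktemp) || return 1
    printf '%s\n' 'V4: /usr/src -sec=sys:krb5:krb5i:krb5p' \
        '/usr/src -sec=sys:krb5:krb5i:krb5p 192.0.2.0/24' \
        '/data -sec=krb5p client.example.org' > "$f"
    klist='Credentials cache: FILE:/tmp/krb5cc_0
        Principal: nfs/nfs1.example.org@EXAMPLE.ORG

  Issued                Expires               Principal
Jan 28 10:54:55 2012  Jan 28 20:54:55 2012  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'
    rc=0
    [ "$(exports_sec_flavours "$f" V4:)" = sys:krb5:krb5i:krb5p ] || rc=1
    exports_has_flavour "$f" /usr/src sys || rc=1
    exports_has_flavour "$f" /data sys && rc=1     # /data cannot pass Step 1
    [ "$(klist_principal "$klist")" = nfs/nfs1.example.org@EXAMPLE.ORG ] || rc=1
    klist_has_tgt "$klist" EXAMPLE.ORG || rc=1
    [ "$(missing_daemons 'mountd nfsd nfsuserd gssd' 'nfsd
mountd')" = 'nfsuserd gssd' ] || rc=1
    rm -f "$f"
    return $rc
}

# Live checks; run as root: sh nfs-krb5-preflight.sh server|client
live_checks() {
    realm=${KRB5_REALM:-EXAMPLE.ORG}     # assumption: your realm
    host=$(hostname)                     # must be the FQDN used in the keytab
    procs=$(ps -axo comm=)
    case $1 in
    server)
        for key in V4: /usr/src; do      # assumption: /usr/src is exported
            exports_has_flavour /etc/exports "$key" sys ||
                echo "WARN: $key lacks sec=sys; Step 1 (auth_sys) cannot be tested"
            exports_has_flavour /etc/exports "$key" krb5 ||
                echo "WARN: $key lacks sec=krb5"
        done
        ktutil list 2>/dev/null | grep -q "nfs/$host@$realm" ||
            echo "WARN: /etc/krb5.keytab has no entry for nfs/$host@$realm"
        m=$(missing_daemons 'mountd nfsd nfsuserd gssd' "$procs") ;;
    client)
        [ "$(sysctl -n vfs.usermount)" = 1 ] || echo 'WARN: set sysctl vfs.usermount=1'
        m=$(missing_daemons 'nfsuserd gssd' "$procs") ;;
    *)  echo "usage: $0 server|client" >&2; return 2 ;;
    esac
    [ -z "$m" ] || echo "WARN: not running: $m"
    out=$(klist 2>&1) || echo "WARN: klist failed: $out"
    klist_has_tgt "$out" "$realm" ||
        echo "WARN: no TGT for $realm (kinit; on the server: kinit -k nfs/$host@$realm)"
}

[ $# -eq 0 ] || live_checks "$1"
```

Run it as root with `server` on the NFS server and `client` on the client; with no argument it only defines the functions, so `selftest` can be called from an interactive shell. A warning from the client side still leaves the gssd "minor status" in /var/log/messages as the place to read the actual Kerberos error, as the message says. The script does not check the enctype: RFC 6649 (2012) deprecates single DES in Kerberos and current MIT and Heimdal releases disable or omit it, so a keytab created today will normally carry an AES enctype rather than the DES-CBC-CRC suggested above.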

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1721865563.311886.1327766095191.JavaMail.root>