Date: Mon, 9 Feb 2015 19:17:47 +0100
From: Sascha Frey
To: freebsd-fs@freebsd.org
Subject: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box
Message-ID: <20150209181747.GB9520@TechFak.Uni-Bielefeld.DE>

Hi list,

I'm trying to set up a NFS file server for our Linux clients using
FreeBSD 10.1.

Mounting the NFS filesystem exported from the FreeBSD box works well if using sec=sys, but doesn't work with sec=krb5. I get 'access denied' on the Linux client (tried both Debian Jessie and Ubuntu 14.04):

root@penny:~# mount -t nfs -o vers=4,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
root@penny:~# mount -t nfs -o vers=3,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey

Mounting kerberized NFS mounts from our other (Linux based) file servers is possible without having any problems.

Connectivity to the KDC seems to be OK:

[root@leonard ~]# kinit -k nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
[root@leonard ~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE

  Issued                Expires               Principal
Feb  9 17:51:58 2015  Feb 10 03:51:59 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE

I found only one error message in /var/log/messages:

nfsd: can't register svc name

Any idea what may be wrong?

Cheers,
Sascha

The configuration files on the server:

/etc/exports:

V4: / -sec=sys:krb5:krb5i:krb5p
/export/homes/sfrey -sec=sys:krb5 penny.fs.cit-ec.net

/etc/rc.conf:

nfs_server_enable="YES"
nfsv4_server_enable="YES"
nfs_server_flags="-u -t -n 6"
nfsuserd_enable="YES"
nfsuserd_flags="-domain TechFak.Uni-Bielefeld.DE"
mountd_enable="YES"
mountd_flags="-r"
gssd_enable="YES"
gssd_flags="-v"

/etc/krb5.conf:

[libdefaults]
    default_keytab_name = /etc/krb5.keytab
    default_realm = TECHFAK.UNI-BIELEFELD.DE
    allow_weak_crypto = true

[realms]
    TECHFAK.UNI-BIELEFELD.DE = {
        default_domain = techfak.uni-bielefeld.de
    }

[domain_realm]
    .techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.DE
    techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.D

/etc/krb5.keytab:

[root@leonard ~]# ktutil list
/etc/krb5.keytab:

Vno  Type           Principal                                            Aliases
  2  des-cbc-crc    nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des3-cbc-sha1  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des-cbc-crc    host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des3-cbc-sha1  host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des-cbc-crc    root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des3-cbc-sha1  root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE