From: Rick Macklem
To: Sascha Frey
Cc: freebsd-fs@freebsd.org
Date: Mon, 9 Feb 2015 18:24:03 -0500 (EST)
Subject: Re: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box
Message-ID: <2131985962.2999032.1423524243651.JavaMail.root@uoguelph.ca>
In-Reply-To: <20150209181747.GB9520@TechFak.Uni-Bielefeld.DE>

Sascha Frey wrote:
> Hi list,
>
> I'm trying to set up a NFS file server for our Linux clients using
> FreeBSD 10.1.
>
> Mounting the NFS filesystem exported from the FreeBSD box works well
> if using sec=sys, but doesn't work with sec=krb5.
>
> I get 'access denied' on the Linux client (tried both Debian Jessie
> and Ubuntu 14.04):
>
> root@penny:~# mount -t nfs -o vers=4,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
> root@penny:~# mount -t nfs -o vers=3,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
>
> Mounting kerberized NFS mounts from our other (Linux based) file
> servers is possible without having any problems.
>
> Connectivity to the KDC seems to be OK:
> [root@leonard ~]# kinit -k nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
> [root@leonard ~]# klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>
>   Issued                Expires               Principal
> Feb  9 17:51:58 2015  Feb 10 03:51:59 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE
>
> I found only one error message in /var/log/messages:
> nfsd: can't register svc name
>
Well, this message indicates it isn't going to work.
(This message means the nfsd couldn't register with the gssd daemon, so
kerberized NFS won't work.)
It is generated when the nfsd is started. The most common cause would be
the gssd daemon not running when the nfsd daemon is started.

If the gssd was running when the nfsd was started and this message is
logged, there is a debug option on gssd that makes it chatty and that
might indicate why it is failing.

Also, there is this wiki. It is somewhat out of date, but I don't think
anything has changed w.r.t. the server side. (I'm not sure what the
current status is w.r.t. keytab entries encrypted in newer ways than
des-cbc-crc is.)
https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

Good luck with it, rick

>
> Any idea what may be wrong?
>
>
> Cheers,
> Sascha
>
>
> The configuration files on the server:
>
> /etc/exports:
> V4: / -sec=sys:krb5:krb5i:krb5p
> /export/homes/sfrey -sec=sys:krb5 penny.fs.cit-ec.net
>
> /etc/rc.conf:
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfs_server_flags="-u -t -n 6"
> nfsuserd_enable="YES"
> nfsuserd_flags="-domain TechFak.Uni-Bielefeld.DE"
> mountd_enable="YES"
> mountd_flags="-r"
> gssd_enable="YES"
> gssd_flags="-v"
>
> /etc/krb5.conf:
> [libdefaults]
>     default_keytab_name = /etc/krb5.keytab
>     default_realm = TECHFAK.UNI-BIELEFELD.DE
>     allow_weak_crypto = true
>
> [realms]
>     TECHFAK.UNI-BIELEFELD.DE = {
>         default_domain = techfak.uni-bielefeld.de
>     }
>
> [domain_realm]
>     .techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.DE
>     techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.D
>
>
> /etc/krb5.keytab:
> [root@leonard ~]# ktutil list
> /etc/krb5.keytab:
>
> Vno  Type           Principal                                             Aliases
>   2  des-cbc-crc    nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>
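
The question about keytab encryption types raised in the reply can be checked against the `ktutil list` output quoted in the post. The shell functions below are an added example (not written by either poster and not part of FreeBSD): they group such a listing by principal and mark principals that hold no AES key. The sample rows are constructed from the listing in the post plus one made-up AES entry, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: group Heimdal `ktutil list` rows by principal.

# Constructed sample: the six rows from the post, unwrapped, plus one
# made-up AES entry (example.invalid) so both outcomes are visible.
sample_listing() {
cat <<'EOF'
/etc/krb5.keytab:

Vno  Type                     Principal                                             Aliases
  2  des-cbc-crc              nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des3-cbc-sha1            nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des-cbc-crc              host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des3-cbc-sha1            host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des-cbc-crc              root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des3-cbc-sha1            root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  1  aes256-cts-hmac-sha1-96  nfs/server.example.invalid@EXAMPLE.INVALID
EOF
}

# Reads a `ktutil list` listing on stdin and prints, per principal:
#   <principal> <comma-separated key types> <AES|NO-AES>
keytab_enctypes() {
    awk '
        # Key rows begin with a numeric key version number (Vno);
        # the file name line, blank line and column header do not.
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            p = $3
            if (p in types) { types[p] = types[p] "," $2 }
            else { order[++n] = p; types[p] = $2 }
            if ($2 ~ /^aes/) aes[p] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                printf "%s %s %s\n", p, types[p], ((p in aes) ? "AES" : "NO-AES")
            }
        }'
}

# Prints only the principals whose keys are all non-AES (DES/3DES here).
principals_without_aes() {
    keytab_enctypes | awk '$3 == "NO-AES" { print $1 }'
}

sample_listing | keytab_enctypes
```

On a live server the input would come from `ktutil list | keytab_enctypes` instead of the embedded sample.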