Date: Mon, 9 Feb 2015 18:29:57 -0500 (EST)
From: Rick Macklem
To: Sascha Frey
Cc: freebsd-fs@freebsd.org
Message-ID: <1722953463.3002240.1423524597892.JavaMail.root@uoguelph.ca>
In-Reply-To: <20150209181747.GB9520@TechFak.Uni-Bielefeld.DE>
Subject: Re: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box

Sascha Frey wrote:
> Hi list,
>
> I'm trying to set up an NFS file server for our Linux clients using
> FreeBSD 10.1.
>
> Mounting the NFS filesystem exported from the FreeBSD box works well
> if using sec=sys, but doesn't work with sec=krb5.
>
> I get 'access denied' on the Linux client (tried both Debian Jessie and
> Ubuntu 14.04):
>
> root@penny:~# mount -t nfs -o vers=4,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
> root@penny:~# mount -t nfs -o vers=3,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
>
> Mounting kerberized NFS mounts from our other (Linux-based) file servers
> is possible without having any problems.
>
> Connectivity to the KDC seems to be OK:
> [root@leonard ~]# kinit -k nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
> [root@leonard ~]# klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>
>   Issued                Expires               Principal
> Feb  9 17:51:58 2015  Feb 10 03:51:59 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE
>
> I found only one error message in /var/log/messages:
> nfsd: can't register svc name
>
> Any idea what may be wrong?
>
Oh, and a couple more things...

FreeBSD only supports RPCSEC_GSS_VERSION1. This should be sufficient, since
it is what is required by the NFSv4 RFC. However, I wouldn't be surprised if
recent Linux clients decide it isn't good enough for them. (Hopefully, if
this is the case, there is a way to tell Linux to use version 1.)

If none of the suggestions helps, I'd suggest you capture packets via
something like:

# tcpdump -s 0 -w krbmnt.pcap host

running while a mount attempt is done. You can then look at krbmnt.pcap in
wireshark to see what is going on the wire.

Also, take a look at your KDC logs. That might indicate a problem with the
encryption type used or similar.

It has been tested against Linux and Solaris clients, but not for a couple
of years.

Again, good luck with it, rick

>
> Cheers,
> Sascha
>
>
> The configuration files on the server:
>
> /etc/exports:
> V4: / -sec=sys:krb5:krb5i:krb5p
> /export/homes/sfrey -sec=sys:krb5 penny.fs.cit-ec.net
>
> /etc/rc.conf:
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfs_server_flags="-u -t -n 6"
> nfsuserd_enable="YES"
> nfsuserd_flags="-domain TechFak.Uni-Bielefeld.DE"
> mountd_enable="YES"
> mountd_flags="-r"
> gssd_enable="YES"
> gssd_flags="-v"
>
> /etc/krb5.conf:
> [libdefaults]
>         default_keytab_name = /etc/krb5.keytab
>         default_realm = TECHFAK.UNI-BIELEFELD.DE
>         allow_weak_crypto = true
>
> [realms]
>         TECHFAK.UNI-BIELEFELD.DE = {
>                 default_domain = techfak.uni-bielefeld.de
>         }
>
> [domain_realm]
>         .techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.DE
>         techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.D
>
> /etc/krb5.keytab:
> [root@leonard ~]# ktutil list
> /etc/krb5.keytab:
>
> Vno  Type           Principal                                           Aliases
>   2  des-cbc-crc    nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>
> _______________________________________________
> freebsd-fs@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
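An added example, not code from this thread or from FreeBSD or Linux: once the krbmnt.pcap Rick suggests exists, the fields that decide a sec=krb5 "access denied" sit in the client's very first RPC call, namely the RPCSEC_GSS version (the reply above notes that FreeBSD implements only version 1), the control procedure (INIT versus DATA) and the requested service (krb5, krb5i or krb5p). The decoder below reads one TCP RPC record and pulls those fields out, following the RPC call header and record marking of RFC 5531 and the rpc_gss_cred_t layout of RFC 2203 section 5. The two sample records are constructed here with a fake GSS token; they are not captures from the reporter's hosts, and the program and procedure numbers are the standard NFS ones, not anything taken from the thread.

```python
import struct

AUTH_NONE, AUTH_SYS, RPCSEC_GSS = 0, 1, 6   # RPC auth flavors (RFC 5531 / RFC 2203)
RPCSEC_GSS_VERS_1 = 1                       # per the thread, the only version FreeBSD speaks
GSS_PROC = {0: "RPCSEC_GSS_DATA", 1: "RPCSEC_GSS_INIT",
            2: "RPCSEC_GSS_CONTINUE_INIT", 3: "RPCSEC_GSS_DESTROY"}
GSS_SERVICE = {1: "none (krb5)", 2: "integrity (krb5i)", 3: "privacy (krb5p)"}
PROGRAMS = {100003: "NFS", 100005: "MOUNT"}


def _u32(buf, off):
    """Read one XDR unsigned int (big-endian 32-bit) at off."""
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _opaque(buf, off):
    """Read an XDR variable-length opaque: length, bytes, pad to 4."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated opaque field")
    return buf[off:off + n], off + ((n + 3) & ~3)


def _xdr_opaque(data):
    """Encode bytes as XDR opaque<> (used only to build the samples)."""
    return struct.pack(">I", len(data)) + data + b"\0" * (-len(data) % 4)


def strip_record_mark(stream):
    """RFC 5531 section 11 TCP record mark: high bit = last fragment,
    low 31 bits = fragment length. Returns (last, fragment)."""
    mark, off = _u32(stream, 0)
    length = mark & 0x7FFFFFFF
    if len(stream) < off + length:
        raise ValueError("truncated RPC fragment")
    return bool(mark & 0x80000000), stream[off:off + length]


def parse_gss_cred(body):
    """rpc_gss_cred_t (RFC 2203 section 5): version, gss_proc, seq_num,
    service, handle<>. Any version other than 1 is reported as unsupported,
    which is what a FreeBSD 10.1 server would make of it per the thread."""
    version, off = _u32(body, 0)
    if version != RPCSEC_GSS_VERS_1:
        return {"version": version, "supported": False}
    gss_proc, off = _u32(body, off)
    seq_num, off = _u32(body, off)
    service, off = _u32(body, off)
    handle, off = _opaque(body, off)
    return {"version": version, "supported": True,
            "proc": GSS_PROC.get(gss_proc, gss_proc), "seq_num": seq_num,
            "service": GSS_SERVICE.get(service, service), "handle": handle}


def parse_rpc_call(msg):
    """Parse an RPC CALL (RFC 5531 section 9) through the credential and
    verifier; the procedure arguments are returned raw."""
    xid, off = _u32(msg, 0)
    msg_type, off = _u32(msg, off)
    if msg_type != 0:
        raise ValueError("not an RPC CALL message")
    rpcvers, off = _u32(msg, off)
    prog, off = _u32(msg, off)
    vers, off = _u32(msg, off)
    proc, off = _u32(msg, off)
    cred_flavor, off = _u32(msg, off)
    cred_body, off = _opaque(msg, off)
    verf_flavor, off = _u32(msg, off)
    verf_body, off = _opaque(msg, off)
    call = {"xid": xid, "rpcvers": rpcvers, "program": PROGRAMS.get(prog, prog),
            "version": vers, "procedure": proc, "cred_flavor": cred_flavor,
            "verf_flavor": verf_flavor, "args": msg[off:]}
    if cred_flavor == RPCSEC_GSS:
        call["gss"] = parse_gss_cred(cred_body)
    return call


def build_gss_init_call(xid, gss_version, token, program=100003, version=4):
    """Construct the RPCSEC_GSS_INIT call a sec=krb5 client sends to open a
    context: NULL procedure, cred = version/INIT/seq 0/service none/empty
    handle, AUTH_NONE verifier, args = the GSS-API init token. Sample
    builder only; the token content is fake."""
    cred = struct.pack(">IIII", gss_version, 1, 0, 1) + _xdr_opaque(b"")
    hdr = struct.pack(">IIIIII", xid, 0, 2, program, version, 0)
    msg = hdr + struct.pack(">I", RPCSEC_GSS) + _xdr_opaque(cred)
    msg += struct.pack(">I", AUTH_NONE) + _xdr_opaque(b"") + _xdr_opaque(token)
    return struct.pack(">I", 0x80000000 | len(msg)) + msg   # prepend record mark


# Constructed samples: a version-1 INIT (what the FreeBSD server accepts)
# and a version-2 INIT (what a newer client might try first).
SAMPLE_V1 = build_gss_init_call(0x1234, 1, b"\x60\x81FAKE-KRB5-AP-REQ")
SAMPLE_V2 = build_gss_init_call(0x1235, 2, b"\x60\x81FAKE-KRB5-AP-REQ")


def describe(record):
    """One-line verdict on a captured RPC record, as you would want it
    while stepping through krbmnt.pcap."""
    last, frag = strip_record_mark(record)
    call = parse_rpc_call(frag)
    gss = call.get("gss")
    if gss is None:
        return "xid %#x %s v%d proc %d: auth flavor %d (not RPCSEC_GSS)" % (
            call["xid"], call["program"], call["version"], call["procedure"], call["cred_flavor"])
    if not gss["supported"]:
        return "xid %#x: RPCSEC_GSS version %d, not version 1" % (call["xid"], gss["version"])
    token, _ = _opaque(call["args"], 0)
    return "xid %#x %s v%d: RPCSEC_GSS v1 %s service=%s seq=%d token=%d bytes" % (
        call["xid"], call["program"], call["version"], gss["proc"], gss["service"],
        gss["seq_num"], len(token))


if __name__ == "__main__":
    for rec in (SAMPLE_V1, SAMPLE_V2):
        print(describe(rec))
```

To use it on a real capture, hand each TCP payload record from the client to describe(); an INIT whose cred says version 1 followed by a DATA call with service "none (krb5)" means the GSS context was established and the denial is coming from the export or nfsuserd mapping, whereas a version other than 1 or an INIT that never gets past CONTINUE_INIT points at the RPCSEC_GSS/Kerberos negotiation itself.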