From: Sascha Frey
To: freebsd-fs@freebsd.org
Date: Tue, 10 Feb 2015 09:00:53 +0100
Subject: Re: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box
Message-ID: <20150210080053.GA20995@TechFak.Uni-Bielefeld.DE>

Rick Macklem wrote:
[...]
>> I found only one error message in /var/log/messages:
>> nfsd: can't register svc name
>>
>Well, this message indicates it isn't going to work.
>(This message means the nfsd couldn't register with the gssd daemon,
> so kerberized NFS won't work.) It is generated when the nfsd is
>started.
>
>The most common cause would be the gssd daemon not running when the
>nfsd daemon is started. If the gssd was running when the nfsd was started
>and this message is logged, there is a debug option on gssd that makes
>it chatty and that might indicate why it is failing.

gssd was running before nfsd was started.
This message does not appear if nfsd starts without gssd running, but it
does appear as soon as gssd is started (if nfsd is already running).

I started gssd in foreground mode (via gssd -d -v).
These messages appear when I start nfsd:

gssd_import_name: done major=0x0 minor=0
gssd_acquire_cred: done major=0x70000 minor=0
gssd_release_name: done major=0x0 minor=0
gssd_import_name: done major=0x0 minor=0
gssd_acquire_cred: done major=0x70000 minor=0
gssd_release_name: done major=0x0 minor=0
gssd_import_name: done major=0x0 minor=0
gssd_acquire_cred: done major=0x70000 minor=0
gssd_release_name: done major=0x0 minor=0

No log output when trying to mount NFS share on the Linux machine.

I tried to mount it on the server itself. I'm able to mount, but I can't
access any files...

[root@leonard ~]# mount -o sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
[root@leonard ~]# su - sfrey
[sfrey@leonard ~]$ kinit
sfrey@TECHFAK.UNI-BIELEFELD.DE's Password:
[sfrey@leonard ~]$ ls -lad /mnt
ls: /mnt: Permission denied
[sfrey@leonard ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_21036
        Principal: sfrey@TECHFAK.UNI-BIELEFELD.DE

  Issued                Expires               Principal
Feb 10 08:54:31 2015  Feb 10 18:54:39 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE
Feb 10 08:54:36 2015  Feb 10 18:54:39 2015  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE

>
>Also, there is this wiki. It is somewhat out of date, but I don't think
>anything has changed w.r.t. the server side. (I'm not sure what the
>current status is w.r.t. keytab entries encrypted in newer ways than
>des-cbc-crc is.)
>https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

I'll take a look into it. Maybe I missed something.

Cheers,
Sascha