Date: Mon, 18 Feb 2013 18:56:58 -0500 (EST)
From: Rick Macklem
To: Momchil Ivanov
Cc: freebsd-fs@freebsd.org
Message-ID: <1794994447.3103158.1361231818953.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <86bobtmvb0.wl%momchil@xaxo.eu>
Subject: Re: NFS + Kerberos

Momchil Ivanov wrote:
> Hello,
>
> I have been trying to follow this guide [1] to get NFS with Kerberos
> working on FreeBSD, but I have some trouble. I hope somebody has the
> time and desire to help me...
>
> I am using FreeBSD 9.1 as NFS server with the following configuration
> on the server:
>
> file /etc/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.LOCAL
> default_etypes = des-cbc-crc
> default_etypes_des = des-cbc-crc
> allow_weak_crypto = true
> [realms]
> EXAMPLE.LOCAL = {
> kdc = kerberos.example.local
> admin_server = kerberos.example.local
> }
> [domain_realm]
> .example.local = EXAMPLE.LOCAL
>
> file /etc/exports:
>
> V4: / -sec=krb5i:krb5p
> /tank/storage -sec=krb5i:krb5p
>
> file /etc/rc.conf:
>
> ## nfsv4
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfsuserd_enable="YES"
> mountd_enable="YES"
> mountd_flags="-r -n"
>
> # for kerberos
> gssd_enable="YES"
>
> kerberos seems to be working:
>
> root@srv:/root # kinit -k nfs/srv.example.local
> root@srv:/root # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: nfs/srv.example.local@EXAMPLE.LOCAL
>
> Issued          Expires         Principal
> Feb 2 21:04:02  Feb 3 07:04:02  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> root@srv:/root # kdestroy
> root@srv:/root # ktutil list
> FILE:/etc/krb5.keytab:
>
> Vno  Type         Principal
>   1  des-cbc-crc  nfs/srv.example.local@EXAMPLE.LOCAL
>
> krb4:/etc/srvtab:
>
> Vno  Type  Principal
>
> the client is FreeBSD 8.2 with the following configuration:
>
> file /etc/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.LOCAL
> default_etypes = des-cbc-crc
> default_etypes_des = des-cbc-crc
> allow_weak_crypto = true
> [realms]
> EXAMPLE.LOCAL = {
> kdc = kerberos.example.local
> admin_server = kerberos.example.local
> }
> [domain_realm]
> .example.local = EXAMPLE.LOCAL
>
> file /etc/rc.conf:
>
> ## NFS v4
> nfsuserd_enable="YES"
> nfscbd_enable="YES"
> # kerberos
> gssd_enable="YES"
>
> file /etc/sysctl.conf:
> # Allow normal users to mount filesystems.
> vfs.usermount=1
>
> here is the output from the client:
>
> $ klist
> klist: No ticket file: /tmp/krb5cc_1001
>
> $ mount -t nfs -o nfsv4,soft,sec=krb5i srv.example.local:/tank/storage /mnt/srv
> mount_nfs: can't update /var/db/mounttab for srv.example.local:/tank/storage
> nfsv4 err=10016
> mount_nfs: /mnt/srv, : Input/output error
>
> then I do:
>
> $ kinit user
> $ klist
> Credentials cache: FILE:/tmp/krb5cc_1001
> Principal: user@EXAMPLE.LOCAL
>
> Issued          Expires         Principal
> Feb 2 21:15:36  Feb 3 07:15:33  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
>
> $ mount -t nfs -o nfsv4,soft,sec=krb5i srv.example.local:/tank/storage /mnt/srv
> mount_nfs: can't update /var/db/mounttab for srv.example.local:/tank/storage
> nfsv4 err=10016
> mount_nfs: /mnt/srv, : Input/output error
>
> $ klist
> Credentials cache: FILE:/tmp/krb5cc_1001
> Principal: user@EXAMPLE.LOCAL
>
> Issued          Expires         Principal
> Feb 2 21:15:36  Feb 3 07:15:33  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> Feb 2 21:15:43  Feb 3 07:15:33  nfs/srv.example.local@EXAMPLE.LOCAL
>
> Note: the mount works without Kerberos if I add "sys" to the "sec"
> option on both lines of /etc/exports, ownership works too, therefore I
> think that nfsv4 works, nfsv3 works too. However I have no idea why
> they don't work with Kerberos.
>
> Note: With and without a kerberos ticket, the result when using nfsv3
> is:
>
> $ mount -t nfs -o nfsv3,soft,sec=krb5i srv.example.local:/tank/storage /mnt/srv
> mount_nfs: can't update /var/db/mounttab for srv.example.local:/tank/storage
>
> $ ls /mnt/srv
> ls: /mnt/srv: Permission denied
>
> Is there an easy way to get it working? Am I doing something wrong?
>
Thanks to Elias's hard work, a bug/fix has just been isolated in the
Kerberos library that causes the gssd to fail to translate a principal
to a uid. The fix is to increase the size of the buffer passed to
getpwnam_r().
See this thread:
http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw

I haven't run into this bug, so I don't know what systems are affected,
but it would explain why you can't get it working. I'd suggest you
apply the patch in the email (increase buf to 1024) and then try again
with libraries built with the patch.

rick

> PS: Please CC me, since I am not subscribed.
>
> 1: http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
>
> Regards,
> Momchil
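The failure mode Rick describes (a fixed buffer handed to getpwnam_r() that is too small for the passwd entry, so the principal-to-uid translation fails) and the defensive fix, shown here as an added example rather than the gssd or Kerberos library code or Elias's patch: getpwnam_r() reports ERANGE when its buffer is too small, so the lookup retries with a larger buffer instead of trusting one fixed size. The function names are hypothetical, and the example looks up "root" from the local password database.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Lookup with a caller-chosen fixed buffer, the pattern behind the bug in
 * the thread. Returns 0 on success, otherwise an errno value: ERANGE means
 * the buffer could not hold the entry's strings, ENOENT means no such user. */
int uid_for_name_fixed(const char *name, size_t buflen, uid_t *uid)
{
    struct passwd pw, *result = NULL;
    char *buf = malloc(buflen);
    if (buf == NULL)
        return ENOMEM;
    int rc = getpwnam_r(name, &pw, buf, buflen, &result);
    if (rc == 0 && result == NULL)
        rc = ENOENT;            /* glibc reports "not found" this way */
    if (rc == 0)
        *uid = pw.pw_uid;
    free(buf);
    return rc;
}

/* Defensive lookup: start small and double the buffer on every ERANGE,
 * with a ceiling so a corrupt or hostile NSS source cannot make us grow
 * without bound. A fixed 1024 bytes (the patch's value) would also be a
 * reasonable starting point. */
int uid_for_name_growing(const char *name, uid_t *uid)
{
    size_t buflen = 64;
    const size_t max_buflen = 64 * 1024;
    for (;;) {
        int rc = uid_for_name_fixed(name, buflen, uid);
        if (rc != ERANGE)
            return rc;
        if (buflen >= max_buflen)
            return ERANGE;
        buflen *= 2;
    }
}

int main(void)
{
    uid_t uid;
    int rc = uid_for_name_fixed("root", 4, &uid);
    printf("4-byte buffer: %s\n", rc == ERANGE ? "ERANGE (too small)" : strerror(rc));
    rc = uid_for_name_growing("root", &uid);
    if (rc == 0)
        printf("growing buffer: root -> uid %lu\n", (unsigned long)uid);
    else
        printf("growing buffer: %s\n", strerror(rc));
    return 0;
}
```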