Date: Thu, 21 Feb 2013 21:45:59 -0500 (EST) From: Rick Macklem <rmacklem@uoguelph.ca> To: Momchil Ivanov <momchil@xaxo.eu> Cc: freebsd-fs@freebsd.org Subject: Re: NFS + Kerberos Message-ID: <1845485841.3202259.1361501159585.JavaMail.root@erie.cs.uoguelph.ca> In-Reply-To: <86ip5lkvnm.wl%momchil@xaxo.eu>
next in thread | previous in thread | raw e-mail | index | archive | help
Momchil Ivanov wrote: > At Thu, 21 Feb 2013 18:17:56 -0500 (EST), > Rick Macklem wrote: > > Error 10016 is NFS4ERR_WRONGSEC. This means that the server expects > > a > > different security flavour (sys maybe) at some point in the mount. > > btw you have a typo, it's NFSERR_WRONGSEC. Actually, it's called NFS4ERR_WRONGSEC in the RFC and NFSERR_WRONGSEC in the NFS sources, just to try and confuse you;-) > The problem is that I think > it would be hard for me to find the piece of code that issues it in my > case, so that I can understand why. Unfortunately, I am not familiar > with NFS and the kernel internals... and since there are a number of > places where it can be generated [1] and the machine that I am using > as a NFS server, is rather slow in compiling world... it would be hard > for me to instrument the code... > > > I can't remember if you posted your /etc/exports file before, but > > I suspect the file system referred by the root sepcified in the V4: > > line isn't allowing krb5i. For example, if you wanted to mount the > > file system rooted at /home by the above, you would need the > > following > > 2 lines in /etc/exports. > > > > /home -sec=krb5i <host-or-network> > > V4: /home -sec=krb5i > > here is my /etc/exports: > > V4: /tank/storage -sec=krb5i:krb5p > /tank/storage -sec=krb5i:krb5p > Just as an experiment, you could try adding "sys" to the -sec list for both lines. If the mount works then, it would tell you that the client isn't successfully getting a Kerberos credential and is falling back to using "sys" (called AUTH_SYS in the RFCs, just for further confusion;-). > > You can list other security flavours for -sec, but krb5i needs to be > > one of them. > > > > rick > > ps: Don't worry about the "can't update /var/db/mounttab". It is > > basically harmless and can be fixed by allowing the user doing > > the mount write access to it. If you don't do that, then the > > mount will still work ok, it will just generate the message. > > I know this :) > > btw I have Kerberos working with sshd on the same machine, so I think > I have managed to set it up correctly... but the NFS server doesn't > want to work with Kerberos.. the changes you suggested were in the > right direction, since I can now see TGS-REQ lines in the KDC log, but > there might still be some bugs here, or I am doing something wrong... > > Ideas are welcomed :) I would be happy to get it working. > Check to see what the user's credential cache file is called. If you "ls -l /tmp" you should be able to find it. If it isn't called /tmp/krb5cc_<uid>, where <uid> is the uid for the user, then you will need the recent patch applied to the gssd.c that adds a "-s" option to search for the credential cache file in a list of directories. This patch is in head as r244604 and stable/9 as r245089, but not in any release. (Some sshds generate separate credential cache files for each login session, although not the default one in the system, as far as I understand.) rick > 1: http://fxr.watson.org/fxr/ident?v=FREEBSD9;i=NFSERR_WRONGSEC > > Thank you, > Momchil
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1845485841.3202259.1361501159585.JavaMail.root>