Date: Mon, 9 Feb 2015 19:17:47 +0100 From: Sascha Frey <sf@techfak.net> To: freebsd-fs@freebsd.org Subject: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box Message-ID: <20150209181747.GB9520@TechFak.Uni-Bielefeld.DE>
Hi list,

I'm trying to set up an NFS file server for our Linux clients using FreeBSD 10.1.

Mounting the NFS filesystem exported from the FreeBSD box works well if using sec=sys, but doesn't work with sec=krb5. I get 'access denied' on the Linux client (tried both Debian Jessie and Ubuntu 14.04):

    root@penny:~# mount -t nfs -o vers=4,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
    mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey

    root@penny:~# mount -t nfs -o vers=3,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
    mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey

Mounting kerberized NFS mounts from our other (Linux based) file servers is possible without having any problems.

Connectivity to the KDC seems to be OK:

    [root@leonard ~]# kinit -k nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
    [root@leonard ~]# klist
    Credentials cache: FILE:/tmp/krb5cc_0
            Principal: nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE

      Issued                Expires               Principal
    Feb 9 17:51:58 2015   Feb 10 03:51:59 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE

I found only one error message in /var/log/messages:

    nfsd: can't register svc name

Any idea what may be wrong?

Cheers,
Sascha


The configuration files on the server:

/etc/exports:

    V4: / -sec=sys:krb5:krb5i:krb5p
    /export/homes/sfrey -sec=sys:krb5 penny.fs.cit-ec.net

/etc/rc.conf:

    nfs_server_enable="YES"
    nfsv4_server_enable="YES"
    nfs_server_flags="-u -t -n 6"
    nfsuserd_enable="YES"
    nfsuserd_flags="-domain TechFak.Uni-Bielefeld.DE"
    mountd_enable="YES"
    mountd_flags="-r"
    gssd_enable="YES"
    gssd_flags="-v"

/etc/krb5.conf:

    [libdefaults]
        default_keytab_name = /etc/krb5.keytab
        default_realm = TECHFAK.UNI-BIELEFELD.DE
        allow_weak_crypto = true

    [realms]
        TECHFAK.UNI-BIELEFELD.DE = {
            default_domain = techfak.uni-bielefeld.de
        }

    [domain_realm]
        .techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.DE
        techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.D

/etc/krb5.keytab:

    [root@leonard ~]# ktutil list
    /etc/krb5.keytab:

    Vno  Type           Principal                                              Aliases
      2  des-cbc-crc    nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
      2  des3-cbc-sha1  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
      2  des-cbc-crc    host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
      2  des3-cbc-sha1  host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
      2  des-cbc-crc    root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
      2  des3-cbc-sha1  root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE