Date:      Mon, 9 Feb 2015 18:24:03 -0500 (EST)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Sascha Frey <sf@techfak.net>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box
Message-ID:  <2131985962.2999032.1423524243651.JavaMail.root@uoguelph.ca>
In-Reply-To: <20150209181747.GB9520@TechFak.Uni-Bielefeld.DE>

Sascha Frey wrote:
> Hi list,
> 
> I'm trying to set up a NFS file server for our Linux clients using
> FreeBSD 10.1.
> 
> Mounting the NFS filesystem exported from the FreeBSD box works well
> if using sec=sys, but doesn't work with sec=krb5.
> 
> I get 'access denied' on the Linux client (tried both Debian Jessie and
> Ubuntu 14.04):
> 
> root@penny:~# mount -t nfs -o vers=4,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
> root@penny:~# mount -t nfs -o vers=3,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
> 
> Mounting kerberized NFS mounts from our other (Linux based) file servers
> is possible without having any problems.
> 
> Connectivity to the KDC seems to be OK:
> [root@leonard ~]# kinit -k nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
> [root@leonard ~]# klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
> 
>   Issued                Expires               Principal
> Feb  9 17:51:58 2015  Feb 10 03:51:59 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE
> 
> I found only one error message in /var/log/messages:
> nfsd: can't register svc name
> 
Well, this message indicates it isn't going to work.
(This message means the nfsd couldn't register with the gssd daemon,
 so kerberized NFS won't work.) It is generated when the nfsd is
started.

The most common cause would be the gssd daemon not running when the
nfsd daemon is started. If the gssd was running when the nfsd was started
and this message is logged, there is a debug option on gssd that makes
it chatty and that might indicate why it is failing.

Also, there is this wiki. It is somewhat out of date, but I don't think
anything has changed w.r.t. the server side. (I'm not sure what the
current status is w.r.t. keytab entries encrypted in newer ways than
des-cbc-crc is.)
https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

Good luck with it, rick

> 
> Any idea what may be wrong?
> 
> Cheers,
> Sascha
> 
> The configuration files on the server:
> 
> /etc/exports:
> V4: / -sec=sys:krb5:krb5i:krb5p
> /export/homes/sfrey -sec=sys:krb5 penny.fs.cit-ec.net
> 
> /etc/rc.conf:
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfs_server_flags="-u -t -n 6"
> nfsuserd_enable="YES"
> nfsuserd_flags="-domain TechFak.Uni-Bielefeld.DE"
> mountd_enable="YES"
> mountd_flags="-r"
> gssd_enable="YES"
> gssd_flags="-v"
> 
> /etc/krb5.conf:
> [libdefaults]
>         default_keytab_name = /etc/krb5.keytab
>         default_realm = TECHFAK.UNI-BIELEFELD.DE
>         allow_weak_crypto = true
> 
> [realms]
>         TECHFAK.UNI-BIELEFELD.DE = {
>                 default_domain = techfak.uni-bielefeld.de
>         }
> 
> [domain_realm]
>         .techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.DE
>         techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.D
> 
> 
> /etc/krb5.keytab:
> [root@leonard ~]# ktutil list
> /etc/krb5.keytab:
> 
> Vno  Type           Principal                                            Aliases
>   2  des-cbc-crc    nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
> 

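As an added example (not code from the thread or from FreeBSD), a small POSIX sh pre-flight check for the failure Rick describes: it confirms gssd and the NFS server are both enabled in rc.conf, looks for the "nfsd: can't register svc name" line in a messages log, and, if it is there, reports whether gssd's chatty output is already switched on. It assumes gssd(8)'s -v and -d switches are the verbose/debug modes Rick refers to; the sample files it creates are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: pre-flight checks for
# the "nfsd: can't register svc name" failure. Takes an rc.conf and a
# /var/log/messages-style file; the sample inputs below are constructed.

# check_rc_conf RC -> 0 when both gssd and the NFS server are enabled
check_rc_conf() {
    grep -Eq '^gssd_enable="?[Yy][Ee][Ss]"?' "$1" &&
    grep -Eq '^nfs_server_enable="?[Yy][Ee][Ss]"?' "$1"
}

# nfsd_gss_failed LOG -> 0 when nfsd logged that it could not register with gssd
nfsd_gss_failed() {
    grep -q "nfsd: can't register svc name" "$1"
}

# gssd_verbose RC -> 0 when gssd_flags already turns on gssd's -v or -d output
# (assumed here to be the chatty modes Rick refers to)
gssd_verbose() {
    grep -Eq '^gssd_flags=.*-[vd]' "$1"
}

# diagnose RC LOG -> prints a one-token verdict; returns 0 only when healthy
diagnose() {
    if ! check_rc_conf "$1"; then
        echo gssd-or-nfsd-not-enabled; return 1
    fi
    if nfsd_gss_failed "$2"; then
        if gssd_verbose "$1"; then
            echo registration-failed-read-gssd-output
        else
            # gssd was probably not up when nfsd started: start gssd first,
            # then restart nfsd with gssd_flags="-v" to see why it still fails
            echo registration-failed-enable-gssd-verbose
        fi
        return 1
    fi
    echo ok
}

# Demo with constructed files: Sascha's rc.conf settings and his log line.
tmp=$(mktemp -d)
printf 'nfs_server_enable="YES"\ngssd_enable="YES"\ngssd_flags="-v"\n' > "$tmp/rc.conf"
printf "Feb  9 17:51:00 leonard nfsd: can't register svc name\n" > "$tmp/messages"
if diagnose "$tmp/rc.conf" "$tmp/messages"; then echo healthy; else echo "needs attention"; fi
rm -rf "$tmp"
```

On a live server the second argument would be /var/log/messages; the script reads files only and never restarts anything.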