Date: Sat, 09 Feb 2013 15:11:15 +0100
Message-ID: <86bobtmvb0.wl%momchil@xaxo.eu>
From: Momchil Ivanov
To: freebsd-fs@freebsd.org
Subject: NFS + Kerberos

Hello,

I have been trying to follow this guide [1] to get NFS with Kerberos working on FreeBSD, but I have some trouble. I hope somebody has the time and desire to help me...

I am using FreeBSD 9.1 as NFS server with the following configuration on the server:

file /etc/krb5.conf:

[libdefaults]
    default_realm = EXAMPLE.LOCAL
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
    allow_weak_crypto = true

[realms]
    EXAMPLE.LOCAL = {
        kdc = kerberos.example.local
        admin_server = kerberos.example.local
    }

[domain_realm]
    .example.local = EXAMPLE.LOCAL

file /etc/exports:

V4: / -sec=krb5i:krb5p
/tank/storage -sec=krb5i:krb5p

file /etc/rc.conf:

## nfsv4
nfs_server_enable="YES"
nfsv4_server_enable="YES"
nfsuserd_enable="YES"
mountd_enable="YES"
mountd_flags="-r -n"
# for kerberos
gssd_enable="YES"

kerberos seems to be working:

root@srv:/root # kinit -k nfs/srv.example.local
root@srv:/root # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: nfs/srv.example.local@EXAMPLE.LOCAL

  Issued           Expires          Principal
Feb  2 21:04:02  Feb  3 07:04:02  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
root@srv:/root # kdestroy
root@srv:/root # ktutil list
FILE:/etc/krb5.keytab:

Vno  Type         Principal
  1  des-cbc-crc  nfs/srv.example.local@EXAMPLE.LOCAL

krb4:/etc/srvtab:

Vno  Type         Principal

the client is FreeBSD 8.2 with the following configuration:

file /etc/krb5.conf:

[libdefaults]
    default_realm = EXAMPLE.LOCAL
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
    allow_weak_crypto = true

[realms]
    EXAMPLE.LOCAL = {
        kdc = kerberos.example.local
        admin_server = kerberos.example.local
    }

[domain_realm]
    .example.local = EXAMPLE.LOCAL

file /etc/rc.conf:

## NFS v4
nfsuserd_enable="YES"
nfscbd_enable="YES"
# kerberos
gssd_enable="YES"

file /etc/sysctl.conf:

# Allow normal users to mount filesystems.
vfs.usermount=1

here is the output from the client:

$ klist
klist: No ticket file: /tmp/krb5cc_1001
$ mount -t nfs -o nfsv4,soft,sec=krb5i srv.example.local:/tank/storage /mnt/srv
mount_nfs: can't update /var/db/mounttab for srv.example.local:/tank/storage
nfsv4 err=10016
mount_nfs: /mnt/srv, : Input/output error

then I do:

$ kinit user
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: user@EXAMPLE.LOCAL

  Issued           Expires          Principal
Feb  2 21:15:36  Feb  3 07:15:33  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
$ mount -t nfs -o nfsv4,soft,sec=krb5i srv.example.local:/tank/storage /mnt/srv
mount_nfs: can't update /var/db/mounttab for srv.example.local:/tank/storage
nfsv4 err=10016
mount_nfs: /mnt/srv, : Input/output error
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: user@EXAMPLE.LOCAL

  Issued           Expires          Principal
Feb  2 21:15:36  Feb  3 07:15:33  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
Feb  2 21:15:43  Feb  3 07:15:33  nfs/srv.example.local@EXAMPLE.LOCAL

Note: the mount works without Kerberos if I add "sys" to the "sec" option on both lines of /etc/exports, ownership works too, therefore I think that nfsv4 works, nfsv3 works too. However I have no idea why they don't work with Kerberos.

Note: With and without a kerberos ticket, the result when using nfsv3 is:

$ mount -t nfs -o nfsv3,soft,sec=krb5i srv.example.local:/tank/storage /mnt/srv
mount_nfs: can't update /var/db/mounttab for srv.example.local:/tank/storage
$ ls /mnt/srv
ls: /mnt/srv: Permission denied

Is there an easy way to get it working? Am I doing something wrong?

PS: Please CC me, since I am not subscribed.

1: http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

Regards,
Momchil
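
The following check is an added example, not part of the original message: it parses a krb5.conf such as the two posted above and reports settings that enable single-DES encryption types, which RFC 6649 deprecates. The function name audit_krb5_conf and the embedded sample text are constructed for this example.

```python
import re

# Single-DES encryption types, deprecated for Kerberos by RFC 6649.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
TRUE_VALUES = {"true", "yes", "on", "1"}  # common boolean spellings

# Constructed sample input: two sections of the krb5.conf posted in the message.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
    allow_weak_crypto = true
[realms]
    EXAMPLE.LOCAL = {
        kdc = kerberos.example.local
        admin_server = kerberos.example.local
    }
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
SETTING_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")

def audit_krb5_conf(text):
    """Return (section, key, reason) tuples for settings that enable single-DES."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        setting = SETTING_RE.match(line)
        if not setting:                       # e.g. the closing "}" of a realm block
            continue
        key, value = setting.group(1), setting.group(2).strip().lower()
        if key == "allow_weak_crypto" and value in TRUE_VALUES:
            findings.append((section, key, "weak enctypes permitted"))
        for etype in sorted(WEAK_ENCTYPES.intersection(re.split(r"[\s,]+", value))):
            findings.append((section, key, "single-DES enctype " + etype))
    return findings

if __name__ == "__main__":
    for section, key, reason in audit_krb5_conf(SAMPLE_KRB5_CONF):
        print("[%s] %s: %s" % (section, key, reason))
```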