From: Rick Macklem <rmacklem@uoguelph.ca>
To: Momchil Ivanov
Cc: freebsd-fs@freebsd.org
Date: Sat, 9 Feb 2013 11:02:21 -0500 (EST)
Subject: Re: NFS + Kerberos
Message-ID: <843900310.2847717.1360425741450.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <86bobtmvb0.wl%momchil@xaxo.eu>

Momchil Ivanov wrote:
> Hello,
>
> I have been trying to follow this guide [1] to get NFS with Kerberos
> working on FreeBSD, but I have some trouble. I hope somebody has the
> time and desire to help me...
>
> I am using FreeBSD 9.1 as NFS server with the following configuration
> on the server:
>
> file /etc/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.LOCAL
> default_etypes = des-cbc-crc
> default_etypes_des = des-cbc-crc
> allow_weak_crypto = true
> [realms]
> EXAMPLE.LOCAL = {
> kdc = kerberos.example.local
> admin_server = kerberos.example.local
> }
> [domain_realm]
> .example.local = EXAMPLE.LOCAL
>
> file /etc/exports:
>
> V4: / -sec=krb5i:krb5p
> /tank/storage -sec=krb5i:krb5p
>
For ZFS every ZFS volume below the "V4: " normally needs to be exported.
Below you mention that the NFSv4 mount worked for -sec=sys, but I don't
know how it would. Assuming /tank is ZFS (if it's UFS, just ignore this;-),
I'd suggest changing the line to:
V4: /tank/storage -sec=krb5i,krb5p
(You then need to use srv.example.local:/ as your mount point for the
mount command for NFSv4.)

> file /etc/rc.conf:
>
> ## nfsv4
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfsuserd_enable="YES"
> mountd_enable="YES"
> mountd_flags="-r -n"
>
> # for kerberos
> gssd_enable="YES"
>
> kerberos seems to be working:
>
> root@srv:/root # kinit -k nfs/srv.example.local
> root@srv:/root # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: nfs/srv.example.local@EXAMPLE.LOCAL
>
> Issued           Expires          Principal
> Feb 2 21:04:02   Feb 3 07:04:02   krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> root@srv:/root # kdestroy
> root@srv:/root # ktutil list
> FILE:/etc/krb5.keytab:
>
> Vno  Type         Principal
>   1  des-cbc-crc  nfs/srv.example.local@EXAMPLE.LOCAL
>
> krb4:/etc/srvtab:
>
> Vno  Type         Principal
>
> the client is FreeBSD 8.2 with the following configuration:
>
> file /etc/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.LOCAL
> default_etypes = des-cbc-crc
> default_etypes_des = des-cbc-crc
> allow_weak_crypto = true
> [realms]
> EXAMPLE.LOCAL = {
> kdc = kerberos.example.local
> admin_server = kerberos.example.local
> }
> [domain_realm]
> .example.local = EXAMPLE.LOCAL
>
> file /etc/rc.conf:
>
> ## NFS v4
> nfsuserd_enable="YES"
> nfscbd_enable="YES"
> # kerberos
> gssd_enable="YES"
>
> file /etc/sysctl.conf:
> # Allow normal users to mount filesystems.
> vfs.usermount=1
>
> here is the output from the client:
>
> $ klist
> klist: No ticket file: /tmp/krb5cc_1001
>
> $ mount -t nfs -o nfsv4,soft,sec=krb5i srv.example.local:/tank/storage
> /mnt/srv
> mount_nfs: can't update /var/db/mounttab for
> srv.example.local:/tank/storage
> nfsv4 err=10016
> mount_nfs: /mnt/srv, : Input/output error
>
Yep, I would expect this to fail.

> then I do:
>
> $ kinit user
> $ klist
> Credentials cache: FILE:/tmp/krb5cc_1001
> Principal: user@EXAMPLE.LOCAL
>
> Issued           Expires          Principal
> Feb 2 21:15:36   Feb 3 07:15:33   krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
>
> $ mount -t nfs -o nfsv4,soft,sec=krb5i srv.example.local:/tank/storage
> /mnt/srv
> mount_nfs: can't update /var/db/mounttab for
> srv.example.local:/tank/storage
This error message happens because the non-root user doesn't have write
access to mounttab. You can fix the problem by opening up permissions on it,
but it does not really matter. The contents of mounttab are for information
only and do not affect the mount.

> nfsv4 err=10016
> mount_nfs: /mnt/srv, : Input/output error
>
Not sure why this fails. Might have been the issue I mentioned above.
I'd suggest you try again with the above V4: line modified and the mount
looking like:
$ mount -t nfs -o nfsv4,sec=krb5i srv.example.local:/ /mnt/srv
(I also strongly recommend against using `soft` for NFSv4 mounts, but that
shouldn't cause this to fail.)

10016 is NFS4ERR_WRONGSEC, so it didn't like you using Kerberos. I suspect
that would be somewhere higher up in the path.

> $ klist
> Credentials cache: FILE:/tmp/krb5cc_1001
> Principal: user@EXAMPLE.LOCAL
>
> Issued           Expires          Principal
> Feb 2 21:15:36   Feb 3 07:15:33   krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> Feb 2 21:15:43   Feb 3 07:15:33   nfs/srv.example.local@EXAMPLE.LOCAL
>
> Note: the mount works without Kerberos if I add "sys" to the "sec"
> option on both lines of /etc/exports, ownership works too, therefore I
> think that nfsv4 works, nfsv3 works too. However I have no idea why
> they don't work with Kerberos.
>
I was never sure it was the correct thing to do, but the original author
coded it so that it would fall back to -sec=sys when Kerberos failed. That
would explain why it succeeds for this case.

> Note: With and without a kerberos ticket, the result when using nfsv3
> is:
>
> $ mount -t nfs -o nfsv3,soft,sec=krb5i srv.example.local:/tank/storage
> /mnt/srv
> mount_nfs: can't update /var/db/mounttab for
> srv.example.local:/tank/storage
>
> $ ls /mnt/srv
> ls: /mnt/srv: Permission denied
I have never tried a non-root NFSv3 Kerberos mount. Normally, the above
mount would be done by root and then accessed by the non-root user. (NFSv3
has no state-related operations, so the mount can be done by root, since it
does not need kerberos authentication.) I cannot think of why a non-root
mount would not work, but since I have never done it, I would suggest you
try doing this mount as root and see if it makes any difference.

In general, the cause of these failures can be difficult to figure out,
since it can fail in so many ways. Looking at the log file for the KDC can
sometimes help. Or, capturing packets and looking at them in wireshark
(which understands NFSv4 and RPCSEC_GSS) will give you some idea where it
breaks.

Good luck with it, rick

>
> Is there an easy way to get it working? Am I doing something wrong?
>
> PS: Please CC me, since I am not subscribed.
>
> 1: http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
>
> Regards,
> Momchil
> _______________________________________________
> freebsd-fs@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
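As an added, self-contained example (not code from this thread or from FreeBSD), the following POSIX sh script applies the checks Rick's reply implies to constructed copies of the poster's /etc/exports and /etc/krb5.conf: it derives the path a client must name after "server:" for an NFSv4 mount, relative to the V4: root (so a V4: root of /tank/storage means mounting srv.example.local:/); lists the -sec flavors for an exported path; flags a "sys" flavor, which under the fallback Rick describes lets a failed Kerberos negotiation silently succeed as AUTH_SYS and hide the real problem; flags the weak DES enctypes and allow_weak_crypto in krb5.conf; and names the nfsv4 err= number mount_nfs printed. The sample file contents, the "fixed" exports file, and the srv.example.local hostname are constructed for the example; the parsing assumes the colon-separated -sec= form from the poster's file and that an export line without -sec= defaults to sys.

```shell
#!/bin/sh
# Added example: audit an exports(5) file and a krb5.conf [libdefaults]
# section for the NFSv4 + Kerberos issues discussed in the thread.

# Constructed sample: the poster's original /etc/exports (V4: root is "/").
SAMPLE_EXPORTS='V4: / -sec=krb5i:krb5p
/tank/storage -sec=krb5i:krb5p'

# Constructed sample: exports rewritten so the ZFS dataset is the V4: root,
# along the lines Rick suggests (colon-separated -sec= form assumed).
FIXED_EXPORTS='V4: /tank/storage -sec=krb5i:krb5p
/tank/storage -sec=krb5i:krb5p'

# Constructed sample: the poster's krb5.conf [libdefaults] section.
SAMPLE_KRB5='[libdefaults]
default_realm = EXAMPLE.LOCAL
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
allow_weak_crypto = true'

# v4_root EXPORTS: print the path on the "V4:" line (nothing if absent).
v4_root() {
    printf '%s\n' "$1" | awk '$1 == "V4:" { print $2; exit }'
}

# nfsv4_client_path EXPORTS EXPORTED_PATH: the path a client names after
# "server:" for an NFSv4 mount, i.e. EXPORTED_PATH relative to the V4: root.
nfsv4_client_path() {
    root=$(v4_root "$1")
    [ -n "$root" ] || { echo "no V4: line in exports" >&2; return 1; }
    if [ "$root" = / ]; then
        echo "$2"
        return 0
    fi
    case "$2" in
        "$root")   echo / ;;
        "$root"/*) echo "/${2#"$root"/}" ;;
        *) echo "$2 is outside the V4: root $root" >&2; return 1 ;;
    esac
}

# sec_flavors EXPORTS EXPORTED_PATH: the -sec= flavors for that export line,
# printed space-separated; "sys" when the line carries no -sec= (assumed default).
sec_flavors() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p {
            for (i = 2; i <= NF; i++)
                if (substr($i, 1, 5) == "-sec=") {
                    s = substr($i, 6); gsub(":", " ", s); print s; exit
                }
            print "sys"; exit
        }'
}

# allows_sys_fallback EXPORTS EXPORTED_PATH: succeeds if "sys" is accepted,
# so a Kerberos failure on the client can quietly degrade to AUTH_SYS.
allows_sys_fallback() {
    for f in $(sec_flavors "$1" "$2"); do
        [ "$f" = sys ] && return 0
    done
    return 1
}

# krb5_weak_crypto CONF: succeeds if [libdefaults] turns on weak crypto
# (allow_weak_crypto = true, or a des-* default enctype).
krb5_weak_crypto() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*allow_weak_crypto[ \t]*=[ \t]*true/   { weak = 1 }
        /^[ \t]*default_etypes(_des)?[ \t]*=.*des-/   { weak = 1 }
        END { exit weak ? 0 : 1 }'
}

# nfs4_errname NUMBER: symbolic name for the "nfsv4 err=" value (RFC 3530).
nfs4_errname() {
    case "$1" in
        10016) echo NFS4ERR_WRONGSEC ;;
        10020) echo NFS4ERR_NOFILEHANDLE ;;
        10021) echo NFS4ERR_MINOR_VERS_MISMATCH ;;
        10022) echo NFS4ERR_STALE_CLIENTID ;;
        *)     echo "unknown($1)" ;;
    esac
}

# audit EXPORTS KRB5CONF EXPORTED_PATH SERVER: print the mount command to try
# and the caveats a reader of the thread would want to know about.
audit() {
    rel=$(nfsv4_client_path "$1" "$3") || return 1
    printf 'try: mount -t nfs -o nfsv4,sec=krb5i %s:%s /mnt/srv\n' "$4" "$rel"
    printf 'flavors for %s: %s\n' "$3" "$(sec_flavors "$1" "$3")"
    allows_sys_fallback "$1" "$3" &&
        echo 'note: "sys" accepted, so a Kerberos failure can fall back to AUTH_SYS unnoticed'
    krb5_weak_crypto "$2" &&
        echo 'note: krb5.conf enables weak DES enctypes (allow_weak_crypto = true)'
    return 0
}

echo "== original exports =="; audit "$SAMPLE_EXPORTS" "$SAMPLE_KRB5" /tank/storage srv.example.local
echo "== fixed exports ==";    audit "$FIXED_EXPORTS"  "$SAMPLE_KRB5" /tank/storage srv.example.local
echo "mount_nfs reported nfsv4 err=10016: $(nfs4_errname 10016)"
```

Run it as-is to see both exports variants audited; point the functions at `$(cat /etc/exports)` and `$(cat /etc/krb5.conf)` on a server to check a real configuration.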