From owner-freebsd-fs@FreeBSD.ORG Thu Feb 21 23:18:04 2013
Date: Thu, 21 Feb 2013 18:17:56 -0500 (EST)
From: Rick Macklem
To: Momchil Ivanov
Cc: freebsd-fs@freebsd.org
Subject: Re: NFS + Kerberos
Message-ID: <496437657.3199038.1361488676628.JavaMail.root@erie.cs.uoguelph.ca>
List-Id: Filesystems

Momchil Ivanov wrote:
> On Thu, February 21, 2013 12:10 am, Rick Macklem wrote:
> > I would have thought kerberos was rebuilt for make buildworld. If
> > you use heimdal from somewhere else (ports or their distro), I don't
> > think that needs to be rebuilt, since I don't think the
> > ..pname_to_uid() function is a part of a generic heimdal
> > distribution, but I am not sure.
> >
> > Be sure to change buf[128] --> buf[1024] in both:
> > kerberos5/lib/libgssapi_krb5/pname_to_uid.c
> > usr.sbin/gssd/gssd.c
> >
> > (Or paths close to that. I might not have remembered them quite
> > correctly;-)
>
> this change allows for yet another entry in the kdc log:
>
> 2013-02-21T17:03:43 TGS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for nfs/srv.example.local@EXAMPLE.LOCAL
> 2013-02-21T17:03:44 TGS-REQ authtime: 2013-02-21T17:02:03 starttime: 2013-02-21T17:03:43 endtime: 2013-02-22T03:02:00 renew till: unset
> 2013-02-21T17:03:44 sending 612 bytes to IPv4:X.X.X.X
>
> which seems promising, but I still get:
>
> $ mount -t nfs -o nfsv4,sec=krb5i srv.example.local:/ /mnt/srv
> mount_nfs: can't update /var/db/mounttab for srv.example.local:/ nfsv4 err=10016
> mount_nfs: /mnt/srv, : Input/output error
>
Error 10016 is NFS4ERR_WRONGSEC. This means that the server expects a
different security flavour (sys maybe) at some point in the mount.

I can't remember if you posted your /etc/exports file before, but I
suspect the file system referred to by the root specified in the V4:
line isn't allowing krb5i.

For example, if you wanted to mount the file system rooted at /home by
the above, you would need the following 2 lines in /etc/exports.

/home -sec=krb5i
V4: /home -sec=krb5i

You can list other security flavours for -sec, but krb5i needs to be
one of them.

rick

ps: Don't worry about the "can't update /var/db/mounttab". It is
basically harmless and can be fixed by allowing the user doing the
mount write access to it. If you don't do that, then the mount will
still work ok, it will just generate the message.

> do you happen to have any other ideas?
>
> Thank you,
> Momchil
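The two-line rule in Rick's reply (the V4: root line and the export line for that root directory must both list the flavour the client asks for) can be checked mechanically before a mount is attempted. The following is an added example, not code from the thread or from FreeBSD's mountd; it assumes the exports(5) conventions that `-sec=` takes a colon-separated list of flavours and that an export line without `-sec=` defaults to `sys`, and it ignores host lists and other options. The two exports files it checks are constructed for the illustration.

```python
"""Predict NFS4ERR_WRONGSEC for an NFSv4 mount of the V4: root against a
FreeBSD-style /etc/exports.  Added illustration for the thread above, not
FreeBSD code; exports(5) details assumed: -sec=a:b is a colon-separated
list and the default flavour when -sec is absent is sys."""

import shlex

# Assumed exports(5) default when no -sec= option is given.
DEFAULT_FLAVOURS = {"sys"}


def _sec_flavours(options):
    """Return the set of flavours named by a '-sec=a:b' option, or the default."""
    for opt in options:
        if opt.startswith("-sec="):
            return set(opt[len("-sec="):].split(":"))
    return set(DEFAULT_FLAVOURS)


def parse_exports(text):
    """Extract (v4_root, v4_flavours, {export_path: flavours}) from exports text.

    Only the pieces needed for the flavour check are kept: the V4: root and
    its -sec list, and each exported path with its -sec list.  Host lists
    (anything not starting with '/' or '-') are ignored.  Full-line '#'
    comments are skipped by this parser.
    """
    v4_root, v4_flavours, exports = None, set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "V4:":
            v4_root = tokens[1]
            v4_flavours = _sec_flavours(tokens[2:])
            continue
        paths = [t for t in tokens if t.startswith("/")]
        options = [t for t in tokens if t.startswith("-")]
        for path in paths:
            # Several lines may export one path to different hosts; union them.
            exports.setdefault(path, set()).update(_sec_flavours(options))
    return v4_root, v4_flavours, exports


def check_mount(exports_text, flavour):
    """Return the list of reasons a mount of the V4: root with `flavour`
    would be refused.  An empty list means both lines allow the flavour."""
    v4_root, v4_flavours, exports = parse_exports(exports_text)
    if v4_root is None:
        return ["no V4: line, so NFSv4 is not served at all"]
    problems = []
    if flavour not in v4_flavours:
        problems.append(f"V4: line allows {sorted(v4_flavours)}, not {flavour}")
    root_flavours = exports.get(v4_root)
    if root_flavours is None:
        problems.append(f"{v4_root} has no export line of its own")
    elif flavour not in root_flavours:
        problems.append(
            f"export of {v4_root} allows {sorted(root_flavours)}, not {flavour}")
    return problems


# Constructed sample: the root file system only allows AUTH_SYS, so a
# sec=krb5i mount hits NFS4ERR_WRONGSEC even though the V4: line is right.
BROKEN_EXPORTS = """\
# root file system exported with the default/sys flavour only
/home -sec=sys
V4: /home -sec=krb5i
"""

# Constructed sample: krb5i is listed on both lines (other flavours may be added).
FIXED_EXPORTS = """\
/home -sec=krb5i:sys
V4: /home -sec=krb5i:sys
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_EXPORTS), ("fixed", FIXED_EXPORTS)):
        print(name, "->", check_mount(text, "krb5i") or "ok")
```

Run against a real exports file, the same check is `check_mount(open("/etc/exports").read(), "krb5i")`; a non-empty result names the line that will make mountd answer NFS4ERR_WRONGSEC.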