Date: Thu, 21 Feb 2013 18:17:56 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Momchil Ivanov <momchil@xaxo.eu>
Cc: freebsd-fs@freebsd.org
Subject: Re: NFS + Kerberos
Message-ID: <496437657.3199038.1361488676628.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <d112e84c5a294f5e009e8eac4eb0cf19.squirrel@webmail.xaxo.eu>
Momchil Ivanov wrote:
> On Thu, February 21, 2013 12:10 am, Rick Macklem wrote:
> > I would have thought kerberos was rebuilt for make buildworld. If you
> > use heimdal from somewhere else (ports or their distro), I don't think
> > that needs to be rebuilt, since I don't think the ..pname_to_uid()
> > function is a part of a generic heimdal distribution, but I am not
> > sure.
> >
> > Be sure to change buf[128] --> buf[1024] in both:
> > kerberos5/lib/libgssapi_krb5/pname_to_uid.c
> > usr.sbin/gssd/gssd.c
> >
> > (Or paths close to that. I might not have remembered them quite
> > correctly;-)
>
> this change allows for yet another entry in the kdc log:
>
> 2013-02-21T17:03:43 TGS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for nfs/srv.example.local@EXAMPLE.LOCAL
> 2013-02-21T17:03:44 TGS-REQ authtime: 2013-02-21T17:02:03 starttime: 2013-02-21T17:03:43 endtime: 2013-02-22T03:02:00 renew till: unset
> 2013-02-21T17:03:44 sending 612 bytes to IPv4:X.X.X.X
>
> which seems promising, but I still get:
>
> $ mount -t nfs -o nfsv4,sec=krb5i srv.example.local:/ /mnt/srv
> mount_nfs: can't update /var/db/mounttab for srv.example.local:/ nfsv4 err=10016
> mount_nfs: /mnt/srv, : Input/output error
>

Error 10016 is NFS4ERR_WRONGSEC. This means that the server expects a
different security flavour (sys maybe) at some point in the mount.

I can't remember if you posted your /etc/exports file before, but I
suspect the file system referred to by the root specified in the V4: line
isn't allowing krb5i.

For example, if you wanted to mount the file system rooted at /home by
the above, you would need the following 2 lines in /etc/exports.

/home -sec=krb5i <host-or-network>
V4: /home -sec=krb5i

You can list other security flavours for -sec, but krb5i needs to be one
of them.

rick

ps: Don't worry about the "can't update /var/db/mounttab". It is basically
harmless and can be fixed by allowing the user doing the mount write
access to it. If you don't do that, then the mount will still work ok,
it will just generate the message.

> do you happen to have any other ideas?
>
> Thank you,
> Momchil
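
The /etc/exports check described in the message above, as an added example that is not part of the original e-mail or of FreeBSD: it reads exports text and reports whether the V4: line and the export line for the V4 root both list the flavour used in the mount. The function names, the host name `client.example.local` and both sample files are constructed for illustration; the parsing assumptions are stated in the comments.

```python
# Added example: check FreeBSD exports text for a security flavour on both lines.
# Assumptions: -sec= is its own token, flavours are colon-separated, a line
# without -sec allows only sys, and the V4: root is itself named on an export line.

def parse_exports(text):
    """Split exports text into V4: lines and export lines, each (paths, flavours)."""
    v4_lines, export_lines = [], []
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        is_v4 = tokens[0] == "V4:"
        paths = [t for t in tokens if t.startswith("/")]
        flavours = ["sys"]  # assumed default when no -sec option is given
        for t in tokens:
            if t.startswith("-sec="):
                flavours = t[len("-sec="):].split(":")
        (v4_lines if is_v4 else export_lines).append((paths, flavours))
    return v4_lines, export_lines


def missing_flavour(text, flavour="krb5i"):
    """Return a list of problems; an empty list means both lines allow the flavour."""
    v4_lines, export_lines = parse_exports(text)
    problems = [] if v4_lines else ["no V4: line found"]
    for roots, v4_flavours in v4_lines:
        for root in roots:
            if flavour not in v4_flavours:
                problems.append(f"V4: {root} does not list {flavour}")
            matching = [f for paths, f in export_lines if root in paths]
            if not matching:
                problems.append(f"no export line names {root}")
            elif not any(flavour in f for f in matching):
                problems.append(f"export line for {root} does not list {flavour}")
    return problems


# Constructed sample: the export line allows krb5i but the V4: line does not.
BROKEN = "# constructed sample\n/home -sec=krb5i client.example.local\nV4: /home\n"
# Constructed sample: the two lines from the message, with sys kept as an extra flavour.
FIXED = "/home -sec=sys:krb5i client.example.local\nV4: /home -sec=krb5i\n"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, missing_flavour(text) or "ok")
```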