Date: Thu, 7 Feb 2013 15:05:53 +0100 From: Janusz Bulik <januszbulik@googlemail.com> To: freebsd-stable@freebsd.org Subject: NFSv4 + Kerberos permission denied Message-ID: <CAMFg4WvJrzT7KB-4W_JnHH9CcPiK%2BcWHp6KJPEZg=-K2Cb-QzQ@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hello, I've got a little problem with NFSv4 + Kerberos. I can do a mount with Kerberos with a valid ticket, but read-only. After the mount -vvv -t nfs -o nfsv4,sec=krb5 nfsserver:/ /mount_test/ I can see: #klist: Feb 6 07:22:47 Feb 6 17:22:43 nfs/nfsserver@my.domain #/var/heimdal/kdc.log: 2013-02-06T07:28:26 TGS-REQ clientnfs@my.domain from IPv4:192.168.0.23 for nfs/nfsserver@my.domain tcpdump: 14:59:36.140272 IP nfsclient.61011 > 192.168.0.21.kerberos-sec: 14:59:36.142301 IP 192.168.0.21.kerberos-sec > nfsclient.61011: I got "Permission denied" message when I try to mkdir or rm. As a root mount and as a user mount (sysctl vfs.usermounts=1). With -sec=sys it works read-write, but with -sec=krb5 read-only.. my /etc/exports: V4: /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask 255.255.255.0 /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask 255.255.255.0 -maproot=root -alldirs tried with V4: / .... as well. Added all the principals needed. Tried also with full qualified domain names. SSH works fine with Kerberos Do I need rpcsec_gss.patch? (according to http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup) or can I make it work somehow else? I used FreeBSD-9.1-RELEASE-i386-disc1 and FreeBSD-10.0-CURRENT-i386-20130202-r246254-release -- Greets Janusz
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAMFg4WvJrzT7KB-4W_JnHH9CcPiK%2BcWHp6KJPEZg=-K2Cb-QzQ>