Date:      Thu, 7 Feb 2013 15:05:53 +0100
From:      Janusz Bulik <januszbulik@googlemail.com>
To:        freebsd-stable@freebsd.org
Subject:   NFSv4 + Kerberos permission denied
Message-ID:  <CAMFg4WvJrzT7KB-4W_JnHH9CcPiK%2BcWHp6KJPEZg=-K2Cb-QzQ@mail.gmail.com>

Hello,
I've got a little problem with NFSv4 + Kerberos. I can do a mount with
Kerberos with a valid ticket, but read-only.
After the mount -vvv -t nfs -o nfsv4,sec=krb5 nfsserver:/ /mount_test/
I can see:

#klist:
Feb  6 07:22:47  Feb  6 17:22:43  nfs/nfsserver@my.domain

#/var/heimdal/kdc.log:
2013-02-06T07:28:26 TGS-REQ clientnfs@my.domain from IPv4:192.168.0.23 for nfs/nfsserver@my.domain

tcpdump:
14:59:36.140272 IP nfsclient.61011 > 192.168.0.21.kerberos-sec:
14:59:36.142301 IP 192.168.0.21.kerberos-sec > nfsclient.61011:

I get a "Permission denied" message when I try to mkdir or rm, both as a
root mount and as a user mount (sysctl vfs.usermounts=1).
With -sec=sys it works read-write, but with -sec=krb5 it is read-only.

my /etc/exports:
V4: /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask 255.255.255.0
/export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask 255.255.255.0 -maproot=root -alldirs

Tried with V4: / .... as well.
Added all the principals needed.
Tried also with fully qualified domain names.
SSH works fine with Kerberos.


Do I need rpcsec_gss.patch? (according to
http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup)
or can I make it work somehow else?

I used FreeBSD-9.1-RELEASE-i386-disc1
and
FreeBSD-10.0-CURRENT-i386-20130202-r246254-release

-- 
Greets
Janusz


