From: Janusz Bulik
To: freebsd-stable@freebsd.org
Date: Thu, 7 Feb 2013 15:05:53 +0100
Subject: NFSv4 + Kerberos permission denied
List-Id: Production branch of FreeBSD source code

Hello,

I've got a little problem with NFSv4 + Kerberos. I can do a mount with Kerberos with a valid ticket, but read-only.
After the mount -vvv -t nfs -o nfsv4,sec=krb5 nfsserver:/ /mount_test/ I can see:

#klist:
    Feb 6 07:22:47  Feb 6 17:22:43  nfs/nfsserver@my.domain

#/var/heimdal/kdc.log:
    2013-02-06T07:28:26 TGS-REQ clientnfs@my.domain from IPv4:192.168.0.23 for nfs/nfsserver@my.domain

tcpdump:
    14:59:36.140272 IP nfsclient.61011 > 192.168.0.21.kerberos-sec:
    14:59:36.142301 IP 192.168.0.21.kerberos-sec > nfsclient.61011:

I get a "Permission denied" message when I try to mkdir or rm. As a root mount and as a user mount (sysctl vfs.usermounts=1).
With -sec=sys it works read-write, but with -sec=krb5 read-only.

my /etc/exports:
    V4: /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask 255.255.255.0
    /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask 255.255.255.0 -maproot=root -alldirs

Tried with V4: / .... as well.
Added all the principals needed. Tried also with fully qualified domain names.
SSH works fine with Kerberos.

Do I need rpcsec_gss.patch? (according to http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup)
or can I make it work somehow else?

I used FreeBSD-9.1-RELEASE-i386-disc1 and FreeBSD-10.0-CURRENT-i386-20130202-r246254-release

--
Greets
Janusz