Date: Mon, 9 Feb 2015 18:24:03 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Sascha Frey <sf@techfak.net>
Cc: freebsd-fs@freebsd.org
Subject: Re: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box
Message-ID: <2131985962.2999032.1423524243651.JavaMail.root@uoguelph.ca>
In-Reply-To: <20150209181747.GB9520@TechFak.Uni-Bielefeld.DE>

Sascha Frey wrote:
> Hi list,
>
> I'm trying to set up a NFS file server for our Linux clients using
> FreeBSD 10.1.
>
> Mounting the NFS filesystem exported from the FreeBSD box works well
> if using sec=sys, but doesn't work with sec=krb5.
>
> I get 'access denied' on the Linux client (tried both Debian Jessie
> and Ubuntu 14.04):
>
> root@penny:~# mount -t nfs -o vers=4,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
> root@penny:~# mount -t nfs -o vers=3,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
>
> Mounting kerberized NFS mounts from our other (Linux based) file
> servers is possible without having any problems.
>
> Connectivity to the KDC seems to be OK:
> [root@leonard ~]# kinit -k nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
> [root@leonard ~]# klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>
>   Issued                Expires               Principal
> Feb  9 17:51:58 2015  Feb 10 03:51:59 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE
>
> I found only one error message in /var/log/messages:
> nfsd: can't register svc name
>
Well, this message indicates it isn't going to work. (This message
means the nfsd couldn't register with the gssd daemon, so kerberized
NFS won't work.) It is generated when the nfsd is started.

The most common cause would be the gssd daemon not running when the
nfsd daemon is started.

If the gssd was running when the nfsd was started and this message is
logged, there is a debug option on gssd that makes it chatty and that
might indicate why it is failing.

Also, there is this wiki. It is somewhat out of date, but I don't think
anything has changed w.r.t. the server side. (I'm not sure what the
current status is w.r.t. keytab entries encrypted in newer ways than
des-cbc-crc is.)
https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

Good luck with it, rick

> Any idea what may be wrong?
>
> Cheers,
> Sascha
>
> The configuration files on the server:
>
> /etc/exports:
> V4: / -sec=sys:krb5:krb5i:krb5p
> /export/homes/sfrey -sec=sys:krb5 penny.fs.cit-ec.net
>
> /etc/rc.conf:
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfs_server_flags="-u -t -n 6"
> nfsuserd_enable="YES"
> nfsuserd_flags="-domain TechFak.Uni-Bielefeld.DE"
> mountd_enable="YES"
> mountd_flags="-r"
> gssd_enable="YES"
> gssd_flags="-v"
>
> /etc/krb5.conf:
> [libdefaults]
>     default_keytab_name = /etc/krb5.keytab
>     default_realm = TECHFAK.UNI-BIELEFELD.DE
>     allow_weak_crypto = true
>
> [realms]
>     TECHFAK.UNI-BIELEFELD.DE = {
>         default_domain = techfak.uni-bielefeld.de
>     }
>
> [domain_realm]
>     .techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.DE
>     techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.D
>
> /etc/krb5.keytab:
> [root@leonard ~]# ktutil list
> /etc/krb5.keytab:
>
> Vno  Type           Principal                                             Aliases
>   2  des-cbc-crc    nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>
> _______________________________________________
> freebsd-fs@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
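
The triage order given in the reply above (is the failure logged, is gssd enabled, was gssd running, what does the keytab hold for the nfs/ principal), written out as an added example that is not part of the original message and not FreeBSD tooling. It assumes the log text and the `ktutil list` column layout quoted in the thread; the function names and the sample timestamp are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed from values
# quoted in the message; all function names are hypothetical.
sample_log() { cat <<'EOF'
Feb  9 17:40:01 leonard kernel: nfsd: can't register svc name
EOF
}
sample_rc() { cat <<'EOF'
nfs_server_enable="YES"
gssd_enable="YES"
EOF
}
sample_keytab() { cat <<'EOF'
Vno  Type           Principal                                            Aliases
  2  des-cbc-crc    nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des3-cbc-sha1  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des-cbc-crc    host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
EOF
}

# Count nfsd registration failures in syslog text on stdin (prints 0 if none).
count_svc_failures() { grep -c "nfsd: can't register svc name" || true; }

# Succeed if rc.conf text on stdin enables variable $1 (e.g. gssd_enable="YES").
rc_enabled() { grep -Eiq "^[[:space:]]*$1=\"?(YES|TRUE|ON|1)\"?[[:space:]]*(#.*)?\$"; }

# Print the enctypes held for principal $1 in `ktutil list` output on stdin.
principal_enctypes() {
  awk -v p="$1" '$1 ~ /^[0-9]+$/ && $3 == p { print $2 }' |
    LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# triage RCFILE LOGFILE KTLISTFILE PRINCIPAL GSSD_RUNNING
# GSSD_RUNNING is "yes" or "no"; on a live host test it with: pgrep -x gssd
triage() {
  fails=$(count_svc_failures < "$2")
  if [ "$fails" -eq 0 ]; then echo "ok: no registration failure logged"; return 0; fi
  if ! rc_enabled gssd_enable < "$1"; then
    echo "fix: enable gssd in rc.conf"; return 1
  fi
  if [ "$5" != yes ]; then echo "fix: start gssd, then restart nfsd"; return 1; fi
  enc=$(principal_enctypes "$4" < "$3")
  if [ -z "$enc" ]; then echo "check: no keytab entry for $4"; return 1; fi
  echo "check: restart nfsd; if it recurs use gssd debug output (keytab: $enc)"; return 1
}
```

On a server the three files would be `/etc/rc.conf`, `/var/log/messages` and saved `ktutil list` output. Because the message is logged only when nfsd starts, a failure line can predate a later gssd start, which is why the last branch asks for an nfsd restart before any further debugging.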