Date: Mon, 9 Feb 2015 18:29:57 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Sascha Frey <sf@techfak.net>
Cc: freebsd-fs@freebsd.org
Subject: Re: Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box
Message-ID: <1722953463.3002240.1423524597892.JavaMail.root@uoguelph.ca>
In-Reply-To: <20150209181747.GB9520@TechFak.Uni-Bielefeld.DE>
Sascha Frey wrote:
> Hi list,
>
> I'm trying to set up a NFS file server for our Linux clients using
> FreeBSD 10.1.
>
> Mounting the NFS filesystem exported from the FreeBSD box works well
> if using sec=sys, but doesn't work with sec=krb5.
>
> I get 'access denied' on the Linux client (tried both Debian Jessie and
> Ubuntu 14.04):
>
> root@penny:~# mount -t nfs -o vers=4,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
> root@penny:~# mount -t nfs -o vers=3,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
>
> Mounting kerberized NFS mounts from our other (Linux based) file servers
> is possible without having any problems.
>
> Connectivity to the KDC seems to be OK:
> [root@leonard ~]# kinit -k nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
> [root@leonard ~]# klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>
>   Issued                Expires               Principal
> Feb  9 17:51:58 2015  Feb 10 03:51:59 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE
>
> I found only one error message in /var/log/messages:
> nfsd: can't register svc name
>
>
> Any idea what may be wrong?
>
Oh, and a couple more things...

FreeBSD only supports RPCSEC_GSS_VERSION1. This should be sufficient,
since it is what is required by the NFSv4 RFC. However, I wouldn't be
surprised if recent Linux clients decide it isn't good enough for them.
(Hopefully if this is the case, there is a way to tell Linux to use
version 1.)

If none of the suggestions helps, I'd suggest you capture packets via
something like:

# tcpdump -s 0 -w krbmnt.pcap host <client-host>

running while a mount attempt is done. You can then look at krbmnt.pcap
in wireshark to see what is going on the wire.

Also, take a look at your KDC logs. That might indicate a problem with
encryption type used or similar.

It has been tested against Linux and Solaris clients, but not for a
couple of years.

Again, good luck with it, rick

> Cheers,
> Sascha
>
>
> The configuration files on the server:
>
> /etc/exports:
> V4: / -sec=sys:krb5:krb5i:krb5p
> /export/homes/sfrey -sec=sys:krb5 penny.fs.cit-ec.net
>
> /etc/rc.conf:
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfs_server_flags="-u -t -n 6"
> nfsuserd_enable="YES"
> nfsuserd_flags="-domain TechFak.Uni-Bielefeld.DE"
> mountd_enable="YES"
> mountd_flags="-r"
> gssd_enable="YES"
> gssd_flags="-v"
>
> /etc/krb5.conf:
> [libdefaults]
>         default_keytab_name = /etc/krb5.keytab
>         default_realm = TECHFAK.UNI-BIELEFELD.DE
>         allow_weak_crypto = true
>
> [realms]
>         TECHFAK.UNI-BIELEFELD.DE = {
>                 default_domain = techfak.uni-bielefeld.de
>         }
>
> [domain_realm]
>         .techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.DE
>         techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.D
>
>
> /etc/krb5.keytab:
> [root@leonard ~]# ktutil list
> /etc/krb5.keytab:
>
> Vno  Type           Principal                                             Aliases
>   2  des-cbc-crc    nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>
> _______________________________________________
> freebsd-fs@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
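An added example, not part of Rick's or Sascha's mail, to go with the remark about encryption types: a small POSIX sh audit that reads `ktutil list`-style keytab output and reports keys that use single-DES enctypes (the set Heimdal and MIT only accept when allow_weak_crypto is set) and principals that have no key other than single DES. The listing is a constructed sample modelled on the keytab quoted above, with an invented aes256 entry added so that one principal passes the check; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the thread): audit a `ktutil list`-style keytab
# listing for single-DES keys. Single-DES enctypes are only accepted by
# Heimdal/MIT when allow_weak_crypto = true, so a policy mismatch between
# client and server shows up on the client as an opaque "access denied".

# Constructed sample modelled on the keytab quoted in the thread; the
# aes256 entry is invented to show a principal that passes the check.
SAMPLE_LISTING='/etc/krb5.keytab:

Vno  Type                     Principal                                            Aliases
  2  des-cbc-crc              nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des3-cbc-sha1            nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  2  des-cbc-crc              root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
  3  aes256-cts-hmac-sha1-96  host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE'

# Single-DES enctype names (the set gated by allow_weak_crypto).
is_weak_enctype() {
    case "$1" in
        des-cbc-crc|des-cbc-md4|des-cbc-md5|des-cbc-raw) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract "vno enctype principal" rows: only lines whose first field is a
# key version number are entries; the filename and header lines are skipped.
keytab_rows() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1, $2, $3 }'
}

# Print "enctype principal" for every key that uses a weak enctype.
list_weak_keys() {
    keytab_rows "$1" | while read -r vno enctype principal; do
        if is_weak_enctype "$enctype"; then
            printf '%s %s\n' "$enctype" "$principal"
        fi
    done
}

# Number of weak keys in the listing (0 when there are none).
count_weak_keys() {
    list_weak_keys "$1" | wc -l | tr -d ' '
}

# Principals whose only keys are single DES: a client that refuses weak
# crypto has no enctype in common with them and cannot authenticate at all.
principals_without_strong_key() {
    keytab_rows "$1" | awk '{
            seen[$3] = 1
            if (!($2 ~ /^des-cbc-/)) strong[$3] = 1
        }
        END { for (p in seen) if (!(p in strong)) print p }' | sort
}

# Stand-alone run: report on the constructed sample. Pass "$(ktutil list)"
# (Heimdal, as on FreeBSD) instead of SAMPLE_LISTING to audit a real keytab.
echo "weak keys: $(count_weak_keys "$SAMPLE_LISTING")"
list_weak_keys "$SAMPLE_LISTING"
echo "principals with no key stronger than single DES:"
principals_without_strong_key "$SAMPLE_LISTING"
```

On the sample this reports two weak keys (the des-cbc-crc entries for nfs/ and root/) and lists root/leonard.fs.cit-ec.net as the one principal with nothing but single DES; the nfs/ principal still has its des3-cbc-sha1 key, so a client that refuses single DES can fall back to that one. Checking the server keytab this way before reading a packet capture tells you whether an enctype mismatch is even possible.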