Date:      Sat, 09 Feb 2013 15:11:15 +0100
From:      Momchil Ivanov <momchil@xaxo.eu>
To:        freebsd-fs@freebsd.org
Subject:   NFS + Kerberos
Message-ID:  <86bobtmvb0.wl%momchil@xaxo.eu>

Hello,

I have been trying to follow this guide [1] to get NFS with Kerberos
working on FreeBSD, but I have some trouble. I hope somebody has the
time and desire to help me...

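I am using FreeBSD 9.1 as the NFS server. [Editor's note: the des-cbc-crc
enctype configured below is single DES, which RFC 6649 deprecates for
Kerberos, and allow_weak_crypto = true is what permits it; where both the
NFS client and server support a stronger enctype such as AES, that is
preferable.] The configuration on the server is: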

file /etc/krb5.conf:

    [libdefaults]
        default_realm = EXAMPLE.LOCAL
        default_etypes = des-cbc-crc
        default_etypes_des = des-cbc-crc
        allow_weak_crypto = true
    [realms]
        EXAMPLE.LOCAL = {
            kdc = kerberos.example.local
            admin_server = kerberos.example.local
        }
    [domain_realm]
        .example.local = EXAMPLE.LOCAL
    
file /etc/exports:

    V4: / -sec=krb5i:krb5p
    /tank/storage -sec=krb5i:krb5p

file /etc/rc.conf:

    ## nfsv4
    nfs_server_enable="YES"
    nfsv4_server_enable="YES"
    nfsuserd_enable="YES"
    mountd_enable="YES"
    mountd_flags="-r -n"
    
    # for kerberos
    gssd_enable="YES"

Kerberos seems to be working on the server:

    root@srv:/root # kinit -k nfs/srv.example.local
    root@srv:/root # klist
    Credentials cache: FILE:/tmp/krb5cc_0
            Principal: nfs/srv.example.local@EXAMPLE.LOCAL
    
      Issued           Expires          Principal
    Feb  2 21:04:02  Feb  3 07:04:02  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
    root@srv:/root # kdestroy
    root@srv:/root # ktutil list
    FILE:/etc/krb5.keytab:
    
    Vno  Type         Principal
      1  des-cbc-crc  nfs/srv.example.local@EXAMPLE.LOCAL
    
    krb4:/etc/srvtab:
    
    Vno  Type  Principal
    
The client is FreeBSD 8.2, with the following configuration:

file /etc/krb5.conf:

    [libdefaults]
        default_realm = EXAMPLE.LOCAL
        default_etypes = des-cbc-crc
        default_etypes_des = des-cbc-crc
        allow_weak_crypto = true
    [realms]
        EXAMPLE.LOCAL = {
            kdc = kerberos.example.local
            admin_server = kerberos.example.local
        }
    [domain_realm]
        .example.local = EXAMPLE.LOCAL
    
file /etc/rc.conf:

    ## NFS v4
    nfsuserd_enable="YES"
    nfscbd_enable="YES"
    # kerberos
    gssd_enable="YES"

file /etc/sysctl.conf:
    # Allow normal users to mount filesystems.
    vfs.usermount=1

here is the output from the client:

    $ klist
    klist: No ticket file: /tmp/krb5cc_1001

    $ mount -t nfs -o nfsv4,soft,sec=krb5i srv.example.local:/tank/storage /mnt/srv
    mount_nfs: can't update /var/db/mounttab for srv.example.local:/tank/storage
    nfsv4 err=10016
    mount_nfs: /mnt/srv, : Input/output error

then I do:

    $ kinit user
    $ klist
    Credentials cache: FILE:/tmp/krb5cc_1001
            Principal: user@EXAMPLE.LOCAL
    
      Issued           Expires          Principal
    Feb  2 21:15:36  Feb  3 07:15:33  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL

    $ mount -t nfs -o nfsv4,soft,sec=krb5i srv.example.local:/tank/storage /mnt/srv
    mount_nfs: can't update /var/db/mounttab for srv.example.local:/tank/storage
    nfsv4 err=10016
    mount_nfs: /mnt/srv, : Input/output error

    $ klist
    Credentials cache: FILE:/tmp/krb5cc_1001
            Principal: user@EXAMPLE.LOCAL
    
      Issued           Expires          Principal
    Feb  2 21:15:36  Feb  3 07:15:33  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
    Feb  2 21:15:43  Feb  3 07:15:33  nfs/srv.example.local@EXAMPLE.LOCAL

Note: the mount works without Kerberos if I add "sys" to the "sec"
option on both lines of /etc/exports, and ownership works too. I
therefore think that NFSv4 itself works; NFSv3 works too. However, I
have no idea why they don't work with Kerberos.

Note: With and without a kerberos ticket, the result when using nfsv3
is:

    $ mount -t nfs -o nfsv3,soft,sec=krb5i srv.example.local:/tank/storage /mnt/srv
    mount_nfs: can't update /var/db/mounttab for srv.example.local:/tank/storage

    $ ls /mnt/srv
    ls: /mnt/srv: Permission denied

Is there an easy way to get it working? Am I doing something wrong?

PS: Please CC me, since I am not subscribed.

1: http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

Regards,
Momchil


