NFS + Kerberos

Momchil Ivanov momchil at xaxo.eu
Fri Feb 22 01:03:11 UTC 2013


At Thu, 21 Feb 2013 18:17:56 -0500 (EST),
Rick Macklem wrote:
> Error 10016 is NFS4ERR_WRONGSEC. This means that the server expects a
> different security flavour (sys maybe) at some point in the mount.

btw you have a typo, it's NFSERR_WRONGSEC. The problem is that I think
it would be hard for me to find the piece of code that issues it in my
case, so that I can understand why. Unfortunately, I am not familiar
with NFS and the kernel internals... and since there are a number of
places where it can be generated [1] and the machine that I am using
as an NFS server is rather slow in compiling world... it would be hard
for me to instrument the code...

> I can't remember if you posted your /etc/exports file before, but
> I suspect the file system referred to by the root specified in the V4:
> line isn't allowing krb5i. For example, if you wanted to mount the
> file system rooted at /home by the above, you would need the following
> 2 lines in /etc/exports.
> 
> /home -sec=krb5i <host-or-network>
> V4: /home -sec=krb5i

here is my /etc/exports:

V4: /tank/storage -sec=krb5i:krb5p
/tank/storage -sec=krb5i:krb5p

> You can list other security flavours for -sec, but krb5i needs to be
> one of them.
> 
> rick
> ps: Don't worry about the "can't update /var/db/mounttab". It is
>     basically harmless and can be fixed by allowing the user doing
>     the mount write access to it. If you don't do that, then the
>     mount will still work ok, it will just generate the message.

I know this :)

btw I have Kerberos working with sshd on the same machine, so I think
I have managed to set it up correctly... but the NFS server doesn't
want to work with Kerberos.. the changes you suggested were in the
right direction, since I can now see TGS-REQ lines in the KDC log, but
there might still be some bugs here, or I am doing something wrong...

Ideas are welcome :) I would be happy to get it working.

1: http://fxr.watson.org/fxr/ident?v=FREEBSD9;i=NFSERR_WRONGSEC

Thank you,
Momchil
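
An added example, not part of the thread and not FreeBSD code: a small Python check that reads exports-style text and lists which lines covering a path do not offer a requested `-sec` flavour, which is the mismatch described above as the cause of NFS4ERR_WRONGSEC. The function names and the `/home` sample are hypothetical; backslash continuations and host/network restrictions are ignored, and a line without `-sec` is treated as offering only `sys`, the exports(5) default.

```python
# Added example: which /etc/exports lines do not offer a given -sec flavour.
# Simplifications (assumptions): no backslash continuations, host/network
# restrictions ignored, path coverage decided by prefix match only.

def parse_exports(text):
    """Return (is_v4_root, paths, flavours) for each non-empty exports line."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        is_v4_root = tokens[0] == "V4:"
        if is_v4_root:
            tokens = tokens[1:]
        paths = [t for t in tokens if t.startswith("/")]
        flavours = ["sys"]  # exports(5) default when the line has no -sec
        for t in tokens:
            if t.startswith("-sec="):
                flavours = t[len("-sec="):].split(":")
        entries.append((is_v4_root, paths, flavours))
    return entries


def lines_missing_flavour(text, mount_path, flavour):
    """Return (kind, path, flavours) for lines covering mount_path without flavour."""
    problems = []
    for is_v4_root, paths, flavours in parse_exports(text):
        covers = any(mount_path == p or mount_path.startswith(p.rstrip("/") + "/")
                     for p in paths)
        if covers and flavour not in flavours:
            kind = "V4 root" if is_v4_root else "export"
            problems.append((kind, paths[0], flavours))
    return problems


# The exports file quoted in the message above.
POSTED = "V4: /tank/storage -sec=krb5i:krb5p\n/tank/storage -sec=krb5i:krb5p\n"
# Constructed sample: the export line allows krb5i, the V4: root line does not.
CONSTRUCTED = "/home -sec=krb5i -network 192.0.2.0/24\nV4: /home\n"

if __name__ == "__main__":
    for name, text, path in (("posted", POSTED, "/tank/storage"),
                             ("constructed", CONSTRUCTED, "/home")):
        for flavour in ("sys", "krb5i"):
            print(name, flavour, lines_missing_flavour(text, path, flavour))
```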

