NFS + Kerberos
Momchil Ivanov
momchil at xaxo.eu
Fri Feb 22 18:43:51 UTC 2013
At Thu, 21 Feb 2013 21:45:59 -0500 (EST),
Rick Macklem wrote:
>
> Momchil Ivanov wrote:
> > At Thu, 21 Feb 2013 18:17:56 -0500 (EST),
> > Rick Macklem wrote:
> > > Error 10016 is NFS4ERR_WRONGSEC. This means that the server expects a
> > > different security flavour (sys maybe) at some point in the mount.
> >
> > btw you have a typo, it's NFSERR_WRONGSEC.
> Actually, it's called NFS4ERR_WRONGSEC in the RFC and NFSERR_WRONGSEC in
> the NFS sources, just to try and confuse you;-)
ok :)
> Just as an experiment, you could try adding "sys" to the -sec list
> for both lines. If the mount works then, it would tell you that the
> client isn't successfully getting a Kerberos credential and is
> falling back to using "sys" (called AUTH_SYS in the RFCs, just for
> further confusion;-).
I can mount with the following /etc/exports file:
V4: /tank/storage -sec=sys:krb5i:krb5p
/tank/storage -sec=sys:krb5i:krb5p
and the command:
mount -t nfs -o nfsv4,sec=sys srv.example.local:/ /mnt/srv
and without a Kerberos ticket I can also mount with:
mount -t nfs -o nfsv4,sec=krb5i srv.example.local:/ /mnt/srv
mount -t nfs -o nfsv4,sec=krb5p srv.example.local:/ /mnt/srv
so it falls back to sys...
...
> Check to see what the user's credential cache file is called.
> If you "ls -l /tmp" you should be able to find it.
>
> If it isn't called /tmp/krb5cc_<uid>, where <uid> is the uid for
> the user, then you will need the recent patch applied to the gssd.c
> that adds a "-s" option to search for the credential cache file in a list of
> directories. This patch is in head as r244604 and stable/9 as
> r245089, but not in any release. (Some sshds generate separate
> credential cache files for each login session, although not the
> default one in the system, as far as I understand.)
On the client machine with FreeBSD 8.2-STABLE as of around Dec 2011,
the file exists and is /tmp/krb5cc_1001, where 1001 is the uid of the
user that I am using to mount the NFS file system.
I have also tried to mount the file system from the server (FreeBSD
9.1) on the server itself using the same commands. I do get the
nfs/srv.example.local@EXAMPLE.LOCAL ticket, but it dies with the same
error:
nfsv4 err=10016
mount_nfs: /mnt/srv, : Input/output error
Is there some way I can get verbose output from nfsd or gssd that
tells me why it is failing, or do you have any other ideas :) ?
Thank you,
Momchil
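
Added example, not part of the original message and not FreeBSD project code: a shell check over an exports file in the format shown in the message, listing every line that still accepts the sys flavour, either because sys is in its -sec list or because the line has no -sec option (exports(5) then defaults to sys). The sample contents and the /tank/secure and /tank/legacy paths are constructed; options are assumed to be whitespace-separated with no continuation lines.

```shell
#!/bin/sh
# audit_exports FILE
# Prints "<lineno>:<reason>:<line>" for each export line that accepts AUTH_SYS.
#   sys-listed  : "sys" appears in the -sec= flavour list
#   default-sys : no -sec= option, so the default list of just "sys" applies
# Assumption: whitespace-separated options, no backslash continuation lines.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        sec = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^-sec=/) sec = substr($i, 6)
        if (sec == "") { print NR ":default-sys:" $0; next }
        n = split(sec, fl, ":")
        for (j = 1; j <= n; j++)
            if (fl[j] == "sys") { print NR ":sys-listed:" $0; next }
    }' "$1"
}

# Constructed sample: the first two export lines are the ones quoted in the
# message, the last two are hypothetical lines added for contrast.
sample_exports() {
    cat <<'EOF'
# constructed sample exports file
V4: /tank/storage -sec=sys:krb5i:krb5p
/tank/storage -sec=sys:krb5i:krb5p
/tank/secure -sec=krb5i:krb5p
/tank/legacy -maproot=root
EOF
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
sample_exports > "$tmp"
audit_exports "$tmp"
rm -f "$tmp"
```

A line that lists only krb5, krb5i or krb5p produces no output, so an empty result means no export in the file accepts AUTH_SYS.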