NFS + Kerberos

Rick Macklem rmacklem at uoguelph.ca
Fri Feb 22 02:46:01 UTC 2013


Momchil Ivanov wrote:
> At Thu, 21 Feb 2013 18:17:56 -0500 (EST),
> Rick Macklem wrote:
> > Error 10016 is NFS4ERR_WRONGSEC. This means that the server expects
> > a different security flavour (sys maybe) at some point in the mount.
> 
> btw you have a typo, it's NFSERR_WRONGSEC.
Actually, it's called NFS4ERR_WRONGSEC in the RFC and NFSERR_WRONGSEC in
the NFS sources, just to try and confuse you;-)

> The problem is that I think
> it would be hard for me to find the piece of code that issues it in my
> case, so that I can understand why. Unfortunately, I am not familiar
> with NFS and the kernel internals... and since there are a number of
> places where it can be generated [1] and the machine that I am using
> as a NFS server, is rather slow in compiling world... it would be hard
> for me to instrument the code...
> 
> > I can't remember if you posted your /etc/exports file before, but
> > I suspect the file system referred by the root specified in the V4:
> > line isn't allowing krb5i. For example, if you wanted to mount the
> > file system rooted at /home by the above, you would need the
> > following
> > 2 lines in /etc/exports.
> >
> > /home -sec=krb5i <host-or-network>
> > V4: /home -sec=krb5i
> 
> here is my /etc/exports:
> 
> V4: /tank/storage -sec=krb5i:krb5p
> /tank/storage -sec=krb5i:krb5p
> 
Just as an experiment, you could try adding "sys" to the -sec list
for both lines. If the mount works then, it would tell you that the
client isn't successfully getting a Kerberos credential and is
falling back to using "sys" (called AUTH_SYS in the RFCs, just for
further confusion;-).

> > You can list other security flavours for -sec, but krb5i needs to be
> > one of them.
> >
> > rick
> > ps: Don't worry about the "can't update /var/db/mounttab". It is
> >     basically harmless and can be fixed by allowing the user doing
> >     the mount write access to it. If you don't do that, then the
> >     mount will still work ok, it will just generate the message.
> 
> I know this :)
> 
> btw I have Kerberos working with sshd on the same machine, so I think
> I have managed to set it up correctly... but the NFS server doesn't
> want to work with Kerberos.. the changes you suggested were in the
> right direction, since I can now see TGS-REQ lines in the KDC log, but
> there might still be some bugs here, or I am doing something wrong...
> 
> Ideas are welcomed :) I would be happy to get it working.
> 
Check to see what the user's credential cache file is called.
If you "ls -l /tmp" you should be able to find it.

If it isn't called /tmp/krb5cc_<uid>, where <uid> is the uid for
the user, then you will need the recent patch applied to the gssd.c
that adds a "-s" option to search for the credential cache file in a list of
directories. This patch is in head as r244604 and stable/9 as
r245089, but not in any release. (Some sshds generate separate
credential cache files for each login session, although not the
default one in the system, as far as I understand.)

rick

> 1: http://fxr.watson.org/fxr/ident?v=FREEBSD9;i=NFSERR_WRONGSEC
> 
> Thank you,
> Momchil
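The two checks Rick asks for above, as an added example that is not code from the thread or from FreeBSD: a POSIX sh script that (1) verifies a given flavour (krb5i here) is listed on both the "V4:" root line and the export line of an exports(5)-style file, which is the combination the reply says is needed to avoid NFS4ERR_WRONGSEC, and (2) looks for a user's credential cache under the default /tmp/krb5cc_<uid> name or an sshd-style per-session /tmp/krb5cc_<uid>_* name, the case the reply says needs the gssd "-s" option. The function names, the sample exports text and the cache file names are constructed for the example; it assumes the exports(5) rule that a line without -sec defaults to sys and that there is one V4: line.

```shell
#!/bin/sh
# Added example, not from the thread or FreeBSD: diagnostic helpers for the
# two things the reply above asks the poster to check.  The exports content
# and credential cache names in the demo at the bottom are constructed data.

# Print the colon-separated -sec list for the first export line of path $2
# in exports file $1.  With $3 = "V4:" the V4 root line is examined instead
# (its path is not compared, since exports(5) allows only one V4: line).
# A line without -sec prints "sys", the exports(5) default.
sec_list() {
    awk -v want="$2" -v pre="$3" '
        $1 ~ /^#/ || NF == 0 { next }
        pre != "" && $1 != pre { next }
        pre == "" && ($1 == "V4:" || $1 != want) { next }
        {
            i = (pre != "") ? 2 : 1
            for (j = i + 1; j <= NF; j++)
                if (substr($j, 1, 5) == "-sec=") { print substr($j, 6); exit }
            print "sys"
            exit
        }' "$1"
}

# True when flavour $2 appears in the colon-separated list $1.
has_flavor() {
    case ":$1:" in *":$2:"*) return 0 ;; *) return 1 ;; esac
}

# Return 0 when both the V4: line and the export of path $2 in file $1 allow
# flavour $3; otherwise say which line would answer WRONGSEC and return 1.
check_exports() {
    v4=$(sec_list "$1" "$2" "V4:")
    ex=$(sec_list "$1" "$2" "")
    if ! has_flavor "$v4" "$3"; then
        echo "WRONGSEC on V4: root line: allows '${v4:-nothing (no V4: line)}', not $3"
        return 1
    fi
    if ! has_flavor "$ex" "$3"; then
        echo "WRONGSEC on export of $2: allows '${ex:-nothing (not exported)}', not $3"
        return 1
    fi
    echo "ok: $3 accepted on both the V4: line and the $2 export"
}

# Look in directory $1 (normally /tmp) for uid $2's Kerberos credential cache.
# Prints "default <file>" for the name gssd expects, "session <file>" for an
# sshd-style per-session cache (needs gssd -s), or "none" with status 1.
find_ccache() {
    if [ -f "$1/krb5cc_$2" ]; then
        echo "default $1/krb5cc_$2"; return 0
    fi
    for f in "$1/krb5cc_$2"_*; do
        if [ -f "$f" ]; then echo "session $f"; return 0; fi
    done
    echo none; return 1
}

# Demo on constructed data: the poster's exports, and a per-session cache.
demo_dir=$(mktemp -d) || exit 1
cat > "$demo_dir/exports" <<'EOF'
V4: /tank/storage -sec=krb5i:krb5p
/tank/storage -sec=krb5i:krb5p
EOF
check_exports "$demo_dir/exports" /tank/storage krb5i
check_exports "$demo_dir/exports" /tank/storage sys   # a client that fell back to sys is refused
: > "$demo_dir/krb5cc_1001_abc123"                     # what a per-session sshd leaves behind
find_ccache "$demo_dir" 1001
rm -rf "$demo_dir"
```

Running `check_exports` against the poster's two lines with krb5i passes, so the exports file itself is not what returns WRONGSEC; with sys it fails, which is exactly the refusal a client gets when it silently falls back from Kerberos to AUTH_SYS. That points the investigation at the credential cache, which `find_ccache` reports as "session" when only a /tmp/krb5cc_<uid>_* file exists.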
