Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box

Benjamin Kaduk kaduk at MIT.EDU
Tue Feb 10 19:32:09 UTC 2015 

On Tue, 10 Feb 2015, Sascha Frey wrote:

> Rick Macklem wrote:
>
> [...]
> >> I found only one error message in /var/log/messages:
> >> nfsd: can't register svc name
> >>
> >Well, this message indicates it isn't going to work.
> >(This message means the nfsd couldn't register with the gssd daemon,
> > so kerberized NFS won't work.) It is generated when the nfsd is
> >started.
> >
> >The most common cause would be the gssd daemon not running when the
> >nfsd daemon is started. If the gssd was running when the nfsd was started
> >and this message is logged, there is a debug option on gssd that makes
> >it chatty and that might indicate why it is failing.
>
> gssd was running before nfsd was started.
> This message does not appear if nfsd starts without gssd running,
> but it does appear as soon as gssd is started (if nfsd is already running).
>
> I started gssd in foreground mode (via gssd -d -v)
> These messages appear when I start nfsd:
> gssd_import_name: done major=0x0 minor=0
> gssd_acquire_cred: done major=0x70000 minor=0
> gssd_release_name: done major=0x0 minor=0
> gssd_import_name: done major=0x0 minor=0
> gssd_acquire_cred: done major=0x70000 minor=0
> gssd_release_name: done major=0x0 minor=0
> gssd_import_name: done major=0x0 minor=0
> gssd_acquire_cred: done major=0x70000 minor=0
> gssd_release_name: done major=0x0 minor=0

0x70000 is GSS_S_NO_CRED.

Maybe you could truss or similar to find out what name it's trying to
acquire credentials for?

-Ben

> No log output when trying to mount NFS share on the Linux machine.
>
>
> I tried to mount it on the server itself. I'm able
> to mount, but I can't access any files...
>
> [root at leonard ~]# mount -o sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> [root at leonard ~]# su - sfrey
> [sfrey at leonard ~]$ kinit
> sfrey at TECHFAK.UNI-BIELEFELD.DE's Password:
> [sfrey at leonard ~]$ ls -lad /mnt
> ls: /mnt: Permission denied
> [sfrey at leonard ~]$ klist
> Credentials cache: FILE:/tmp/krb5cc_21036
>         Principal: sfrey at TECHFAK.UNI-BIELEFELD.DE
>
>   Issued                Expires               Principal
> Feb 10 08:54:31 2015  Feb 10 18:54:39 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE at TECHFAK.UNI-BIELEFELD.DE
> Feb 10 08:54:36 2015  Feb 10 18:54:39 2015  nfs/leonard.fs.cit-ec.net at TECHFAK.UNI-BIELEFELD.DE
>
> >
> >Also, there is this wiki. It is somewhat out of date, but I don't think
> >anything has changed w.r.t. the server side. (I'm not sure what the
> >current status is w.r.t. keytab entries encrypted in newer ways than
> >des-cbc-crc is.)
> >https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
>
> I'll take a look into it. Maybe I missed something.
>
>
>
>
> Cheers,
> Sascha
> _______________________________________________
> freebsd-fs at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe at freebsd.org"
>

More information about the freebsd-fs mailing list