NFS + Kerberos

Rick Macklem rmacklem at uoguelph.ca
Sat Feb 23 00:04:24 UTC 2013


Momchil Ivanov wrote:
> At Thu, 21 Feb 2013 21:45:59 -0500 (EST),
> Rick Macklem wrote:
> >
> > Momchil Ivanov wrote:
> > > At Thu, 21 Feb 2013 18:17:56 -0500 (EST),
> > > Rick Macklem wrote:
> > > > Error 10016 is NFS4ERR_WRONGSEC. This means that the server
> > > > expects a different security flavour (sys maybe) at some point
> > > > in the mount.
> > >
> > > btw you have a typo, it's NFSERR_WRONGSEC.
> > Actually, it's called NFS4ERR_WRONGSEC in the RFC and
> > NFSERR_WRONGSEC in the NFS sources, just to try and confuse you;-)
> 
> ok :)
> 
> > Just as an experiment, you could try adding "sys" to the -sec list
> > for both lines. If the mount works then, it would tell you that the
> > client isn't successfully getting a Kerberos credential and is
> > falling back to using "sys" (called AUTH_SYS in the RFCs, just for
> > further confusion;-).
> 
> I can mount with the following /etc/exports file:
> 
> V4: /tank/storage -sec=sys:krb5i:krb5p
> /tank/storage -sec=sys:krb5i:krb5p
> 
> and the command:
> 
> mount -t nfs -o nfsv4,sec=sys srv.example.local:/ /mnt/srv
> 
> and without a kerberos ticket I can also mount with:
> 
> mount -t nfs -o nfsv4,sec=krb5i srv.example.local:/ /mnt/srv
> mount -t nfs -o nfsv4,sec=krb5p srv.example.local:/ /mnt/srv
> 
> so it falls back to sys...
> 
> ...
> 
> > Check to see what the user's credential cache file is called.
> > If you "ls -l /tmp" you should be able to find it.
> >
> > If it isn't called /tmp/krb5cc_<uid>, where <uid> is the uid for
> > the user, then you will need the recent patch applied to the gssd.c
> > that adds a "-s" option to search for the credential cache file in a
> > list of directories. This patch is in head as r244604 and stable/9 as
> > r245089, but not in any release. (Some sshds generate separate
> > credential cache files for each login session, although not the
> > default one in the system, as far as I understand.)
> 
> on the client machine with FreeBSD 8.2-STABLE as of around Dec 2011,
> the file exists and is /tmp/krb5cc_1001, where 1001 is the uid of the
> user that I am using to mount the nfs file system.
> 
Ok, so you don't need the "-s" option for the gssd.

> I have also tried to mount the file system from the server (FreeBSD
> 9.1) on the server itself using the same commands, I do get the
> nfs/srv.example.local@EXAMPLE.LOCAL ticket, but it dies with the same
> error:
> 
> nfsv4 err=10016
> mount_nfs: /mnt/srv, : Input/output error
> 
> is there some way I can get verbose output from nfsd or gssd that
> tells me why it is failing, or do you have any other ideas :) ?
> 
You can run "gssd -d -d" and it will run in foreground and print
out messages related to resource allocation. This isn't much use,
except to tell you that it is doing something. (Adding a "verbose"
option is on my "to do" list, but I don't have any code at this time.
If someone wants to do this, I think it would be great.)

If you do this, don't have it started at boot (gssd_enable="NO" in
/etc/rc.conf) and then do the above command as root in a window
before attempting the mount command.

Beyond that, you could add printfs to gssd.c. The main client side
function is gssd_init_sec_context(), which should get the Kerberos
ticket for a user via their TGT.

I've added Elias to the cc list, since he just went through this
and might be able to help.

rick

> Thank you,
> Momchil
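An added example in POSIX sh (not code from the thread or from FreeBSD) that checks the two points raised above: whether an exports line's -sec= list includes sys, so a client whose gssd finds no Kerberos credential silently falls back to AUTH_SYS as Momchil observed, and whether a credential cache sits at /tmp/krb5cc_<uid>, the only place gssd looks without the -s option. The sample exports content is constructed; the "no -sec means sys" line assumes the exports(5) default.

```shell
# Added diagnostic helpers (not from the thread). Checks: an exports -sec=
# list containing "sys" lets a ticketless client fall back to AUTH_SYS, and
# gssd without -s only looks for /tmp/krb5cc_<uid>.

# Print the -sec= flavour list of one exports(5) line, e.g. "sys:krb5i:krb5p".
exports_sec_list() {
    printf '%s\n' "$1" | sed -n 's/.*-sec=\([A-Za-z0-9:]*\).*/\1/p'
}

# True (0) if the colon-separated flavour list contains "sys" (AUTH_SYS).
sec_allows_sys() {
    case ":$1:" in
        *:sys:*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Credential cache path the unpatched gssd expects for a given uid.
default_ccache_path() {
    printf '/tmp/krb5cc_%s\n' "$1"
}

# True (0) if a cache name (KRB5CCNAME style, optional FILE: prefix) is the
# one gssd will find for that uid.
ccache_is_default() {
    [ "${2#FILE:}" = "$(default_ccache_path "$1")" ]
}

# Report, per export line, whether it permits a silent fallback to sys.
audit_exports() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        secs=$(exports_sec_list "$line")
        if [ -z "$secs" ]; then
            printf 'NO -sec (defaults to sys): %s\n' "$line"
        elif sec_allows_sys "$secs"; then
            printf 'ALLOWS sys fallback:       %s\n' "$line"
        else
            printf 'Kerberos only:             %s\n' "$line"
        fi
    done < "$1"
}

# Constructed sample exports file, mirroring the lines from the thread.
SAMPLE=$(mktemp)
printf '%s\n' 'V4: /tank/storage -sec=sys:krb5i:krb5p' \
    '/tank/storage -sec=sys:krb5i:krb5p' '/tank/backup -sec=krb5p' > "$SAMPLE"
audit_exports "$SAMPLE"
rm -f "$SAMPLE"
```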