Unable to mount kerberized NFS share on Linux from FreeBSD 10.1 box
Rick Macklem
rmacklem at uoguelph.ca
Mon Feb 9 23:24:11 UTC 2015
Sascha Frey wrote:
> Hi list,
>
> I'm trying to set up a NFS file server for our Linux clients using
> FreeBSD 10.1.
>
> Mounting the NFS filesystem exported from the FreeBSD box works well
> if using sec=sys, but doesn't work with sec=krb5.
>
> I get 'access denied' on the Linux client (tried both Debian Jessie and
> Ubuntu 14.04):
>
> root@penny:~# mount -t nfs -o vers=4,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
> root@penny:~# mount -t nfs -o vers=3,sec=krb5 leonard.fs.cit-ec.net:/export/homes/sfrey /mnt
> mount.nfs: access denied by server while mounting leonard.fs.cit-ec.net:/export/homes/sfrey
>
> Mounting kerberized NFS mounts from our other (Linux based) file servers
> is possible without having any problems.
>
> Connectivity to the KDC seems to be OK:
> [root@leonard ~]# kinit -k nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
> [root@leonard ~]# klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>
> Issued                Expires               Principal
> Feb 9 17:51:58 2015   Feb 10 03:51:59 2015  krbtgt/TECHFAK.UNI-BIELEFELD.DE@TECHFAK.UNI-BIELEFELD.DE
>
> I found only one error message in /var/log/messages:
> nfsd: can't register svc name
>
Well, this message indicates it isn't going to work.
(This message means the nfsd couldn't register with the gssd daemon,
so kerberized NFS won't work.) It is generated when the nfsd is
started.

The most common cause would be the gssd daemon not running when the
nfsd daemon is started. If the gssd was running when the nfsd was started
and this message is logged, there is a debug option on gssd that makes
it chatty and that might indicate why it is failing.

Also, there is this wiki. It is somewhat out of date, but I don't think
anything has changed w.r.t. the server side. (I'm not sure what the
current status is w.r.t. keytab entries encrypted in newer ways than
des-cbc-crc is.)
https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

Good luck with it, rick
>
> Any idea what may be wrong?
>
> Cheers,
> Sascha
>
> The configuration files on the server:
>
> /etc/exports:
> V4: / -sec=sys:krb5:krb5i:krb5p
> /export/homes/sfrey -sec=sys:krb5 penny.fs.cit-ec.net
>
> /etc/rc.conf:
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfs_server_flags="-u -t -n 6"
> nfsuserd_enable="YES"
> nfsuserd_flags="-domain TechFak.Uni-Bielefeld.DE"
> mountd_enable="YES"
> mountd_flags="-r"
> gssd_enable="YES"
> gssd_flags="-v"
>
> /etc/krb5.conf:
> [libdefaults]
> default_keytab_name = /etc/krb5.keytab
> default_realm = TECHFAK.UNI-BIELEFELD.DE
> allow_weak_crypto = true
>
> [realms]
> TECHFAK.UNI-BIELEFELD.DE = {
>     default_domain = techfak.uni-bielefeld.de
> }
>
> [domain_realm]
> .techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.DE
> techfak.uni-bielefeld.de = TECHFAK.UNI-BIELEFELD.D
>
>
> /etc/krb5.keytab:
> [root@leonard ~]# ktutil list
> /etc/krb5.keytab:
>
> Vno  Type           Principal                                             Aliases
>   2  des-cbc-crc    nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  nfs/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  host/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des-cbc-crc    root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
>   2  des3-cbc-sha1  root/leonard.fs.cit-ec.net@TECHFAK.UNI-BIELEFELD.DE
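
The check order described in the reply above (is the registration error logged, is gssd enabled, is gssd up), written out as a shell script. This is an added example, not part of the original message or of FreeBSD; the function names and finding codes are hypothetical, and the sample rc.conf and log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage of the nfsd/gssd registration error.
# File paths and the gssd state are parameters so the logic also runs on copies.

# rc_value FILE VAR: print the last value assigned to VAR in an rc.conf-style file.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# is_yes VALUE: true for the spellings rc.subr treats as enabled.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# triage RCCONF MESSAGES RUNNING(yes|no): print one finding code (hypothetical names).
triage() {
    if ! grep -q "nfsd: can't register svc name" "$2"; then
        echo NO_REGISTRATION_ERROR
    elif ! is_yes "$(rc_value "$1" gssd_enable)"; then
        echo GSSD_NOT_ENABLED              # nfsd started with no gssd to register with
    elif [ "$3" != yes ]; then
        echo GSSD_ENABLED_NOT_RUNNING      # enabled in rc.conf but the daemon is not up
    else
        echo RESTART_NFSD_THEN_DEBUG_GSSD  # gssd is up now: restart nfsd, then use gssd's debug option
    fi
}

# demo CASE: run triage on constructed sample files (not captured from a real host).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'nfs_server_enable="YES"' 'gssd_enable="NO"' > "$d/rc.off"
    printf '%s\n' 'nfs_server_enable="YES"' 'gssd_enable="YES"' 'gssd_flags="-v"' > "$d/rc.on"
    echo "Feb  9 17:40:01 leonard kernel: nfsd: can't register svc name" > "$d/messages"
    : > "$d/clean"
    case "$1" in
        disabled) triage "$d/rc.off" "$d/messages" no ;;
        stopped)  triage "$d/rc.on"  "$d/messages" no ;;
        running)  triage "$d/rc.on"  "$d/messages" yes ;;
        clean)    triage "$d/rc.on"  "$d/clean"    yes ;;
    esac
    rm -rf "$d"
}

# On the server itself:
#   triage /etc/rc.conf /var/log/messages "$(pgrep -x gssd >/dev/null && echo yes || echo no)"
```

Because the message is logged when nfsd starts, a `RESTART_NFSD_THEN_DEBUG_GSSD` result means nfsd has to be restarted with gssd already running before the log is checked again.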