mountd segfaults in NFSv4 if -alldirs is present in exports

Rick Macklem rmacklem at uoguelph.ca
Fri Feb 19 21:35:51 UTC 2010



On Fri, 19 Feb 2010, George Mamalakis wrote:

>
> question 1)
>
> I want to export my /export directory with -sec=krb5 to my clients, and the 
> configuration of my server and client is respectively as follows:
>
> - server:
> /etc/exports:
> V4: / -sec=krb5
> /export

You need "-sec=krb5" on the /export line as well. For example:
V4: / -sec=krb5
/export -sec=krb5

>
> /etc/rc.conf
> rpcbind_enable="YES"
> mountd_flags="-e"
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfsuserd_enable="YES"
> gssd_enable="YES"
>
> KERNEL:
> options         NFSD
> options         KGSSAPI
> device          crypto
>
> -client:
> rc.conf:
> gssd_enable="YES"
> nfsuserd_enable="YES"
> nfsclient_enable="YES"
> rpcbind_enable="YES"
> nfs_client_flags="-n 4"
> rpc_statd_enable="YES"
> rpc_lockd_enable="YES"
>
> KERNEL:
> options         KGSSAPI
> device          crypto
>

all the above looks ok, at a glance.

> As I said, heimdal seems to work fine, all keytabs are where they should be, 
> and I don't know how to mount the partition to my client. When I run:
>
> [root@fbsdclient ~]# mount_newnfs -onfsv4,sec=krb5 filesrv.ee.auth.gr:/export /mnt
> nfsv4 err=10016
> mount_newnfs: /mnt, : Input/output error
>

Unless you have applied the experimental patch that allows host based
client side credentials, mounting as root isn't going to work.
Have you looked at:
 	http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup

You basically have to do the mount as a non-root user after that user
has acquired a valid TGT.

> An I/O error I receive if I use opensolaris as a client. The kdc.log shows 
> that the clients request the nfs server's ticket (2010-02-19T19:56:29 TGS-REQ 
> mamalos@EE.AUTH.GR from IPv4:192.168.100.11 for 
> nfs/filesrv.ee.auth.gr@EE.AUTH.GR), so things should be working that far, but 
> then they refuse to mount the partition.
>
> If I export the partition with sec=sys and try to mount it with sec=sys, it 
> works fine.
>

On the server, do you have a keytab entry for
    nfs/filesrv.ee.auth.gr@EE.AUTH.GR
in its default keytab file (/etc/krb5.keytab) with encryption type
des-crc-cbc?

> question 2)
> At the end of nfsv4(4) man page (in the BUGS section) it states:
>
> "At this time, there is no recall of delegations for local file system
> operations.  As such, delegations should only be enabled for file systems
> that are being used soley as NFS export volumes and are not being
> accessed via local system calls nor services such as Samba."
>
> Does this mean that if I manage to export my /home filesystem eventually, and 
> my mailserver copies the emails to my users' maildirs (located in their home 
> folder), or through another nfs mount, or a user is connected to his/her 
> account both through nfsv4 and samba, then there will be a serious problem?
>

Potential problem if you enable delegations. I think they're disabled by
default. (do a "sysctl -a | grep newnfs" and look at them)

> Should I setup the nfs server in solaris and use bsd/linux nfs4 clients 
> instead, to be sure that I will have no corrupted filesystems, etc? Have you 
> tried mounting solaris-nfsv4 exported filesystems with the fbsd nfsclient and 
> sec>=krb5?
>
I do quite a bit of testing against Solaris10, so I wouldn't expect a
problem if you use a Solaris server and fbsd8 client.

Good luck with it, rick
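
An added example (not part of the original message or of FreeBSD): a small Python check for the exports mismatch pointed out in the reply above, where the V4: line carries -sec=krb5 but the /export line does not. The function names and sample inputs are constructed for illustration; it assumes the exports(5) default of sec=sys when no -sec option is given and does not handle backslash-continued lines.

```python
# Added example: audit FreeBSD exports(5) text for -sec flavors that do not
# match the "V4:" root line. Sample inputs below are constructed.

def sec_flavors(options):
    """Flavors named by a -sec= option; assumed default is sys when absent."""
    for opt in options:
        if opt.startswith("-sec="):
            return set(opt[len("-sec="):].split(":"))
    return {"sys"}

def audit_exports(text):
    """Return (line, path, missing_flavors, allows_sys) per mismatched export."""
    v4_flavors, exports = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, split fields
        if not tokens:
            continue
        if tokens[0] == "V4:":
            v4_flavors = sec_flavors(tokens[1:])
        elif tokens[0].startswith("/"):
            # Only the first directory on the line is reported.
            exports.append((lineno, tokens[0], sec_flavors(tokens[1:])))
    if v4_flavors is None:
        return []                                # no NFSv4 root line to compare
    findings = []
    for lineno, path, flavors in exports:
        # Flavors the V4: line requires that this export line does not offer.
        missing = sorted(v4_flavors - flavors)
        # True when the export still accepts AUTH_SYS although V4: does not.
        allows_sys = "sys" in flavors and "sys" not in v4_flavors
        if missing or allows_sys:
            findings.append((lineno, path, missing, allows_sys))
    return findings

# Constructed from the two configurations quoted in this message.
AS_POSTED = "V4: / -sec=krb5\n/export\n"
AS_CORRECTED = "V4: / -sec=krb5\n/export -sec=krb5\n"

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("as corrected", AS_CORRECTED)):
        findings = audit_exports(text)
        print(name, "->", findings or "consistent")
```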


