kerberized NFS

Rick Macklem rmacklem at uoguelph.ca
Sat Jan 28 00:06:59 UTC 2012


Yuri Pankov wrote:
> On Fri, Jan 27, 2012 at 06:58:47PM +0100, Giulio Ferro wrote:
> > I'm trying to set up a kerberized NFS system made of a server and a
> > client (both freebsd 9 amd64 stable)
> >
> > I've tried to follow this howto:
> > http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
> >
> > But couldn't get much out of it.
> >
> > First question : is this howto still valid or something more recent
> > should be followed? I've searched with Google but I've come up
> > empty.
> >
> > I've set up kerberos heimdal, created the dns entries for both
> > client and server, set up krb5.keytab and copied it to client, set
> > up nfs4 according to man nfsv4:
> >
> > (server)
> > cat /etc/exports
> > V4: /usr/src -sec=krb5:krb5i:krb5p
> >
> > and then tried to mount it from the client:
> >
> > mount_nfs -o ntfsv4,sec=krb5i,gssname=nfs
> > nfsinternal1.dcssrl.it:/usr/src /usr/src
> >
> > but it failed with :
> > [tcp] nfsinternal1.dcssrl.it:/usr/src: Permission denied
> >
> > Can you point me to something that I might have got wrong?
> 
> Not really related to Kerberos question, but.. Some problems here:
> - ntfsv4 - probably a typo
> - more serious one - V4: line specifies the ROOT of NFSv4 exported FS
> - nfsinternal1.dcssrl.it:/usr/src points to /usr/src/usr/src.
> 
> What your /etc/exports could look like (the way it works for me, doesn't
> mean that it's correct though):
> 
> /usr/src <options> <v3hosts>
> V4: / -sec=krb5:krb5i:krb5p <v4hosts>
> 
Yes. If you specify "/", then the tree starts at the root. The main
problem with doing this is that, for ZFS, you then have to export
all file systems from "/" down to where you want to mount. (Again,
these are done by export lines separate from the "V4:" line.)

If you specify:
V4: /usr/src -sec=krb5:krb5i:krb5p
/usr/src -sec=krb5:krb5i:krb5p <host(s) or subnet>

then the client mounts /usr/src via:
% mount -t nfs -o nfsv4,sec=krb5i server:/ /mntpoint

rick

> 
> Yuri
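
Added example, not part of the original thread and not FreeBSD code: Python that resolves which server directory a client's server:/path names under a given "V4:" line and, following Rick's ZFS remark, lists the file systems on the way that have no export line of their own. The exports text, the host name client.example.org and the ZFS mount points are constructed, and the function names are hypothetical.

```python
import posixpath

# Constructed exports(5) samples in the two layouts discussed in the thread.
EXPORTS_SUBTREE = """\
V4: /usr/src -sec=krb5:krb5i:krb5p
/usr/src -sec=krb5:krb5i:krb5p client.example.org
"""
EXPORTS_ROOT = """\
/usr/src -sec=krb5:krb5i:krb5p client.example.org
V4: / -sec=krb5:krb5i:krb5p
"""
# Constructed list of ZFS mount points on the server (an assumption).
ZFS_FILESYSTEMS = ["/", "/usr", "/usr/src"]

def parse_exports(text):
    """Return (v4_root, set of exported directories) from exports(5) text."""
    v4_root, exported = None, set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "V4:":
            v4_root = posixpath.normpath(fields[1])
            continue
        for field in fields:          # directories precede options and hosts
            if not field.startswith("/"):
                break
            exported.add(posixpath.normpath(field))
    return v4_root, exported

def server_path(v4_root, client_path):
    """Server directory named by server:<client_path> in an NFSv4 mount."""
    return posixpath.normpath(posixpath.join(v4_root, client_path.lstrip("/")))

def unexported(v4_root, exported, filesystems, target):
    """File systems from the V4: root down to target lacking an export line."""
    def within(parent, child):
        return child == parent or child.startswith(parent.rstrip("/") + "/")
    crossed = [fs for fs in filesystems
               if within(v4_root, fs) and within(fs, target)]
    return sorted(fs for fs in crossed if fs not in exported)

if __name__ == "__main__":
    for name, text in (("subtree", EXPORTS_SUBTREE), ("root", EXPORTS_ROOT)):
        root, exported = parse_exports(text)
        for path in ("/", "/usr/src"):
            target = server_path(root, path)
            missing = unexported(root, exported, ZFS_FILESYSTEMS, target)
            print(name, "server:" + path, "->", target, "unexported:", missing)
```
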


More information about the freebsd-stable mailing list