Mounting FreeBSD NFSv4 share on Linux using krb5

Julian Andrej

May 2, 2016, 9:51:26 AM
Hello,

I'm desperately trying to mount an NFSv4 export from FreeBSD on a Linux
client using sec=krb5.

So my setup is as follows:
FreeBSD host which is the KDC. Linux client which can auth via
kerberos and should be able to mount the nfs share.

Mounting the share with sec=krb5 from FreeBSD on another FreeBSD box
is no problem, but it fails on the linux client. The client fails with

$ sudo mount -t nfs4 -o sec=krb5 ***:/tank/homes mnt -vv
mount.nfs4: timeout set for Mon May 2 15:39:19 2016
mount.nfs4: trying text-based options 'sec=krb5,addr=***,clientaddr=***'
mount.nfs4: mount(2): Input/output error
mount.nfs4: mount system call failed

and on the FreeBSD host I get the message

gssd_pname_to_uid: failed major=0xd0000 minor=-1765328227
gssd_release_name: done major=0x0 minor=0
gssd_release_cred: done major=0x0 minor=0

which translates to KRB5_NO_LOCALNAME. I have the appropriate
principals with nfs/* for the host and client!

I have tried heimdal from base and MIT krb5 from ports. Both show the
same behavior.

The actual kernel log from linux is:
Mai 02 15:37:19 *** kernel: NFS: nfs4_discover_server_trunking
unhandled error -121. Exiting with error EIO

Can anyone guide me to a possible solution here?

Regards
Julian
_______________________________________________
freeb...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-fs
To unsubscribe, send any mail to "freebsd-fs-...@freebsd.org"

Rick Macklem

May 2, 2016, 7:58:05 PM
Julian Andrej wrote:
> Hello,
>
> I'm desperately trying to mount an NFSv4 export from FreeBSD on a Linux
> client using sec=krb5.
>
> So my setup is as follows:
> FreeBSD host which is the KDC. Linux client which can auth via
> kerberos and should be able to mount the nfs share.
>
> Mounting the share with sec=krb5 from FreeBSD on another FreeBSD box
> is no problem, but it fails on the linux client. The client fails with
>
> $ sudo mount -t nfs4 -o sec=krb5 ***:/tank/homes mnt -vv
> mount.nfs4: timeout set for Mon May 2 15:39:19 2016
> mount.nfs4: trying text-based options 'sec=krb5,addr=***,clientaddr=***'
> mount.nfs4: mount(2): Input/output error
> mount.nfs4: mount system call failed
>
> and on the FreeBSD host I get the message
>
> gssd_pname_to_uid: failed major=0xd0000 minor=-1765328227
The host based credential maps to "nobody", since it isn't in
the passwd database. I'm not sure, but I think that is all this
is saying (ie. not what is causing the mount to fail).

Someone else discovered that a Linux client actually used krb5i even
when krb5 was specified.
--> Make sure the /etc/exports on the FreeBSD server specifies
sec=krb5i,krb5 (and not sec=krb5)
--> This will work around this issue.
- If you already have both krb5,krb5i specified in your /etc/exports
then I have no idea what the failure is.
- A first step is capturing packets (all of them and not just the
NFS ones) and then looking at them in wireshark. Hopefully that
will give you some idea where it is failing.

Good luck. It can be very difficult to figure out what is causing the
failure. Linux clients have been known to work, but I have no idea if
all/current ones do?

rick
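
Added example, not part of the original thread or of FreeBSD's own tooling: a small shell check for the workaround suggested above, listing export lines that accept krb5 but omit krb5i. It assumes FreeBSD exports(5) syntax, where the flavors follow -sec= as a colon-separated list in its own whitespace-separated token; the function names, paths and hostname are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag exports lines that offer sec=krb5 without krb5i.
# Assumption: FreeBSD exports(5) form "-sec=flavor1:flavor2" as its own token.

check_exports() {
    # $1: path to an exports file.
    # Prints one finding per export line that lists krb5 but not krb5i.
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^-sec=/) continue
            list = substr($i, 6)            # text after "-sec="
            n = split(list, fl, ":")
            has5 = 0; has5i = 0
            for (j = 1; j <= n; j++) {
                if (fl[j] == "krb5")  has5 = 1
                if (fl[j] == "krb5i") has5i = 1
            }
            if (has5 && !has5i)
                printf "line %d: -sec=%s offers krb5 without krb5i\n", NR, list
        }
    }' "$1"
}

sample_exports() {
    # Constructed sample input, not the poster's actual /etc/exports.
    cat <<'EOF'
# constructed sample
V4: /tank -sec=krb5i:krb5
/tank/homes -sec=krb5 client.example.org
/tank/pub -sec=sys -ro
/tank/src -sec=krb5i:krb5 -maproot=root client.example.org
EOF
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
sample_exports > "$tmp"
check_exports "$tmp"
rm -f "$tmp"
```

On the server itself, `check_exports /etc/exports` runs the same check against the live file; the V4: line is checked as well as the per-filesystem lines.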

Julian Andrej

May 3, 2016, 2:27:51 AM
Thanks. I will try your suggestions. I got the mount working by adding
"-o vers=3" to the mount. But I do not have enough experience to really
figure out if the "handshake" worked. This way I can mount the share
AND I need a user TGT to access the mount, so I guess this is correct?

Rick Macklem

May 3, 2016, 8:32:55 AM
Julian Andrej wrote:
> Thanks. I will try your suggestions. I got the mount working by adding
> "-o vers=3" to the mount. But I do not have enough experience to really
> figure out if the "handshake" worked. This way I can mount the share
> AND I need a user TGT to access the mount, so I guess this is correct?
>
That is correct. At least for the FreeBSD client (and I think the Linux one is
the same), no host-based client credential is needed for an NFSv3 kerberized mount.
(The host-based credential is used for the NFSv4 state-related ops and there are
none of those for NFSv3.)
Basically if the NFSv3 mount works and a user with a valid TGT can access
their files, the krb5 stuff is working.

Normally for NFSv4 you need a user TGT as well, to access files after the
mount is done.
--> Hopefully the addition of "krb5i" will fix the NFSv4 case, since the guy
who found this mentioned NFSv3 worked ok.

Btw, the little patch in head under r298523 might help, although the original
reporter didn't report back w.r.t. whether it helped.
http://svnweb.freebsd.org/base/head/sys/fs/nfsserver/nfs_nfsdsubs.c?r1=297793&r2=298523