On Fri, 19 Feb 2010, George Mamalakis wrote:
> question 1)
> I want to export my /export directory with -sec=krb5 to my clients, and the
> configuration of my server and client is respectively as follows:
> - server:
> /etc/exports:
> V4: / -sec=krb5
> /export
You need "-sec=krb5" on the /export line as well. For example:
V4: / -sec=krb5
/export -sec=krb5
> /etc/rc.conf
> rpcbind_enable="YES"
> mountd_flags="-e"
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfsuserd_enable="YES"
> gssd_enable="YES"
> KERNEL:
> options NFSD
> options KGSSAPI
> device crypto
> - client:
> rc.conf:
> gssd_enable="YES"
> nfsuserd_enable="YES"
> nfsclient_enable="YES"
> rpcbind_enable="YES"
> nfs_client_flags="-n 4"
> rpc_statd_enable="YES"
> rpc_lockd_enable="YES"
> KERNEL:
> options KGSSAPI
> device crypto
all the above looks ok, at a glance.
> As I said, heimdal seems to work fine, all keytabs are where they should be,
> and I don't know how to mount the partition to my client. When I run:
> [r...@fbsdclient ~]# mount_newnfs -onfsv4,sec=krb5 filesrv.ee.auth.gr:/export /mnt
> nfsv4 err=10016
> mount_newnfs: /mnt, : Input/output error
Unless you have applied the experimental patch that allows host based
client side credentials, mounting as root isn't going to work.
Have you looked at:
http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
You basically have to do the mount as a non-root user after that user
has acquired a valid TGT.
> I receive an I/O error if I use OpenSolaris as a client. The kdc.log shows
> that the clients request the nfs server's ticket (2010-02-19T19:56:29 TGS-REQ
> mama...@ee.auth.gr from IPv4:192.168.100.11 for
> nfs/filesrv.ee.auth...@ee.auth.gr), so things should be working that far, but
> then they refuse to mount the partition.
> If I export the partition with sec=sys and try to mount it with sec=sys, it
> works fine.
On the server, do you have a keytab entry for
nfs/filesrv.ee.auth...@ee.auth.gr
in its default keytab file (/etc/krb5.keytab) with encryption type
des-crc-cbc?
> question 2)
> At the end of the nfsv4(4) man page (in the BUGS section) it states:
> "At this time, there is no recall of delegations for local file system
> operations. As such, delegations should only be enabled for file systems
> that are being used solely as NFS export volumes and are not being
> accessed via local system calls nor services such as Samba."
> Does this mean that if I manage to export my /home filesystem eventually, and
> my mailserver copies the emails to my users' maildirs (located in their home
> folder), or through another nfs mount, or a user is connected to his/her
> account both through nfsv4 and samba, then there will be a serious problem?
Potential problem if you enable delegations. I think they're disabled by
default. (do a "sysctl -a | grep newnfs" and look at them)
> Should I set up the nfs server in solaris and use bsd/linux nfs4 clients
> instead, to be sure that I will have no corrupted filesystems, etc? Have you
> tried mounting solaris-nfsv4 exported filesystems with the fbsd nfsclient and
> sec>=krb5?
I do quite a bit of testing against Solaris10, so I wouldn't expect a
problem if you use a Solaris server and fbsd8 client.
Good luck with it, rick
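Rick's first point, that the /export line needs its own -sec=krb5 and the V4: line alone does not secure it, is easy to check mechanically. The following is an added example, not code from this thread or from FreeBSD: a small Python auditor for exports(5) lines that would be served with sec=sys despite a Kerberos V4: line. The sample exports file is constructed to mirror the one quoted above.

```python
"""Audit a FreeBSD exports(5) file for export lines served with sec=sys
(AUTH_SYS) while the V4: root line asks for Kerberos.  Added example."""
import re
from typing import Dict, List, Optional
# Constructed sample modelled on the thread: V4: asks for krb5, /export has no -sec.
SAMPLE_EXPORTS = """\
# /etc/exports on the file server (constructed example)
V4: / -sec=krb5
/export
/home -sec=krb5:krb5i -network 192.168.100.0/24
/pub -sec=sys:krb5 -ro
/scratch -alldirs
"""
SEC_RE = re.compile(r"(?:^|\s)-sec=([A-Za-z0-9:]+)")

def parse_sec(line: str) -> List[str]:
    """Flavors listed in -sec=..., e.g. ['krb5', 'krb5i']; [] when absent."""
    match = SEC_RE.search(line)
    return match.group(1).split(":") if match else []

def audit_exports(text: str) -> Dict[str, List[str]]:
    """Map each exported directory (and 'V4:') to a list of findings.
    mountd gives every export line its own flavor; -sec on the V4: line covers
    only the NFSv4 tree root.  A line without -sec is served with sec=sys, so a
    client insisting on sec=krb5 fails at mount time with NFS4ERR_WRONGSEC
    (10016), the err= value quoted in the thread.
    """
    findings: Dict[str, List[str]] = {}
    v4_sec: Optional[List[str]] = None          # None until a V4: line is seen
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        if line.startswith("V4:"):
            v4_sec = parse_sec(line)
            continue
        sec = parse_sec(line)
        problems = []
        if not sec:
            problems.append("no -sec option: exported with sec=sys (AUTH_SYS) "
                            "regardless of the V4: line")
        elif "sys" in sec:
            problems.append("sec=sys (AUTH_SYS) accepted on this export")
        findings[line.split()[0]] = problems    # keyed on the first directory
    if v4_sec is None:
        findings["V4:"] = ["no V4: line: NFSv4 clients cannot mount at all"]
    else:
        findings["V4:"] = [] if v4_sec and "sys" not in v4_sec else ["V4: root allows sec=sys"]
    return findings
```

Run it against the sample and /export and /scratch are flagged while /home passes; with Rick's corrected "/export -sec=krb5" line the report comes back clean.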