I ended up making it work. Here are my notes:
• Error messages on mount have nothing to do with the cause.
• By default they use a user port to communicate with the server. If
you have "insecure" on the server, that's fine. If not, add resvport to the
mount options.
• If things fail, it may take a couple of minutes before a retry might
work. Also, after a umount, an immediate attempt to mount will fail, with obscure
error messages about RPC service not found.
• You will need valid /etc/krb5.conf and /etc/krb5.keytab.
• As a user, kinit so you have a valid credential cache. I used
default_cc_name = /tmp/krb5cc_%{uid}, so my credentials went into a /tmp file.
I don't know how many different locations their NFS server checks. I only tried
that one location. It appears that some user must be kinit’ed for the mount to
work, though the mount is done by sudo, so it’s root.
• Here's a v4 mount: mount -t nfs -o vers=4,sec=krb5
c217-nfs.cs.rutgers.edu:/home /mnt. With Linux, the client finds out from the
server that it needs to use Kerberos, and it mounts with the highest available
version. Mac doesn't seem to do that, so I specify vers= and sec=.
• For V4 to work, idmapping must be working. To set it up, you must
tell the system your Kerberos domain, "dscl . -create Config/NFSv4Domain
RealName CS.RUTGERS.EDU"
• You can specify v3, obviously. Kerberized V3 works. With V3 your uids
and gids need to be synchronized with the server. At least the ones you care
about, which is probably just your own user.
• Root was able to access my files. It seems to have used my user
credentials. On Linux root accesses are done as root, and typically that
results in a permission failure.
• Failures aren't necessarily on the Mac side. I had a failure with a
CentOS file server which turned out to be on the Linux end. I had to restart
the Linux system. I believe the issue was that Spotlight was trying to index the
drive, and the Kerberos ticket had expired. (That’s not confirmed, but there
are a couple of pieces of evidence suggesting Spotlight. I’m surprised, since
Spotlight doesn’t actually seem to work on NFS.) The server should just give an
error, but it seems to have run out of file descriptors. The issue did not
occur with a CentOS 6 server mounted with version 3.
Now on to Windows ...
> On Feb 24, 2017, at 1:26 PM, Charles Hedrick <[email protected]> wrote:
>
> The server seems to think the mount was OK, but the client says permission
> denied, and the log shows
> 2017-02-24T13:16:28 set-error: 1: Access to home directory not allowed
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
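As an added example (not part of Charles's mail), a bash preflight script for the checklist in the notes: it verifies the Kerberos files, the credential cache and the NFSv4 idmapping domain before printing the mount command, since the mount's own error messages say nothing about the cause. The /etc and /tmp paths and the dscl record are the ones the notes name; the realm, server and mount point are placeholders, and the "RealName: REALM" format of dscl's output is an assumption.

```bash
#!/bin/bash
# Preflight checks for a Kerberized NFS mount from a Mac, following the notes
# above (added example; realm/server/mount point are placeholders).

# krb5.conf must be readable; the keytab must exist and not be open to
# "others", since it holds the host's long-term keys.
check_krb5_files() {
  local conf="$1" keytab="$2" others
  [ -r "$conf" ] || { echo "missing or unreadable $conf"; return 1; }
  [ -f "$keytab" ] || { echo "missing $keytab"; return 1; }
  others=$(ls -ld "$keytab" | cut -c8-10)   # rwx bits for "others"
  [ "$others" = "---" ] || { echo "$keytab is world-accessible ($others)"; return 1; }
}

# A non-empty credential cache must exist for the uid, using the
# default_cc_name pattern from the notes (/tmp/krb5cc_%{uid}).
check_ccache() {
  local uid="$1" ccdir="${2:-/tmp}"
  [ -s "$ccdir/krb5cc_$uid" ] ||
    { echo "no credential cache $ccdir/krb5cc_$uid; run kinit first"; return 1; }
}

# For v4 the idmapping domain must equal the realm. Takes the output of
# "dscl . -read Config/NFSv4Domain RealName" as an argument so it can be
# checked offline; the "RealName: REALM" output format is assumed.
check_nfsv4_domain() {
  local realm="$1" dscl_out="$2" have
  have=$(printf '%s\n' "$dscl_out" | sed -n 's/^RealName: *//p')
  [ "$have" = "$realm" ] && return 0
  echo "NFSv4Domain is '${have:-unset}', expected $realm (fix: dscl . -create Config/NFSv4Domain RealName $realm)"
  return 1
}

# The Mac needs vers= and sec= spelled out, and resvport unless the export
# is marked "insecure" on the server.
mount_opts() {
  local server_insecure="$2" opts="vers=$1,sec=krb5"
  [ "$server_insecure" = "yes" ] || opts="$opts,resvport"
  echo "$opts"
}

# Run every check and print (not execute) the mount command if all pass.
preflight() {   # usage: preflight REALM VERS SERVER:/export MOUNTPOINT
  local ok=0
  check_krb5_files /etc/krb5.conf /etc/krb5.keytab || ok=1
  check_ccache "$(id -u)" || ok=1
  [ "$2" != 4 ] || check_nfsv4_domain "$1" \
      "$(dscl . -read Config/NFSv4Domain RealName 2>/dev/null)" || ok=1
  [ "$ok" = 0 ] && echo "sudo mount -t nfs -o $(mount_opts "$2" no) $3 $4"
  return "$ok"
}
```

Run `preflight CS.RUTGERS.EDU 4 c217-nfs.cs.rutgers.edu:/home /mnt` as the user who ran kinit; each failing check names the fix from the notes.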