Has anyone got a good reference for how to set up krb5p security? I've got NFSv4 running fine without security, but the Kerberos setup has been a major pain in the neck. There doesn't seem to be much logging going on, no matter how many -d or -h flags I use. It feels like Wireshark is my only utility to figure this out.
What I've got so far: kdc is running, I can kinit -k nfs/host on the client, but I only get "Permission denied" messages on a mount.
Code:
root@t1:/home/user # mount_nfs -o nfsv4,gssname=nfs@t1.domain,principal=nfs@t1.domain,sec=krb5p svc1.domain:/ /system/nfs/svc1/
mount_nfs: nmount: /system/nfs/svc1: Permission denied
This is what gssd gives me when I run it in debug mode:
Code:
gssd_acquire_cred: desired name for host based initiator cred major=0x0 minor=0
gssd_acquire_cred: using keytab entry for nfs/t1.domain, kerberos ret=0
gssd_acquire_cred: done major=0x0 minor=0
gssd_release_name: done major=0x0 minor=0
gssd_import_name: done major=0x0 minor=0
gssd_init_sec_context: done major=0x1 minor=0 uid=0
gssd_release_name: done major=0x0 minor=0
gssd_delete_sec_context: done major=0x0 minor=0
Haven't found what "major=0x1" means.
Anyone got any suggestions? I'd appreciate any pointers, even a book would be fine (didn't find anything that seems to cover kerberized NFSv4 on BSD in depth).
Again, kinit for a user works fine, and the host key works fine with the "-k" flag on the command line. I've also fixed my /etc/hosts file to only include one definitive hostname entry. hostname -f successfully returns a FQDN on server and client.
My /etc/krb5.conf (altered to a generic domain name) on the client:
Code:
[libdefaults]
default_realm = DOMAIN
[realms]
DOMAIN = {
kdc = kdc.domain
admin_server = kdc.domain
}
[domain_realm]
.domain = DOMAIN
/etc/rc.conf on client:
Code:
nfsuserd_enable="YES"
nfscbd_enable="YES"
nfscbd_flags="-P nfs/t1.domain@DOMAIN"
gssd_flags="-h -v -v -v -v"
gssd_enable="YES"
nfsuserd_flags="-domain t1.domain -verbose"
/etc/exports on server:
Code:
V4: /system/nfs -sec=krb5p -network=10.10.0.0/24
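Added here as an example that is not part of the post: a small Python decoder for the major status words that gssd prints, following the bit layout of RFC 2744 section 3.9 (calling errors in bits 24-31, routine errors in bits 16-23, supplementary info in bits 0-15), run over the debug lines quoted above. Under that layout 0x1 is the supplementary bit GSS_S_CONTINUE_NEEDED, which the GSS_ERROR() macro does not treat as a failure; the sample log is copied from the post, the function and variable names are my own.

```python
import re

# GSS-API major status word layout (RFC 2744, section 3.9):
# bits 31..24 calling errors, bits 23..16 routine errors, bits 15..0 supplementary info.
CALLING_OFFSET, ROUTINE_OFFSET = 24, 16
CALLING_MASK, ROUTINE_MASK, SUPPLEMENTARY_MASK = 0xFF << 24, 0xFF << 16, 0xFFFF

CALLING_ERRORS = {1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
                  3: "GSS_S_CALL_BAD_STRUCTURE"}
ROUTINE_ERRORS = dict(enumerate([
    "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE", "GSS_S_BAD_BINDINGS",
    "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG", "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT",
    "GSS_S_DEFECTIVE_TOKEN", "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
    "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED",
    "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN"], start=1))
SUPPLEMENTARY_BITS = {0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
                      2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN"}


def decode_major(major):
    """Return the symbolic GSS_S_* names packed into one major status word."""
    names = []
    calling = (major & CALLING_MASK) >> CALLING_OFFSET
    routine = (major & ROUTINE_MASK) >> ROUTINE_OFFSET
    if calling:
        names.append(CALLING_ERRORS.get(calling, "unknown calling error %d" % calling))
    if routine:
        names.append(ROUTINE_ERRORS.get(routine, "unknown routine error %d" % routine))
    for bit, name in SUPPLEMENTARY_BITS.items():
        if major & SUPPLEMENTARY_MASK & (1 << bit):
            names.append(name)
    return names or ["GSS_S_COMPLETE"]


def is_error(major):
    """Mirror the GSS_ERROR() macro: only calling/routine bits signal failure."""
    return bool(major & (CALLING_MASK | ROUTINE_MASK))


LINE_RE = re.compile(r"^(\w+):.*?major=0x([0-9a-fA-F]+) minor=(\d+)")


def parse_gssd_log(text):
    """Map each gssd debug line carrying a status to (function, names, is_error)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            major = int(m.group(2), 16)
            out.append((m.group(1), decode_major(major), is_error(major)))
    return out


# gssd debug lines copied from the post above (lines without a major= are skipped).
SAMPLE = """gssd_acquire_cred: done major=0x0 minor=0
gssd_init_sec_context: done major=0x1 minor=0 uid=0
gssd_delete_sec_context: done major=0x0 minor=0"""

if __name__ == "__main__":
    for func, names, err in parse_gssd_log(SAMPLE):
        print(func, ",".join(names), "ERROR" if err else "ok")
```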