Kerberized NFSv4 with Ubuntu client, Ubuntu KDC and FreeNAS 9.3 NFS server not working

Status
Not open for further replies.

Bytor

I updated my file server to 9.3 yesterday and I have been trying to add Kerberos into the mix for NFSv4 security but have been unsuccessful. Hopefully somebody here has gotten an Ubuntu client to get kerberized-NFSv4 from FreeNAS 9.3 and can give me some pointers.

When trying to mount an NFSv4 kerberized share from the file server on my Ubuntu laptop, I get one of two errors when I try "sudo mount -t nfs4 -o sec=krb5 10.128.5.89:/mnt/Archives/backup /mnt".

If 'Require Kerberos for NFSv4' is checked in the GUI's NFS settings, then mount simply says "mount failed" and this error is in syslog 'kernel: [ 103.644721] NFS: nfs4_discover_server_trunking unhandled error -121. Exiting with error EIO'.

If that setting is clear, then mount says 'mount.nfs4: access denied by server while mounting 10.128.5.89:/mnt/Archives/backup' with nothing in the logs anywhere. Adding some -v to /etc/default/nfs-common only produces this:

Apr 29 16:33:30 vaportrails rpc.gssd[496]: message repeated 61 times: [ ERROR: No credentials found for connection to server twilightsparkle.cory.albrecht.name]
Apr 29 16:33:30 vaportrails rpc.gssd[496]: ERROR: can't open /run/rpc_pipefs/nfs/clnte6: No such file or directory
Apr 29 16:33:30 vaportrails rpc.gssd[496]: ERROR: No credentials found for connection to server twilightsparkle.cory.albrecht.name
Apr 29 16:33:30 vaportrails rpc.gssd[496]: ERROR: can't open /run/rpc_pipefs/nfs/clnte7: No such file or directory
Apr 29 16:33:30 vaportrails rpc.gssd[496]: ERROR: No credentials found for connection to server twilightsparkle.cory.albrecht.name

But only when I try to cd to /nfs/twilightsparkle.cory.albrecht.name/mnt/Archives/backup (the Ubuntu autofs path for the one NFS share I enabled krb5, krb5i and krb5p security on), not when trying to manually mount as above, and only sometimes (caching?).

There's a zillion how-tos for when your server is Ubuntu and does both the Kerberos KDC and NFS and your client is Ubuntu, and while they say 95% the same things there's often some tiny little thing that one page says but not the others, though none of their suggestions have worked for me. But my set-up is Ubuntu client, Ubuntu KDC and FreeNAS. I'm just a newbie to Kerberos.

I created the necessary principals (nfs/laptop, host/laptop, nfs/freenas, host/freenas) and made sure that /etc/krb5.keytab on both the laptop and the FreeNAS server contain their own host/ keytab and their own nfs/ keytab.

I know that my Kerberos is set up properly, because I have libpam_krb5 installed on the Ubuntu laptop and I have successfully kerberized the login. I can see lines showing the following in the logs on the laptop and the Ubuntu KDC:

Apr 28 11:51:15 VaporTrails gdm-password]: pam_krb5(gdm-password:auth): user cory authenticated as cory@CORY.ALBRECHT.NAME
Apr 25 20:11:51 kaitain kadmind[1070](Notice): Request: kadm5_get_policy, default, success, client=cory/admin@CORY.ALBRECHT.NAME, service=kadmin/admin@CORY.ALBRECHT.NAME, addr=2001:470:b09d:0:593d:c687:bd7e:bb99

Heeeellllp meeeeeeee! :smile:
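
A check for the keytab layout described in the post above (an nfs/ and a host/ principal per machine), added here as an example and not part of the thread: it reads a plain MIT `klist -k` listing (assumed format) and reports which of the two principals is absent for a given fully qualified host name. The function names and the sample listing are constructed; the host name and realm are the ones in the quoted logs. Names are compared exactly, so a short-name entry does not count for the FQDN.

```shell
# Added example, not from the thread. Assumes the listing format printed by
# MIT `klist -k` (optionally with -e): "<kvno> <principal> [(enctype)]".

# Constructed sample listing; host name and realm are taken from the logs
# quoted in the thread. Note the nfs/ entry uses the short host name.
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/twilightsparkle.cory.albrecht.name@CORY.ALBRECHT.NAME
   2 host/twilightsparkle.cory.albrecht.name@CORY.ALBRECHT.NAME
   2 nfs/twilightsparkle@CORY.ALBRECHT.NAME
EOF
}

# missing_principals FQDN REALM   (reads a `klist -k` listing on stdin)
# Prints every required principal that is absent, one per line.
# Exit status: 0 if nfs/FQDN@REALM and host/FQDN@REALM are both present, 1 otherwise.
missing_principals() {
    awk -v fqdn="$1" -v realm="$2" '
        # Data rows start with a numeric key version; header lines do not.
        $1 ~ /^[0-9]+$/ { seen[$2] = 1 }
        END {
            n = split("nfs host", svc, " ")
            for (i = 1; i <= n; i++) {
                p = svc[i] "/" fqdn "@" realm
                # Exact, case-sensitive comparison: nfs/host and
                # nfs/host.domain are two different principals.
                if (!(p in seen)) { print p; missing = 1 }
            }
            exit missing + 0
        }'
}

# Usage on a real machine (run as root so the keytab is readable):
#   klist -k /etc/krb5.keytab | missing_principals "$(hostname -f)" CORY.ALBRECHT.NAME
```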
 
dlavigne

This is worth creating a bug report at bugs.freenas.org. Please post the issue number here.
 