NFS4 and GSSAPI

Lukas Hejtmanek xhejtman at ics.muni.cz
Mon Aug 27 10:37:30 EDT 2007 

Hello,

I have some difficulties when trying GSS and NFSv4.

I have server with ldap and nfsv4 server.

On my server, I tested my ldap configuration with libtest util:
./libtest xhejtman at META xhejtman at META
nfs4_gss_princ_to_ids: princ xhejtman at META has uid 20000 gid 20000
nfs4_name_to_uid: name xhejtman at META has uid 20000
nfs4_name_to_gid: name xhejtman at META has gid 20000
nfs4_uid_to_name: uid 20000 has name xhejtman at META
nfs4_gid_to_name: gid 20000 has name xhejtman at META

(the same works on the client)

I have the following data in exported directory:
/opt/exports# ls -l
total 0
drwx------ 2 20000 20000 6 2007-08-21 16:38 dir
drwxr-xr-x 2 root  root  6 2007-08-21 16:40 dir1
-rw-r--r-- 1 20000 20000 0 2007-08-21 16:38 file
-rw-r--r-- 1 root  root  0 2007-08-21 16:38 file1

This is how the /etc/exports looks like:
/opt/exports    gss/krb5(rw,fsid=0,no_subtree_check)
/opt/exports    gss/krb5i(rw,fsid=0,no_subtree_check)
/opt/exports    gss/krb5p(rw,fsid=0,no_subtree_check)

On the client, I mounted nfs directory to /mnt:
cache04.video.muni.cz:/ on /mnt type nfs4
(rw,sec=krb5i,addr=147.251.11.143,addr=147.251.11.143)

I have KRB5 tickets (still valid):
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xhejtman at META

Valid starting     Expires            Service principal
08/21/07 16:40:36  08/22/07 16:40:36  krbtgt/META at META
       renew until 08/22/07 16:42:35


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

But I'm unable to enter my directory:
cache03:/mnt# cd dir
-bash: cd: dir: Permission denied

(entering dir1 works)


# cat /etc/idmapd.conf 
[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = video.muni.cz

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]

Method = umich_ldap

[UMICH_SCHEMA]

LDAP_server = 147.251.11.143
LDAP_base = dc=video,dc=muni,dc=cz
NFSv4_name_attr = NFSv4Name
NFSv4_group_attr = NFSv4Name
GSS_principal_attr = GSSAuthName


Am I something missing?

-- 
Lukáš Hejtmánek

More information about the NFSv4 mailing list