NFSv4 + Kerberos + users
Zoltan Menyhart
Zoltan.Menyhart at bull.net
Wed Jun 20 08:25:50 EDT 2007
Kevin Coffman wrote:
> If you still have problems, a tar of my build of nfs-utils-1.1.0 and
> supporting libraries is available at:
>
> http://www.citi.umich.edu/u/kwc/nfs-utils-1.1.0.ia64.tar.bz2
>
> It seems to work for me w/o a segfault.
>
> K.C.
1. Starting with the easiest one:
I extracted your pack into the directory /home/kwc/build,
in case the config remembers some pathnames...
In order to avoid recompilation / relinking, I "touch"-ed all the *.*o
files, then the libs and finally the nfs-utils.
I did "make install" in all libs' and nfs-utils' directories.
I set LD_LIBRARY_PATH to start with /usr/local/lib.
I noticed that "ldd gssd" now lists /usr/local/lib/librpcsecgss.so.3
while in my copy of gssd, I have /usr/lib/librpcsecgss.so.1.
A mount that previously crashed gssd does not do it any more.
2. Back to my copy of nfs-utils: I adjusted "PKG_CONFIG_PATH":
# echo $PKG_CONFIG_PATH
/usr/local/lib/pkgconfig
I configured and re-ran make:
# ./configure --enable-mount
It does not crash any more.
"ldd gssd" now lists /usr/local/lib/librpcsecgss.so.3.
I kept the libraries I installed in step 1.
The diff between the new and the old config.log:
2424,2427c2424,2427
< pkg_cv_GSSAPI_CFLAGS='-I/usr/local/include/gssglue '
< pkg_cv_GSSAPI_LIBS='-L/usr/local/lib -lgssapi -ldl '
< pkg_cv_RPCSECGSS_CFLAGS='-I/usr/local/include/rpcsecgss -I/usr/local/include/gssglue '
< pkg_cv_RPCSECGSS_LIBS='-L/usr/local/lib -lrpcsecgss -lgssapi -ldl '
---
> pkg_cv_GSSAPI_CFLAGS='-I/usr/include/gssglue '
> pkg_cv_GSSAPI_LIBS='-lgssapi -ldl '
> pkg_cv_RPCSECGSS_CFLAGS='-I/usr/include/rpcsecgss -I/usr/include/gssglue '
> pkg_cv_RPCSECGSS_LIBS='-lrpcsecgss -lgssapi -ldl '
2480,2481c2480,2481
< GSSAPI_CFLAGS='-I/usr/local/include/gssglue '
< GSSAPI_LIBS='-L/usr/local/lib -lgssapi -ldl '
---
> GSSAPI_CFLAGS='-I/usr/include/gssglue '
> GSSAPI_LIBS='-lgssapi -ldl '
2525,2526c2525,2526
< RPCSECGSS_CFLAGS='-I/usr/local/include/rpcsecgss -I/usr/local/include/gssglue '
< RPCSECGSS_LIBS='-L/usr/local/lib -lrpcsecgss -lgssapi -ldl '
---
> RPCSECGSS_CFLAGS='-I/usr/include/rpcsecgss -I/usr/include/gssglue '
> RPCSECGSS_LIBS='-lrpcsecgss -lgssapi -ldl '
Previously, I did not have "-L/usr/local/lib".
Here is the log provoked by a mount issued in another xterm:
# rpc.gssd -m -vvvv -rrrr -n -f
beginning poll
handling krb5 upcall
getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_machine_FREC.BULL.FR' being considered
CC file 'krb5cc_machine_FREC.BULL.FR' matches owner check and has mtime of 1181136512
CC file 'krb5cc_0' being considered
CC file 'krb5cc_0' matches owner check and has mtime of 1182331220
CC file 'krb5cc_0' is our current best match with mtime of 1182331220
using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_0
creating context using fsuid 0 (save_uid 0)
creating tcp client for server lucy2_10g.frec.bull.fr
creating context with server nfs at lucy2_10g.frec.bull.fr
serialize_krb5_ctx: serializing keys with enctype 4 and length 8
doing downcall
I can see the mounted file system content.
Thank you.
I'd like to set up a configuration as follows:
- Assume user_i has his/her partition, named /dev/sdxi, on the server
- Assume /exports is exported as:
/export gss/krb5(sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534)
- I, as root on the server, mount each of /dev/sdxi on /mnt/sdxi,
and I bind them as /exports/sdxi:
/export/sdxi gss/krb5(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534)
What should be added to indicate that user_i/<machine>.<domain>@<realm> is allowed
to mount his/her own partition?
(I do not need an ACL for the files on the file system.)
When I do a "mount server:/", like I did above as root, everything is mounted.
How can server:/sdxi be mounted separately?
Thanks,
Zoltan
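
The library check done by hand with "ldd gssd" in steps 1 and 2 above, as an added example that is not part of the original message and is not nfs-utils code. The function names are hypothetical and the sample ldd output is constructed; only the two librpcsecgss paths are taken from the message.

```shell
#!/bin/sh
# Added example, not from the original message or from nfs-utils.
# Constructed `ldd gssd` output for the two builds described above; only the
# librpcsecgss paths come from the message, the libgssapi lines and the load
# addresses are made up.
OLD_LDD='    librpcsecgss.so.1 => /usr/lib/librpcsecgss.so.1 (0x0000000000000000)
    libgssapi.so.2 => /usr/lib/libgssapi.so.2 (0x0000000000000000)'
NEW_LDD='    librpcsecgss.so.3 => /usr/local/lib/librpcsecgss.so.3 (0x0000000000000000)
    libgssapi.so.2 => /usr/local/lib/libgssapi.so.2 (0x0000000000000000)'

# resolved_lib LIBNAME: read ldd output on stdin and print "soname path" for
# the first entry whose soname starts with LIBNAME.so; fail if there is none.
resolved_lib() {
    awk -v lib="$1" '
        index($1, lib ".so") == 1 && $2 == "=>" { print $1, $3; found = 1; exit }
        END { if (!found) exit 1 }'
}

# check_lib_prefix LIBNAME PREFIX: 0 if LIBNAME resolves under PREFIX,
# 1 if it resolves elsewhere (or ldd reported "not found"), 2 if not linked.
check_lib_prefix() {
    entry=$(resolved_lib "$1") || { echo "$1: not linked"; return 2; }
    path=${entry#* }
    case "$path" in
        "$2"/*) echo "ok: $entry"; return 0 ;;
        *)      echo "mismatch: $entry (expected under $2)"; return 1 ;;
    esac
}

# Old build: resolves the system copy, so the check reports a mismatch.
printf '%s\n' "$OLD_LDD" | check_lib_prefix librpcsecgss /usr/local/lib || true
# Rebuilt with PKG_CONFIG_PATH=/usr/local/lib/pkgconfig: resolves as intended.
printf '%s\n' "$NEW_LDD" | check_lib_prefix librpcsecgss /usr/local/lib
# Against a real binary: ldd ./gssd | check_lib_prefix librpcsecgss /usr/local/lib
```

Running the same check after every rebuild catches a daemon that was compiled against the headers in one prefix but resolves the shared object from another at run time.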