anyone have Kerberized mount working on Mac 10.12?


anyone have Kerberized mount working on Mac 10.12?

Charles Hedrick
The server seems to think the mount was OK, but the client says permission denied, and the log shows
2017-02-24T13:16:28 set-error: 1: Access to home directory not allowed


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: anyone have Kerberized mount working on Mac 10.12? [solved]

Charles Hedrick
I ended up making it work. Here are my notes:

        • Error messages on mount have nothing to do with the cause.
        • By default they use a user port to communicate with the server. If you have "insecure" on the server, that's fine. If not, add resvport to the mount options.
        • If things fail, it may take a couple of minutes before a retry might work. Also, after a umount, an immediate attempt to mount will fail, with obscure error messages about RPC service not found.
        • You will need valid /etc/krb5.conf and /etc/krb5.keytab.
        • As a user, kinit so you have a valid credential cache. I used default_cc_name = /tmp/krb5cc_%{uid}, so my credentials went into a /tmp file. I don't know how many different locations their NFS server checks. I only tried that one location. It appears that some user must be kinit’ed for the mount to work, though the mount is done by sudo, so it’s root.
        • Here's a v4 mount: mount -t nfs -o vers=4,sec=krb5 c217-nfs.cs.rutgers.edu:/home /mnt. With Linux, the client finds out from the server that it needs to use Kerberos, and it mounts with the highest available version. Mac doesn't seem to do that, so I specify vers= and sec=.
        • For V4 to work, idmapping must be working. To set it up, you must tell the system your Kerberos domain: "dscl . -create Config/NFSv4Domain RealName CS.RUTGERS.EDU"
        • You can specify v3, obviously. Kerberized V3 works. With V3 your uids and gids need to be synchronized with the server. At least the ones you care about, which is probably just your own user.
        • Root was able to access my files. It seems to have used my user credentials. On Linux root accesses are done as root, and typically that results in a permission failure.
        • Failures aren't necessarily on the Mac side. I had a failure with a CentOS file server which turned out to be on the Linux end. I had to restart the Linux system. I believe the issue was that Spotlight was trying to index the drive, and the Kerberos ticket had expired. (That’s not confirmed, but there are a couple of pieces of evidence suggesting Spotlight. I’m surprised, since Spotlight doesn’t actually seem to work on NFS.) The server should just give an error, but it seems to have run out of file descriptors. The issue did not occur with a CentOS 6 server mounted with version 3.

Now on to Windows ...

> On Feb 24, 2017, at 1:26 PM, Charles Hedrick <[hidden email]> wrote:
>
> The server seems to think the mount was OK, but the client says permission denied, and the log shows
> 2017-02-24T13:16:28 set-error: 1: Access to home directory not allowed
>
>
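The checklist in the notes above, turned into a preflight script. This is an added example, not code from the original poster: the realm, export and mountpoint are placeholders, and the `dscl . -read` output format (`RealName: <value>`) is assumed.

```bash
#!/bin/bash
# Added example: preflight checks before a Kerberized NFS mount on macOS,
# following the notes in the thread above. Not from the original post.
# Placeholders (assumptions): realm, server export and mountpoint.
REALM="${REALM:-EXAMPLE.REALM}"
EXPORT="${EXPORT:-nfs.example.test:/home}"
MNT="${MNT:-/mnt}"

# Build the mount option string. Per the notes, macOS does not negotiate the
# version or security flavour with the server, so vers= and sec= are explicit;
# resvport is needed unless the export is marked "insecure" on the server.
build_mount_opts() {
    local vers="$1" sec="$2" resvport="$3"
    local opts="vers=${vers},sec=${sec}"
    [ "$resvport" = "yes" ] && opts="${opts},resvport"
    printf '%s\n' "$opts"
}

# Check the client-side prerequisites from the notes: /etc/krb5.conf,
# /etc/krb5.keytab, and (for vers=4) an NFSv4 domain for idmapping.
# Paths are parameters so the check can be exercised against test files.
# Returns 0 when everything is present, 1 otherwise, naming what is missing.
preflight() {
    local krb5conf="$1" keytab="$2" vers="$3" nfs4domain="$4" ok=0
    [ -e "$krb5conf" ] || { echo "missing $krb5conf" >&2; ok=1; }
    [ -e "$keytab" ]   || { echo "missing $keytab" >&2; ok=1; }
    if [ "$vers" = "4" ] && [ -z "$nfs4domain" ]; then
        echo "NFSv4Domain not set; run: sudo dscl . -create Config/NFSv4Domain RealName $REALM" >&2
        ok=1
    fi
    return $ok
}

# Full procedure: ticket present (klist -s), prerequisites in place, then mount.
do_mount() {
    local domain
    # Assumed output format of dscl -read: "RealName: <domain>"
    domain=$(dscl . -read Config/NFSv4Domain RealName 2>/dev/null | awk '/^RealName:/ {print $2}')
    klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; return 1; }
    preflight /etc/krb5.conf /etc/krb5.keytab 4 "$domain" || return 1
    sudo mount -t nfs -o "$(build_mount_opts 4 krb5 yes)" "$EXPORT" "$MNT"
}

# Only perform the mount when invoked as: bash thisscript.sh mount
if [ "${1:-}" = "mount" ]; then
    do_mount
fi
```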