# Kerberos nfsv4 with Linux server



## Tjure (Jun 16, 2022)

I am struggling to get an NFSv4 Kerberos share on a Linux server to mount on a FreeBSD 13 client. (The other way around, it worked.)

On Linux there are two options to specify a Kerberos share:

/etc/exports on `linserv`:

```
/nfs            *(rw,sec=krb5:krb5i:krb5p,async,fsid=0)
/nfs/home       *(rw,sec=krb5:krb5i:krb5p,async,nohide,no_root_squash)
```
Trying to mount this on FreeBSD13 (`bsdclient`) with
`mount_nfs -o nfsv4,sec=krb5 linserv:/home /mnt/tmp` yields:

```
nfsv4 err=10016
mount_nfs: /mnt/tmp: Input/output error
```
i.e., NFSERR_WRONGSEC. So FreeBSD13 seems not to recognize the security-settings of the Linux server.


/etc/exports on `linserv`:  

```
/nfs            gss/krb5(rw,async,fsid=0)
/nfs/home       gss/krb5(rw,async,nohide,no_root_squash)
```
Using the same mount command as before yields just:

```
mount_nfs: /mnt/tmp: Input/output error
```


I also inspected the output of `gssd -h -d -v`:

```
gssd_import_name: done major=0x0 minor=0
gssd_init_sec_context: done major=0xd0000 minor=2 uid=0
gssd_release_name: done major=0x0 minor=0
```

When I used the gssname option, i.e., `mount_nfs -o nfsv4,sec=krb5,gssname=host linserv:/home /mnt/tmp`:

```
gssd_import_name: done major=0x0 minor=0
gssd_acquire_cred: desired name for host based initiator cred major=0x0 minor=0
gssd_acquire_cred: using keytab entry for host/bsdclient, kerberos ret=-1765328378
gssd_release_name: done major=0x0 minor=0
```
That apparently shows that the key is not found in krb5.keytab. (I also tried `gssd -h -d -v -s /etc/krb5.keytab` with the same result.)


I also tried different versions of gssname, e.g. `mount_nfs -o nfsv4,sec=krb5,gssname=host@bsdclient.samdom.com linserv:/home /mnt/tmp`, but the error was similar:

```
gssd_import_name: done major=0x0 minor=0
gssd_acquire_cred: desired name for host based initiator cred major=0x0 minor=0
gssd_acquire_cred: using keytab entry for host/bsdclient.samdom.com, kerberos ret=-1765328378
gssd_release_name: done major=0x0 minor=0
```

But `ktutil list` shows that the host-key is in krb5.keytab:

```
1  aes256-cts-hmac-sha1-96  host/bsdclient.samdom.com@SAMDOM.COM
1  aes128-cts-hmac-sha1-96  host/bsdclient.samdom.com@SAMDOM.COM
1  arcfour-hmac-md5         host/bsdclient.samdom.com@SAMDOM.COM
```

Apart from a `rpc.mountd[593]: failed authentication for IP 10.0.2.99` (i.e., the IP of `bsdclient`) I could find nothing on `linserv`.

I should add that `bsdclient` also contains the Samba AD server. And I can mount the share on `linserv` from any Linux machine with nfsv4-kerberos (using option 1 or 2).

Does anybody have an idea what goes wrong? Is it not possible to mount Linux Kerberos nfsv4 shares on FreeBSD13?

In another post it is noted that kerberos nfsv4 is broken.


----------
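The numeric codes in the `gssd` and `mount_nfs` output quoted in the post can be decoded mechanically. The following is an added example, not part of the original post and not FreeBSD's own code: the function names are hypothetical, the name tables are deliberately partial, and it assumes the `kerberos ret` value is a standard krb5 com_err code.

```python
import re

# GSS-API major status (RFC 2744): calling error in bits 24-31,
# routine error in bits 16-23, supplementary info in bits 0-15.
GSS_ROUTINE = {7: "GSS_S_NO_CRED", 10: "GSS_S_DEFECTIVE_CREDENTIAL",
               11: "GSS_S_CREDENTIALS_EXPIRED", 13: "GSS_S_FAILURE"}
# Assumption: "kerberos ret" is a krb5 com_err code, i.e. the table base
# plus the RFC 4120 protocol error number. Partial name table only.
KRB5_BASE = -1765328384
KRB5_ERR = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client not found in Kerberos database
            7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
            14: "KDC_ERR_ETYPE_NOSUPP", 24: "KDC_ERR_PREAUTH_FAILED",
            37: "KRB_AP_ERR_SKEW"}
NFS4_ERR = {10016: "NFS4ERR_WRONGSEC"}  # RFC 7530

def decode_gss_major(major):
    """Split a GSS-API major status into its routine/calling error fields."""
    if major == 0:
        return "GSS_S_COMPLETE"
    calling, routine = (major >> 24) & 0xFF, (major >> 16) & 0xFF
    name = GSS_ROUTINE.get(routine, f"routine error {routine}")
    return f"{name} (calling error {calling})" if calling else name

def decode_krb5(ret):
    """Map a krb5 library return value to its protocol error name."""
    n = ret - KRB5_BASE
    if not 0 <= n < 256:
        return f"outside krb5 table ({ret})"
    return KRB5_ERR.get(n, f"krb5 error {n}")

def explain(line):
    """Return decoded names for every failing status code in one log line."""
    found = []
    m = re.search(r"major=0x([0-9a-fA-F]+)", line)
    if m and int(m.group(1), 16):
        found.append(decode_gss_major(int(m.group(1), 16)))
    m = re.search(r"kerberos ret=(-?\d+)", line)
    if m and int(m.group(1)):
        found.append(decode_krb5(int(m.group(1))))
    m = re.search(r"nfsv4 err=(\d+)", line)
    if m:
        found.append(NFS4_ERR.get(int(m.group(1)), f"nfsv4 error {m.group(1)}"))
    return found

# Log lines copied from the post above.
SAMPLE = ["nfsv4 err=10016",
          "gssd_init_sec_context: done major=0xd0000 minor=2 uid=0",
          "gssd_acquire_cred: using keytab entry for host/bsdclient, kerberos ret=-1765328378"]
if __name__ == "__main__":
    for line in SAMPLE:
        print(explain(line), "<-", line)
```

For the values in the post, `0xd0000` has routine error 13 and `-1765328378` is offset 6 from the krb5 table base.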

