I'm trying to mount an NFS share from Fedora 16. The server is Mac OS X Server, set up by my coworker. I believe it requires Kerberos/LDAP authentication, so I would start the (probably arduous) process of getting that figured out, but there are some things I don't understand.

showmount -e SERVER gives the expected share and IP permissions, and has <krb5>.

# sudo mount -v SERVER:SHARE MNT
mount: no type was given - I'll assume nfs because of the colon
mount.nfs: timeout set for Wed Nov 28 15:10:32 2012
mount.nfs: trying text-based options 'vers=4,addr=XXX.XXX.XXX.XXX,clientaddr=XXX.XXX.XXX.XXX'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'addr=XXX.XXX.XXX.XXX'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying XXX.XXX.XXX.XXX prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying XXX.XXX.XXX.XXX prog 100005 vers 3 prot UDP port 676
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting SERVER:SHARE

This confuses me a little because if I was getting rejected because of Kerberos I would have expected it to be vers=4?

I've also seen posts that say that I need to have the same uid but that doesn't make too much sense.

Should I just go ahead and try to get some credentials into LDAP? If so is there a pointer for how to do this in the context of Mac/Linux? Or is there some other debugging I should do first?

  • I've never tried this because I don't have experience mounting an OSX NFS share from a Linux box, but you will need to add krb5 and ldap to your PAM stack in Fedora in order to authenticate to the OSX server. First install the pam_krb5 and pam_ldap packages. Then ask your coworker to add an account for you on the OSX server. Once you can log in via SSH with authentication via kerberos and/or LDAP, then try to mount the NFS export. – jayhendren Dec 23 '13 at 2:58
  • If you and your machine are not part of the Kerberos realm, it won't let you do anything at all. Your combo of user and host needs to be authenticated and given access to a specific set of server(s) and service(s). Then, as mentioned above, you need to modify the PAM stack and if credentials are drawn from LDAP you also need to integrate it with NSS. Red Hat uses the SSSD for most of it. If this is not a rather long-term relationship I would look for simpler ways of authentication. I would use some form of ssh. – paradoxon Aug 3 '16 at 8:58

First, check klist for a TGT, if not kinit;klist.

Try adding -o sec=krb5 to the mount command, i.e.:

sudo mount -o sec=krb5 -v SERVER:SHARE MNT

Check your /etc/krb5.conf to ensure everything is set up right for your environment.

Since there are messages related to ports it is attempting to connect to, you might try adding -o resvport.
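As an added example (not part of the original question or answer), the following shell helper summarises `mount -v` output like the log in the question: which NFS version attempts failed, whether any `sec=` option was sent, and whether the server denied access. The function names and finding labels are hypothetical, and the sample log is constructed from the question's output with addresses masked.

```shell
#!/bin/sh
# Added example: diagnose verbose mount.nfs output. Names are hypothetical.

# Constructed sample, taken from the log in the question (addresses masked).
sample_log() {
cat <<'EOF'
mount.nfs: trying text-based options 'vers=4,addr=XXX.XXX.XXX.XXX,clientaddr=XXX.XXX.XXX.XXX'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'addr=XXX.XXX.XXX.XXX'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying XXX.XXX.XXX.XXX prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying XXX.XXX.XXX.XXX prog 100005 vers 3 prot UDP port 676
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting SERVER:SHARE
EOF
}

# Reads `mount -v` output on stdin and prints one finding per line.
diagnose_mount_log() {
  awk '
    /trying text-based options/ {
      # The option string sits between the single quotes (\047).
      split($0, q, "\047"); opts = q[2]
      cur_v4 = (opts ~ /(^|,)vers=4/) ? 1 : 0
      if (opts ~ /(^|,)sec=/) sec_seen = 1
    }
    /Protocol not supported/ { if (cur_v4) v4_failed = 1 }
    /trying vers=3/          { v3 = 1 }
    /Permission denied|access denied by server/ { denied = 1 }
    END {
      if (v4_failed) print "nfs4-attempt-failed"
      if (v3)        print "fell-back-to-nfs3"
      if (!sec_seen) print "no-sec-option-sent"
      # No sec= was requested and the server refused: the case where the
      # suggestion to retry with -o sec=krb5 applies.
      if (denied && !sec_seen) print "hint-retry-with-sec=krb5"
      else if (denied)         print "denied-with-sec-set"
    }'
}

sample_log | diagnose_mount_log
```

To use it on a real attempt, pipe the command's combined output into the function, for example `sudo mount -v SERVER:SHARE MNT 2>&1 | diagnose_mount_log`.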
