Date:      Wed, 10 Oct 2018 17:15:31 +0200
From:      Felix Winterhalter <felix@audiofair.de>
To:        Rick Macklem <rmacklem@uoguelph.ca>, "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
Subject:   Re: NFSv4 Kerberos mount from Linux
Message-ID:  <c1ffda48-3809-bb4c-6d97-451765b0e25e@audiofair.de>
In-Reply-To: <YTOPR0101MB1820A5756D172342AF441C25DDEA0@YTOPR0101MB1820.CANPRD01.PROD.OUTLOOK.COM>
References:  <30f6446c-6fed-4b1e-9cae-9c417974ec46@audiofair.de> <YTOPR0101MB1820A5756D172342AF441C25DDEA0@YTOPR0101MB1820.CANPRD01.PROD.OUTLOOK.COM>

On 10/4/18 5:21 PM, Rick Macklem wrote:
> Felix Winterhalter wrote:
>> Hello everyone,
>>
>> I've been trying to get a kerberized nfsv4 mount to work from a Debian
>> Stretch client to a FreeBSD 11.2 server.
>>
>> My export file looks like:
>>
>> V4: / -sec=krb5p clients
>>
>> /testexport -maproot=root -sec=krb5p clients
>>
> Btw, if you are only mounting "/testexport", you can specify the "V4:" as
> V4: /testexport -sec=krb5p clients
> and then the mount on the client uses "/" as the server mountpoint, like
> # mount -t nfs -o nfsvers=4 <server>:/ /mnt
> (This avoids the server having to search for "testexport" in the "/" directory
>  during mounting and might avoid some problems when "/" isn't an exported
>  file system. There are "hooks" in the FreeBSD server to make the search work,
>  but I've never been 100% certain they will work for Kerberos and/or ZFS.)
>
> Btw, in case the Linux client is falling back on using AUTH_SYS at some point
> during the mount, you could try allowing both krb5 and auth_sys by setting
> "-sec=sys,krb5,krb5i,krb5p" for both of the above lines. (I'd also suggest you
> try krb5 or krb5i until you get it working, since any packet traces are
> easier to decode, although once one krb5 variant works, they all should.)
True, however, I had multiple exports below / set up as tests.

>
>> I am now trying to mount this directory as root first without having to
>> deal with user keytabs or tickets.
>>
>> This works fine with -sec=sys and nfsv4.1 and nfsv3 and -sec=krb5p.
>> This does not however work with nfsv4 and krb5p or any other krb5 flavor.
> Sorry, I'm not sure what you are saying here. Is it
> 1 - no version of NFS works for krb5p or
> 2 - NFSv4.1 works for krb5p, but NFSv4.0 does not or
> 3 - only nfsv3 works for krb5p
[snipped lots of text]

#3 is indeed what was happening. I could mount with krb5p for nfsv3
(which I was not aware was even doable) however nfsv4 would stubbornly
refuse to do any mounting.

I have now, after a lot of trial and error, figured out what I need to do in
order to make it work.

To start with I have kerberos credentials with both host/ and nfs/ on
both client and server. Mounting nfsv4 shares with krb5p from a linux
server has also worked in this context.

I leave you to judge whether what I found out is intended behaviour or
if something weird is going on.

My exports file originally looked something like this:

/nfsTests/ /nfsTests/testexport /nfsTests/otherexport -maproot=root
-sec=krb5p clients

V4: /nfsTests -sec=krb5p clients

Which allowed me to do nfsv3 krb5p mounts but not nfsv4 krb5p mounts.

Changing the exports file to this:

/nfsTests/ /nfsTests/testexport /nfsTests/otherexport -maproot=root
-sec=krb5p clients

V4: /nfsTests -sec=krb5p,krb5i clients

Allows nfsv4 krb5p mounts to work for some reason I do not understand.
Not setting the -sec option on the V4 line apparently defaults to
-sec=sys and doesn't allow any krb5 mounts. I'm not sure that this is a
good default as I wasn't even aware that the -sec option needed to be
set on this line.

I've got packet traces of the nfsv3 krb5 and krb5i mounts and I'll make
traces of the two nfsv4 mount attempts and send them to you if you're
interested. I'm still not sure what exactly is happening here.
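A small exports(5) lint for the trap described in this message (a "V4:" line without -sec falling back to sys, so Kerberos-only exports cannot be mounted over NFSv4), added here as an example; it is not code from this thread or from FreeBSD. The sample exports text is constructed, the parser accepts both "," and ":" as flavor separators, and it deliberately does not try to model the unexplained krb5p-only case.

```python
import re
import shlex

# Constructed sample exports files, modelled on the variants in the message above.
EXPORTS_OK = """\
/nfsTests/ /nfsTests/testexport /nfsTests/otherexport -maproot=root -sec=krb5p clients
V4: /nfsTests -sec=krb5p,krb5i clients
"""
EXPORTS_V4_NO_SEC = """\
/nfsTests/ /nfsTests/testexport -maproot=root -sec=krb5p clients
V4: /nfsTests clients   # no -sec here: the V4: root falls back to sys
"""

def parse_exports(text):
    """Parse exports(5)-style lines into (v4_root, exports).

    v4_root is (path, flavors, explicit_sec) or None; exports is a list of
    (paths, flavors). A line without -sec is treated as -sec=sys, the default
    the message observes for the V4: line."""
    v4_root, exports = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        is_v4 = tokens[0] == "V4:"
        if is_v4:
            tokens = tokens[1:]
        paths = [t for t in tokens if t.startswith("/")]
        flavors, explicit = {"sys"}, False
        for t in tokens:
            if t.startswith("-sec="):
                flavors, explicit = set(re.split("[:,]", t[len("-sec="):])), True
        if is_v4:
            v4_root = (paths[0] if paths else None, flavors, explicit)
        else:
            exports.append((paths, flavors))
    return v4_root, exports

def check_exports(text):
    """Return findings (strings) about NFSv4 flavor mismatches; empty means OK."""
    v4_root, exports = parse_exports(text)
    if v4_root is None:
        return ["no V4: line: the server will not serve NFSv4 at all"]
    _, v4_flavors, explicit = v4_root
    findings = []
    for paths, flavors in exports:
        if flavors & v4_flavors:
            continue   # at least one flavor is usable for both the root and the export
        why = ("V4: line has no -sec and defaults to sys" if not explicit
               else f"V4: line allows only {','.join(sorted(v4_flavors))}")
        findings.append(f"{' '.join(paths)} requires {','.join(sorted(flavors))} but "
                        f"{why}; NFSv4 mounts with Kerberos will fail")
    return findings
```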
