From: Felix Winterhalter
To: Rick Macklem, freebsd-fs@freebsd.org
Subject: Re: NFSv4 Kerberos mount from Linux
Date: Wed, 10 Oct 2018 17:15:31 +0200

On 10/4/18 5:21 PM, Rick Macklem wrote:
> Felix Winterhalter wrote:
>> Hello everyone,
>>
>> I've been trying to get a kerberized nfsv4 mount to work from a Debian
>> Stretch client to a FreeBSD 11.2 server.
>>
>> My export file looks like:
>>
>> V4: / -sec=krb5p clients
>>
>> /testexport -maproot=root -sec=krb5p clients
>>
> Btw, if you are only mounting "/testexport", you can specify the "V4:" as
> V4: /testexport -sec=krb5p clients
> and then the mount on the client uses "/" as the server mountpoint, like
> # mount -t nfs -o nfsvers=4 :/ /mnt
> (This avoids the server having to search for "testexport" in the "/" directory
> during mounting and might avoid some problems when "/" isn't an exported
> file system. There are "hooks" in the FreeBSD server to make the search work,
> but I've never been 100% certain they will work for Kerberos and/or ZFS.)
>
> Btw, in case the Linux client is falling back on using AUTH_SYS at some point
> during the mount, you could try allowing both krb5 and auth_sys by setting
> "-sec=sys,krb5,krb5i,krb5p" for both of the above lines. (I'd also suggest you
> try krb5 or krb5i until you get it working, since any packet traces are
> easier to decode, although once one krb5 variant works, they all should.)

True, however I had multiple exports below / set up as tests.

>
>> I am now trying to mount this directory as root first without having to
>> deal with user keytabs or tickets.
>>
>> This works fine with -sec=sys and nfsv4.1 and nfsv3 and -sec=krb5p.
>> This does not however work with nfsv4 and krb5p or any other krb5 flavor.
> Sorry, I'm not sure what you are saying here. Is it
> 1 - no version of NFS works for krb5p or
> 2 - NFSv4.1 works for krb5p, but NFSv4.0 does not or
> 3 - only nfsv3 works for krb5p
[snipped lots of text]

#3 is indeed what was happening. I could mount with krb5p for nfsv3 (which I was not aware was even doable); however, nfsv4 would stubbornly refuse to do any mounting.

I have now, after a lot of trial and error, figured out what I need to do in order to make it work.

To start with, I have kerberos credentials with both host/ and nfs/ on both client and server. Mounting nfsv4 shares with krb5p from a linux server has also worked in this context. I leave you to judge whether what I found out is intended behaviour or if something weird is going on.

My exports file originally looked something like this:

/nfsTests/ /nfsTests/testexport /nfsTests/otherexport -maproot=root -sec=krb5p clients
V4: /nfsTests -sec=krb5p clients

Which allowed me to do nfsv3 krb5p mounts but not nfsv4 krb5p mounts. Changing the exports file to this:

/nfsTests/ /nfsTests/testexport /nfsTests/otherexport -maproot=root -sec=krb5p clients
V4: /nfsTests -sec=krb5p,krb5i clients

Allows nfsv4 krb5p mounts to work, for some reason I do not understand. Not setting the -sec option on the V4 line apparently defaults to -sec=sys and doesn't allow any krb5 mounts. I'm not sure that this is a good default, as I wasn't even aware that the -sec option needed to be set on this line.

I've got packet traces of the nfsv3 krb5 and krb5i mounts and I'll make traces of the two nfsv4 mount attempts and send them to you if you're interested. I'm still not sure what exactly is happening here.
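The V4: line silently falling back to sys is easy to miss in a hand-edited exports file, so here is an added audit script (not from this thread and not part of FreeBSD's mountd) that parses a constructed exports(5) file in the format shown above and flags V4: lines that would accept AUTH_SYS, either because -sec is absent or because sys is listed. It assumes flavors are separated by ':' as exports(5) documents, and also accepts the ',' form written in the thread.

```python
"""Audit a FreeBSD exports(5) file for V4: lines that admit AUTH_SYS."""
import re

# Constructed sample mirroring the thread: the first V4: line has no -sec
# (which the thread reports defaults to sys), the second is krb5-only,
# the third explicitly lists sys next to the krb5 flavors.
SAMPLE_EXPORTS = """\
/nfsTests/ /nfsTests/testexport /nfsTests/otherexport -maproot=root -sec=krb5p clients
V4: /nfsTests clients
V4: /srv -sec=krb5p,krb5i clients
# a comment line is ignored
V4: / -sec=sys:krb5:krb5i:krb5p clients
"""


def parse_exports(text):
    """Split each non-comment line into directories, options, hosts, flavors.

    Directories start with '/', options with '-', everything else is a host
    spec. flavors is None when no -sec option is present on the line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        kind = "dir"
        if tokens[0] == "V4:":
            kind, tokens = "V4", tokens[1:]
        dirs, opts, hosts = [], [], []
        for tok in tokens:
            if tok.startswith("-"):
                opts.append(tok)
            elif tok.startswith("/") and not opts:
                dirs.append(tok)
            else:
                hosts.append(tok)
        flavors = None
        for opt in opts:
            if opt.startswith("-sec="):
                flavors = [f for f in re.split(r"[:,]", opt[5:]) if f]
        entries.append({"kind": kind, "dirs": dirs, "options": opts,
                        "hosts": hosts, "flavors": flavors})
    return entries


def audit_v4(entries):
    """Return (root, reason) for every V4: line that would accept sys."""
    findings = []
    for e in entries:
        if e["kind"] != "V4":
            continue
        root = " ".join(e["dirs"])
        if e["flavors"] is None:
            findings.append((root, "no -sec on V4: line; mountd defaults to sys"))
        elif "sys" in e["flavors"]:
            findings.append((root, "V4: line permits sys alongside krb5 flavors"))
    return findings
```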