Date: Sun, 02 Apr 2023 01:18:15 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 270592] nfsv4 /etc/exports with -sec=krb5p gives permission denied
Message-ID: <bug-270592-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270592

Bug ID: 270592
Summary: nfsv4 /etc/exports with -sec=krb5p gives permission denied
Product: Base System
Version: 13.1-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: conf
Assignee: bugs@FreeBSD.org
Reporter: me@svmhdvn.name

Testing environment:

* server: FreeBSD 13.1-RELEASE running KDC inside jail (MIT kerberos security/krb5 from ports) and base NFSv4 server in the jailhost (nfs.my.domain)
* client: Alpine Linux edge with MIT kerberos (client.local)

I have set up Kerberos host principals correctly in each of the server and client keytabs, and acquired a user principal ticket that corresponds to the same user on both the client and server.

TESTS:

**Test #1**:

/etc/exports in the server:

    V4: /nfshome -sec=krb5p
    /nfshome -sec=krb5p

When mounting in the client:

    # mount nfs.my.domain:/ /mnt
    mount.nfs: access denied by server while mounting nfs.my.domain:/
    mount: mounting nfs.my.domain:/ on /mnt failed: Permission denied

I can see in this test that on the server, gssd logs the correct principal->uid mapping and the request is clearly coming through.

**Test #2**

/etc/exports in the server:

    V4: /nfshome -sec=krb5p:krb5i
    /nfshome -sec=krb5p:krb5i

When mounting in the client:

    # mount nfs.my.domain:/ /mnt
    #

The mount completes successfully and I am able to read/write files to the NFS share. When I look at the mount information:

    $ mount
    [...]
    nfs.my.domain:/ on /mnt type nfs4 (rw,nosuid,nodev,noexec,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.0.11,local_lock=none,addr=192.168.0.201)

It indicates a successful mount of -sec=krb5p

**Test #3**

/etc/exports in the server:

    V4: /nfshome -sec=krb5i
    /nfshome -sec=krb5i

When mounting in the client:

    # mount nfs.my.domain:/ /mnt
    #

The mount completes successfully and I am able to read/write files to the NFS share. When I look at the mount information:

    $ mount
    [...]
    nfs.my.domain:/ on /mnt type nfs4 (rw,nosuid,nodev,noexec,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5i,clientaddr=192.168.0.11,local_lock=none,addr=192.168.0.201)

It indicates a successful mount of -sec=krb5i

CONCLUSION:

I expect that when the server exports are listed as in Test #1, I should successfully be able to mount as -sec=krb5p. Why am I getting "permission denied" in this case, but not in Test #2?