
#1 2016-12-06 14:22:13

lshappy
Member
Registered: 2016-12-06
Posts: 8

[SOLVED] Kerberos with NFS4

Hi,

I recently switched my clients from Debian to Arch, which is great. The only problem I am currently not able to solve myself is the use of NFSv4 with Kerberos.

There is a Debian Jessie server running the KDC and admin server for Kerberos and the NFS server. The Debian clients were able to connect to the NFSv4 shares without problems.

I have created princs for every user and client and added them to the server keytab. On each client I added the client princ to the local keytab.

Server /etc/exports

/exports *.local.xxx.yyy(sec=krb5,rw,fsid=0,secure,no_subtree_check,async,no_all_squash)

Server /etc/default/nfs-common

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

Server /etc/default/nfs-kernel-server

# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information, 
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --debug all"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv -rrr"

Server /etc/krb5.conf

[libdefaults]
	default_realm = LOCAL.XXX.YYY

# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
	LOCAL.XXX.YYY = {
		kdc = DOC.LOCAL.XXX.YYY
		admin_server = DOC.LOCAL.XXX.YYY
	}

[domain_realm]
	.local.xxx.yyy = LOCAL.XXX.YYY
	local.xxx.yyy = LOCAL.XXX.YYY

[login]
	krb4_convert = true
	krb4_get_tickets = false

[logging]
	kdc = FILE:/var/log/kerberos/krb5kdc.log
	admin_server = FILE:/var/log/kerberos/kadmin.log
	default = FILE:/var/log/kerberos/krb5lib.log

Client /etc/krb5.conf

[libdefaults]
	default_realm = LOCAL.XXX.YYY

[realms]
	LOCAL.XXX.YYY = {
		kdc = DOC.LOCAL.XXX.YYY
		admin_server = DOC.LOCAL.XXX.YYY
	}

[domain_realm]
	.local.xxx.yyy = LOCAL.XXX.YYY
	local.xxx.yyy = LOCAL.XXX.YYY

I installed pam-krb5 and enabled it via authconfig. Upon login a krbtgt is created:

klist

Ticket cache: FILE:/tmp/krb5cc_1000_1VwHna
Default principal: na@LOCAL.XXX.YYY

Valid starting       Expires              Service principal
06.12.2016 14:21:17  07.12.2016 00:21:17  krbtgt/LOCAL.XXX.YYY@LOCAL.XXX.YYY
	renew until 07.12.2016 14:21:17

I remember that on Debian klist also listed an entry for the server princ (which is somewhat expected; it's needed for Kerberos). On Arch the server princ is not listed in klist.

Client

mount -t nfs4 -o sec=krb5 doc:/ /mnt -v

mount.nfs4: timeout set for Tue Dec  6 15:15:31 2016
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=10.0.0.80,clientaddr=10.0.0.232'
mount.nfs4: mount(2): Protocol not supported
mount.nfs4: trying text-based options 'sec=krb5,vers=4.1,addr=10.0.0.80,clientaddr=10.0.0.232'
mount.nfs4: mount(2): Invalid argument
mount.nfs4: trying text-based options 'sec=krb5,vers=4.0,addr=10.0.0.80,clientaddr=10.0.0.232'
mount.nfs4: mount(2): Invalid argument
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.80'
mount.nfs4: prog 100003, trying vers=3, prot=6
mount.nfs4: trying 10.0.0.80 prog 100003 vers 3 prot TCP port 2049
mount.nfs4: prog 100005, trying vers=3, prot=17
mount.nfs4: trying 10.0.0.80 prog 100005 vers 3 prot UDP port 34909
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting doc:/

It seems to me that "mount.nfs4: mount(2): Invalid argument" may be the problem.

Can anybody please point me in the right direction to solve this problem?

Thank you!!

Last edited by lshappy (2016-12-14 09:41:21)

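The export line in the post uses sec=krb5, which is the weakest of the Kerberos flavours: with RPCSEC_GSS krb5 the caller is authenticated, but the file data is neither integrity-protected (krb5i) nor encrypted (krb5p), and because sec= is a colon-separated list from which the client picks, leaving krb5 next to krb5p still allows the weaker flavour. The following script is an added example (the editor's, not code from the thread) that parses an /etc/exports line like the post's, reports what its sec= value permits, and rewrites the line to require a stronger flavour; the export line is a constructed copy of the post's, with its placeholder host pattern, and the ranking of flavours is the script's own convention.

```shell
#!/bin/sh
# Added example, not from the thread: audit the sec= flavour of an /etc/exports
# line and rewrite it. EXPORT_LINE is a constructed copy of the post's export.

EXPORT_LINE='/exports *.local.xxx.yyy(sec=krb5,rw,fsid=0,secure,no_subtree_check,async,no_all_squash)'

# Option list inside the first "(...)" of an exports line, e.g. "sec=krb5,rw,...".
export_opts() {
    printf '%s\n' "$1" | sed -n 's/^[^(]*(\([^)]*\)).*$/\1/p'
}

# Value of sec= (colon-separated flavour list); "sys" when absent, which is
# what the server assumes when no sec= option is given.
export_sec() {
    s=$(export_opts "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    printf '%s\n' "${s:-sys}"
}

# Rank a single flavour, weakest to strongest. Anything unknown (sys, none)
# ranks 0; this ranking is the script's convention.
flavour_rank() {
    case "$1" in
        krb5p) echo 3 ;;
        krb5i) echo 2 ;;
        krb5)  echo 1 ;;
        *)     echo 0 ;;
    esac
}

# Lowest rank in a "a:b:c" flavour list: the client may choose any listed
# flavour, so the weakest one is what the export actually guarantees.
weakest_rank() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r f; do
        flavour_rank "$f"
    done | sort -n | head -n 1
}

# One finding per line; empty output means nothing to report.
audit_export() {
    r=$(weakest_rank "$(export_sec "$1")")
    if [ "$r" -lt 1 ]; then
        echo "sec permits AUTH_SYS: clients are not authenticated; uid/gid are taken on trust"
    fi
    if [ "$r" -lt 2 ]; then
        echo "sec permits a flavour without integrity protection: payloads can be altered in transit (use krb5i)"
    fi
    if [ "$r" -lt 3 ]; then
        echo "sec permits a flavour without privacy: file data crosses the network in the clear (use krb5p)"
    fi
    if export_opts "$1" | tr ',' '\n' | grep -qx no_root_squash; then
        echo "no_root_squash: client root is mapped to server root"
    fi
}

# Same line with sec= set to $2 (e.g. "krb5p" or "krb5p:krb5i"); a line with
# no sec= option gets one inserted as the first option.
with_sec() {
    if printf '%s\n' "$1" | grep -q 'sec='; then
        printf '%s\n' "$1" | sed "s/sec=[A-Za-z0-9:]*/sec=$2/"
    else
        printf '%s\n' "$1" | sed "s/(/(sec=$2,/"
    fi
}

# Demonstration on the constructed export line.
echo "export : $EXPORT_LINE"
echo "sec    : $(export_sec "$EXPORT_LINE")"
audit_export "$EXPORT_LINE" | sed 's/^/finding: /'
echo "hardened: $(with_sec "$EXPORT_LINE" krb5p)"
```

After changing the export to sec=krb5p and re-running exportfs, the client has to ask for the same flavour (mount -o sec=krb5p); a client that keeps sec=krb5 will be refused, which is the intended effect.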

#2 2016-12-06 20:02:20

lshappy
Member
Registered: 2016-12-06
Posts: 8

Re: [SOLVED] Kerberos with NFS4

For everyone with the same problem:

According to https://bugs.archlinux.org/task/50663 it's a bug.

If I start rpc.gssd manually, mounts are successful and autofs also works.

Currently testing a workaround...


#3 2016-12-06 20:33:13

JohnBobSmith
Member
From: Canada
Registered: 2014-11-29
Posts: 804

Re: [SOLVED] Kerberos with NFS4

Do post your findings (failed tests too!) here, or in the wiki, as these types of things will greatly benefit the community.

Unfortunately this sort of stuff is not my cup of tea. But good luck anyways!


I am diagnosed with bipolar disorder. As it turns out, what I thought was my greatest weakness is now my greatest strength.

Every day, I make a conscious choice to overcome my challenges and my problems. It's not easy, but it's better than the alternative...


#4 2016-12-07 10:28:01

lshappy
Member
Registered: 2016-12-06
Posts: 8

Re: [SOLVED] Kerberos with NFS4

Solved:

1. Bug in service definition

systemctl cat rpc-gssd

The line

ExecStart=/usr/sbin/rpc.gssd $GSSDARGS

is wrong. This should be

ExecStart=/usr/sbin/rpc.gssd $RPCGSSDARGS

That's not really important for the solution, but if you ever wonder why your options in /etc/sysconfig/nfs are not used, this is the reason! (I tried to add the required -f flag to /etc/sysconfig/nfs, but that's not enough.)

2. Bug in glibc, see
https://bugzilla.redhat.com/show_bug.cgi?id=1189856
https://bugzilla.redhat.com/show_bug.cgi?id=1264556

And a workaround described in https://bugs.archlinux.org/task/50663:

systemctl edit rpc-gssd

Add this to run rpc.gssd with the -f flag, which is a workaround for the glibc bug.

[Unit]
# add this too! otherwise startup will fail!
Requires=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=
ExecStart=/usr/sbin/rpc.gssd -f

With this workaround you can

systemctl start nfs-utils
systemctl start rpc-gssd

Now mounts are possible.

3. The needed services nfs-utils and rpc-gssd are not started at boot.

[obsolete: simply enable and start nfs-client.target!!]

systemctl enable nfs-utils or rpc-gssd is not possible (on my machine) because there are no [Install] options in the service definitions. Add them manually:

For nfs-utils

systemctl edit --full nfs-utils

Add

[Install]
WantedBy=multi-user.target

For rpc-gssd

systemctl edit --full rpc-gssd

Add

[Install]
WantedBy=multi-user.target

Then reboot. Now mounting works for me.

(I never edited a wiki before. Maybe someone else can add something to the wiki? The wiki says, i.e., that you have to enable rpc-gssd, but this fails and there's no info why ...)


Edit:
- Someone added this info to the wiki, thank you!
- As mentioned in the wiki, you do not need step 3, just enable and start nfs-client.target!!

Last edited by lshappy (2016-12-14 09:48:09)

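The diagnosis in the post above comes down to two things a practitioner can check mechanically before touching a unit: whether the variable ExecStart= expands is one that the EnvironmentFile actually sets (here $GSSDARGS versus RPCGSSDARGS, which is why options in /etc/sysconfig/nfs were silently ignored), and whether the unit has an [Install] section at all (without one, systemctl enable has nothing to act on, and enabling nfs-client.target is the right move). The script below is an added example (the editor's, not code from the thread or from nfs-utils) that runs both checks on constructed stand-ins for rpc-gssd.service and /etc/sysconfig/nfs and then prints the drop-in from the post. The unit text is modelled on what the post quotes; its Type= and EnvironmentFile= lines are assumptions. On a real host, feed it the output of `systemctl cat rpc-gssd` and the contents of /etc/sysconfig/nfs instead.

```shell
#!/bin/sh
# Added example, not from the thread: check a systemd unit for an ExecStart=
# variable the EnvironmentFile never sets, and for a missing [Install] section,
# then print the rpc-gssd drop-in used as a workaround in the thread.

# Constructed stand-in for the shipped rpc-gssd.service. Only the ExecStart=
# line is taken from the post; Type= and EnvironmentFile= are assumptions.
UNIT_RPC_GSSD='[Unit]
Description=RPC security service for NFS client and server
Requires=var-lib-nfs-rpc_pipefs.mount
After=var-lib-nfs-rpc_pipefs.mount

[Service]
EnvironmentFile=-/etc/sysconfig/nfs
Type=forking
ExecStart=/usr/sbin/rpc.gssd $GSSDARGS'

# Constructed stand-in for /etc/sysconfig/nfs after the admin added the -f flag.
SYSCONFIG_NFS='# options the admin added, expecting rpc.gssd to pick them up
RPCGSSDARGS="-f"'

# Names of the $VARIABLES expanded on ExecStart= lines, one per line, sorted.
exec_vars() {
    printf '%s\n' "$1" | grep '^ExecStart=' \
        | grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' | tr -d '${}' | sort -u
}

# Names assigned in an EnvironmentFile (NAME=... at line start), one per line, sorted.
env_vars() {
    printf '%s\n' "$1" | grep -oE '^[A-Za-z_][A-Za-z0-9_]*=' | tr -d '=' | sort -u
}

# Variables ExecStart= expands that the environment file never sets. Any output
# means the daemon starts without the options the admin configured.
undefined_exec_vars() {
    defined=$(env_vars "$2")
    exec_vars "$1" | while IFS= read -r v; do
        printf '%s\n' "$defined" | grep -qx "$v" || printf '%s\n' "$v"
    done
}

# 0 if the unit carries an [Install] section, i.e. `systemctl enable` can act on it.
has_install_section() {
    printf '%s\n' "$1" | grep -qx '\[Install\]'
}

# The drop-in from the post: clear the inherited ExecStart=, run rpc.gssd in
# the foreground (-f) as a simple service, and wait for the network.
render_override() {
cat <<'EOF'
[Unit]
Requires=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=
ExecStart=/usr/sbin/rpc.gssd -f
EOF
}

# Demonstration on the constructed inputs.
for v in $(undefined_exec_vars "$UNIT_RPC_GSSD" "$SYSCONFIG_NFS"); do
    echo "ExecStart expands \$$v but the environment file never sets it: daemon options are ignored"
done
if has_install_section "$UNIT_RPC_GSSD"; then
    echo "unit has an [Install] section"
else
    echo "no [Install] section: enable nfs-client.target instead of this unit"
fi
echo "drop-in for 'systemctl edit rpc-gssd':"
render_override
```

The empty `ExecStart=` in the drop-in is what makes the override work: a drop-in appends to list-valued settings, so without the clearing line systemd would try to run both the original and the new command.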

#5 2016-12-07 15:34:40

JohnBobSmith
Member
From: Canada
Registered: 2014-11-29
Posts: 804

Re: [SOLVED] Kerberos with NFS4

Great find/fix! Don't worry about the wiki. If you edit your first post and add [SOLVED] to the title since you have your solution, anyone else who searches for this issue will likely see this thread and be able to solve their issue.


