I have 2 computers, both running Arch, and I tried following the config guides on the wiki and articles from this forum to get NFS to work with Kerberos. Using NFS in insecure mode works great, and getting the Kerberos ticket works too. I only use Kerberos for NFS.
server
user: foo, guid 1000
ntpd turned on, same time as client
cat /etc/krb5.conf
[libdefaults]
default_realm = SRV.LOCAL
[realms]
SRV.LOCAL = {
admin_server = 10.0.0.12
kdc = 10.0.0.12
default_principal_flags = +preauth
}
[domain_realm]
srv.local = SRV.LOCAL
.srv.local = SRV.LOCAL
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
cat /etc/exports
/srv/nfs4/ 10.0.0.0/24(rw,nohide,no_subtree_check,async,all_squash,sec=krb5)
/srv/nfs4/bar 10.0.0.0/24(rw,nohide,no_subtree_check,async,all_squash,sec=krb5)
/srv/nfs4/bar/public 10.0.0.0/24(rw,nohide,no_subtree_check,async,all_squash,anonuid=1000,anongid=1000,insecure)
principal "foo" in kadmin:
Principal: foo@SRV.LOCAL
Expiration date: [never]
Last password change: tis maj 02 22:55:15 CEST 2023
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: tis maj 02 22:55:15 CEST 2023 (root/admin@SRV.LOCAL)
Last successful authentication: ons okt 18 19:33:36 CEST 2023
Last failed authentication: tis maj 02 22:56:33 CEST 2023
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
client
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: foo@SRV.LOCAL
Valid starting Expires Service principal
2023-10-18 20:37:23 2023-10-19 20:37:15 krbtgt/SRV.LOCAL@SRV.LOCAL
mount SRV.LOCAL:/srv/nfs4/bar /bar -vvv
mount.nfs: timeout set for Wed Oct 18 20:24:07 2023
mount.nfs: trying text-based options 'vers=4.2,addr=10.0.0.12,clientaddr=10.0.0.130'
mount.nfs: mount(2): Operation not permitted
mount.nfs: trying text-based options 'addr=10.0.0.12'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.0.0.12 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.0.0.12 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Invalid argument
mount.nfs: Operation not permitted for SRV.LOCAL:/srv/nfs4/bar on /bar
username: foo
ntpd turned on, same time as server
can successfully ping SRV.LOCAL (/etc/hosts entry added)
Trying a different nfs command gives a syntax error:
mount -t nfs -o sec=krb5 SRV.LOCAL:/srv/nfs4/bar /bar -vvv
mount.nfs: timeout set for Wed Oct 18 20:33:45 2023
mount.nfs: trying text-based options 'sec=krb5,vers=4.2,addr=10.0.0.12,clientaddr=10.0.0.130'
mount.nfs: mount(2): Invalid argument
mount.nfs: trying text-based options 'sec=krb5,vers=4,minorversion=1,addr=10.0.0.12,clientaddr=10.0.0.130'
mount.nfs: mount(2): Invalid argument
mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=10.0.0.12,clientaddr=10.0.0.130'
mount.nfs: mount(2): Invalid argument
mount.nfs: trying text-based options 'sec=krb5,addr=10.0.0.12'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.0.0.12 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.0.0.12 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Invalid argument
mount.nfs: an incorrect mount option was specified for /bar
server logs
okt 18 20:23:31 srv kernel: RPC: Want update, refage=120, age=112
okt 18 20:23:31 srv kernel: nfsd: READ(3) 36: 01 00 07 01 01 00 5c 0a 00 00 00 00 9c cd 80 4f f7 5b 4d e8 b9 a6 df 5a 06 85 4a 55 2f 0e 46 06 29 e0 64 b6 131072 bytes at 71155712
okt 18 20:23:33 srv kernel: RPC: Want update, refage=120, age=114
okt 18 20:23:33 srv kernel: nfsd: READ(3) 36: 01 00 07 01 01 00 5c 0a 00 00 00 00 9c cd 80 4f f7 5b 4d e8 b9 a6 df 5a 06 85 4a 55 2f 0e 46 06 29 e0 64 b6 131072 bytes at 71286784
okt 18 20:23:34 srv kernel: RPC: Want update, refage=120, age=115
okt 18 20:23:34 srv kernel: nfsd: READ(3) 36: 01 00 07 01 01 00 5c 0a 00 00 00 00 9c cd 80 4f f7 5b 4d e8 b9 a6 df 5a 06 85 4a 55 2f 0e 46 06 29 e0 64 b6 131072 bytes at 71417856
okt 18 20:23:35 srv kernel: RPC: Want update, refage=120, age=116
okt 18 20:23:35 srv kernel: nfsd: READ(3) 36: 01 00 07 01 01 00 5c 0a 00 00 00 00 9c cd 80 4f f7 5b 4d e8 b9 a6 df 5a 06 85 4a 55 2f 0e 46 06 29 e0 64 b6 131072 bytes at 71548928
okt 18 20:23:35 srv kernel: RPC: Want update, refage=120, age=88
okt 18 20:23:35 srv kernel: nfsd4_exchange_id rqstp=00000000f6fef072 exid=00000000bffb86af clname.len=21 clname.data=00000000bf5233f1 ip_addr=10.0.0.130 flags 101, spa_how 0
okt 18 20:23:35 srv kernel: nfsd4_exchange_id seqid 0 flags 20001
okt 18 20:23:35 srv kernel: RPC: Want update, refage=120, age=88
okt 18 20:23:35 srv kernel: nfsd4_exchange_id rqstp=00000000f6fef072 exid=00000000bffb86af clname.len=21 clname.data=00000000bf5233f1 ip_addr=10.0.0.130 flags 101, spa_how 0
okt 18 20:23:35 srv kernel: nfsd4_exchange_id seqid 0 flags 20001
okt 18 20:23:35 srv kernel: RPC: Want update, refage=120, age=88
okt 18 20:23:35 srv kernel: check_slot_seqid enter. seqid 1 slot_seqid 0
okt 18 20:23:35 srv kernel: RPC: set up xprt to 10.0.0.130 (port 0) via tcp
okt 18 20:23:35 srv kernel: RPC: Want update, refage=120, age=88
okt 18 20:23:35 srv kernel: __find_in_sessionid_hashtbl: 1697649470:291622378:223:0
okt 18 20:23:35 srv kernel: nfsd4_sequence: slotid 0
okt 18 20:23:35 srv kernel: check_slot_seqid enter. seqid 1 slot_seqid 0
okt 18 20:23:35 srv kernel: alloc_cld_upcall: allocated xid 265
okt 18 20:23:35 srv nfsv4.exportd[1857361]: v4.2 client attached: 0x1161cdea6530133e from "10.0.0.130:728"
okt 18 20:23:35 srv rpc.mountd[2156088]: v4.2 client attached: 0x1161cdea6530133e from "10.0.0.130:728"
okt 18 20:23:35 srv kernel: --> nfsd4_store_cache_entry slot 00000000ed2e4380
okt 18 20:23:35 srv kernel: RPC: Want update, refage=120, age=88
okt 18 20:23:35 srv kernel: __find_in_sessionid_hashtbl: 1697649470:291622378:223:0
okt 18 20:23:35 srv kernel: nfsd4_sequence: slotid 0
okt 18 20:23:35 srv kernel: check_slot_seqid enter. seqid 2 slot_seqid 1
okt 18 20:23:35 srv kernel: nfsd: fh_compose(exp 08:01/2 /, ino=2)
... snip ...
okt 18 20:23:35 srv kernel: nfsd4_sequence: slotid 0
okt 18 20:23:35 srv kernel: check_slot_seqid enter. seqid 18 slot_seqid 17
okt 18 20:23:35 srv kernel: --> nfsd4_store_cache_entry slot 00000000ed2e4380
okt 18 20:23:35 srv kernel: RPC: Want update, refage=120, age=88
okt 18 20:23:35 srv kernel: __find_in_sessionid_hashtbl: 1697649470:291622378:223:0
okt 18 20:23:35 srv kernel: nfsd4_sequence: slotid 0
okt 18 20:23:35 srv kernel: check_slot_seqid enter. seqid 19 slot_seqid 18
okt 18 20:23:35 srv kernel: --> nfsd4_store_cache_entry slot 00000000ed2e4380
okt 18 20:23:35 srv kernel: RPC: Want update, refage=120, age=88
okt 18 20:23:35 srv kernel: __find_in_sessionid_hashtbl: 1697649470:291622378:223:0
okt 18 20:23:35 srv kernel: nfsd4_sequence: slotid 0
okt 18 20:23:35 srv kernel: check_slot_seqid enter. seqid 20 slot_seqid 19
okt 18 20:23:35 srv kernel: nfsd: nfsd_lookup(fh 28: 01 00 07 00 01 00 44 00 00 00 00 00 0c 21 a5 be c5 39 5c 60 81 ba 26 13 90 41 c6 d8, nfs4)
okt 18 20:23:35 srv kernel: --> nfsd4_store_cache_entry slot 00000000ed2e4380
okt 18 20:23:35 srv kernel: RPC: Want update, refage=120, age=88
okt 18 20:23:35 srv kernel: __find_in_sessionid_hashtbl: 1697649470:291622378:223:0
okt 18 20:23:35 srv kernel: nfsd4_sequence: slotid 0
okt 18 20:23:35 srv kernel: check_slot_seqid enter. seqid 21 slot_seqid 20
okt 18 20:23:35 srv kernel: nfsd: nfsd_lookup(fh 28: 01 00 07 00 01 00 44 00 00 00 00 00 0c 21 a5 be c5 39 5c 60 81 ba 26 13 90 41 c6 d8, nfs4)
okt 18 20:23:35 srv kernel: --> nfsd4_store_cache_entry slot 00000000ed2e4380
okt 18 20:23:35 srv kernel: RPC: Want update, refage=120, age=88
okt 18 20:23:35 srv kernel: nfsd4_destroy_session: 1697649470:291622378:223:0
okt 18 20:23:35 srv kernel: __find_in_sessionid_hashtbl: 1697649470:291622378:223:0
okt 18 20:23:35 srv kernel: RPC: Want update, refage=120, age=88
okt 18 20:23:35 srv kernel: alloc_cld_upcall: allocated xid 266
okt 18 20:23:35 srv rpc.mountd[2156088]: v4.2 client detached: 0x1161cdea6530133e from "10.0.0.130:728"
okt 18 20:23:35 srv nfsv4.exportd[1857361]: v4.2 client detached: 0x1161cdea6530133e from "10.0.0.130:728"
okt 18 20:23:35 srv kernel: RPC: bc_destroy xprt 0000000033138234
okt 18 20:23:35 srv rpc.mountd[2156088]: authenticated mount request from 10.0.0.130:839 for /srv/nfs4/bar (/srv/nfs4/bar)
alternative config
/etc/exports (changed to krb5i in the end!)
/srv/nfs4/ 10.0.0.0/24(rw,nohide,no_subtree_check,async,all_squash,sec=krb5i)
/srv/nfs4/bar 10.0.0.0/24(rw,nohide,no_subtree_check,async,all_squash,sec=krb5i)
mount -t nfs -o sec=krb5 SRV.LOCAL:/srv/nfs4/bar /bar -vvv
mount.nfs: timeout set for Wed Oct 18 20:31:20 2023
mount.nfs: trying text-based options 'sec=krb5,vers=4.2,addr=10.0.0.12,clientaddr=10.0.0.130'
mount.nfs: mount(2): Invalid argument
mount.nfs: trying text-based options 'sec=krb5,vers=4,minorversion=1,addr=10.0.0.12,clientaddr=10.0.0.130'
mount.nfs: mount(2): Invalid argument
mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=10.0.0.12,clientaddr=10.0.0.130'
mount.nfs: mount(2): Invalid argument
mount.nfs: trying text-based options 'sec=krb5,addr=10.0.0.12'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.0.0.12 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.0.0.12 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting SRV.LOCAL:/srv/nfs4/bar
logs give:
okt 18 20:30:52 srv rpc.mountd[2156088]: v4.0 client detached: 0x1161cdf16530133e from "10.0.0.130:919"
okt 18 20:30:52 ior nfsv4.exportd[1857361]: v4.0 client detached: 0x1161cdf16530133e from "10.0.0.130:919"
Are you using keytabs for authentication?
At first glance, you're mixing NFSv3 and NFSv4.
You're missing something like
/srv/nfs4 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash)
from your /etc/exports and then mount with
mount -v SRV.LOCAL:/bar
Last edited by just4arch (2023-11-01 15:14:03)
Are you using keytabs for authentication?
Yes,
I ran the following on the client machine:
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
klist: Key table file '/etc/krb5.keytab' not found while starting keytab scan
but on the server:
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 nfs/SRV.LOCAL@SRV.LOCAL
2 nfs/SRV.LOCAL@SRV.LOCAL
Last edited by dratos97391 (2023-11-12 19:05:04)
At first glance, you're mixing NFSv3 and NFSv4.
You're missing something like
/srv/nfs4 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash)
from your /etc/exports and then mount with
mount -v SRV.LOCAL:/bar
I changed the exports to:
/srv/nfs4/ 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash,sec=krb5)
/srv/nfs4/bar 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash,sec=krb5)
and it says:
$ sudo mount SRV.LOCAL:/srv/nfs4/bar /bar -vvv
mount.nfs: timeout set for Sun Nov 12 20:11:46 2023
mount.nfs: trying text-based options 'vers=4.2,addr=10.0.0.12,clientaddr=10.0.0.130'
mount.nfs: mount(2): Operation not permitted
mount.nfs: trying text-based options 'addr=10.0.0.12'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.0.0.12 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.0.0.12 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Invalid argument
mount.nfs: Operation not permitted for SRV.LOCAL:/srv/nfs4/bar on /bar
I changed the exports to:
/srv/nfs4/ 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash,sec=krb5)
/srv/nfs4/bar 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash,sec=krb5)
This was an example... (you probably won't need crossmnt for your usecase)
You want fsid= *only* on your nfs root.
fsid=num|root|uuid
...
For NFSv4, there is a distinguished filesystem which is the root of all exported filesystem. This is specified with fsid=root or fsid=0 both of which mean exactly the same thing.
...
Get NFSv4 working properly without kerberos first.
Sanity check
exportfs -vr
I changed the exports to:
/srv/nfs4/ 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash,sec=krb5)
/srv/nfs4/bar 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash,sec=krb5)
This was an example... (you probably won't need crossmnt for your usecase)
You want fsid= *only* on your nfs root.
man exports wrote:
fsid=num|root|uuid
...
For NFSv4, there is a distinguished filesystem which is the root of all exported filesystem. This is specified with fsid=root or fsid=0 both of which mean exactly the same thing.
...
Get NFSv4 working properly without kerberos first.
Sanity check
exportfs -vr
I just tried it with:
/srv/nfs4/ 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash)
/srv/nfs4/bar 10.0.0.0/24(ro,sync,subtree_check,crossmnt,all_squash)
and it worked, mounting fine using v4:
mount.nfs: trying text-based options 'vers=4.2,addr=10.0.0.12,clientaddr=10.0.0.130'
but the following, after exportfs -vr, does not work; I get the same 'Operation not permitted' as before.
/srv/nfs4/ 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash,sec=krb5)
/srv/nfs4/bar 10.0.0.0/24(ro,sync,subtree_check,crossmnt,all_squash,sec=krb5)
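The thread turns on three things that can be checked offline before touching a server: the NFSv4 pseudo-root (fsid=root on exactly one export), whether the sec= flavor the client asks for is in the export's sec= list (a server that only accepts krb5i answers a sec=krb5 mount with NFS4ERR_WRONGSEC, which mount.nfs reports as "access denied by server"), and whether the client keytab has a machine principal that rpc.gssd can use (rpc.gssd(8) looks for nfs/, root/ or host/<hostname> in /etc/krb5.keytab by default). The script below is an added example and not code from the thread; the /etc/exports variants and klist -k output are constructed from the posts above, and the hostnames and file names in it are assumptions for illustration. It only parses text, so it runs without an NFS server or KDC.

```python
"""Offline checks for the NFSv4 + Kerberos pitfalls in this thread (added example).

Relies on exports(5): sec= is a colon-separated list, the default is sec=sys,
fsid=root/fsid=0 marks the single NFSv4 pseudo-root, 'insecure' lifts the
privileged-source-port check; and on rpc.gssd(8): client machine credentials
come from nfs/, root/ or host/<hostname> in the keytab.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input, reconstructed from the thread (not live data).
EXPORTS_ORIGINAL = """\
/srv/nfs4/ 10.0.0.0/24(rw,nohide,no_subtree_check,async,all_squash,sec=krb5)
/srv/nfs4/bar 10.0.0.0/24(rw,nohide,no_subtree_check,async,all_squash,sec=krb5)
/srv/nfs4/bar/public 10.0.0.0/24(rw,nohide,no_subtree_check,async,all_squash,anonuid=1000,anongid=1000,insecure)
"""
EXPORTS_KRB5I = """\
/srv/nfs4/ 10.0.0.0/24(ro,sync,fsid=root,subtree_check,all_squash,sec=krb5i)
/srv/nfs4/bar 10.0.0.0/24(ro,sync,subtree_check,all_squash,sec=krb5i)
"""
EXPORTS_TWO_ROOTS = """\
/srv/nfs4/ 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash,sec=krb5)
/srv/nfs4/bar 10.0.0.0/24(ro,sync,fsid=root,subtree_check,crossmnt,all_squash,sec=krb5)
"""
KLIST_K_SERVER = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/SRV.LOCAL@SRV.LOCAL
   2 nfs/SRV.LOCAL@SRV.LOCAL
"""
KLIST_K_CLIENT = """\
Keytab name: FILE:/etc/krb5.keytab
klist: Key table file '/etc/krb5.keytab' not found while starting keytab scan
"""

KNOWN_FLAVORS = ("sys", "none", "krb5", "krb5i", "krb5p")


@dataclass
class Export:
    path: str
    client: str
    options: list[str] = field(default_factory=list)

    def opt(self, name):
        """Value of a name=value option, or None if absent."""
        for o in self.options:
            if o.startswith(name + "="):
                return o.split("=", 1)[1]
        return None

    def flavors(self):
        """Accepted sec= flavors; exports(5) defaults to sys when sec= is absent."""
        return (self.opt("sec") or "sys").split(":")


def parse_exports(text):
    """Parse /etc/exports text into one Export per (path, client) pair."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            opts = [o for o in (m.group(2) or "").split(",") if o]
            exports.append(Export(path, m.group(1) or "*", opts))
    return exports


def lint_exports(text):
    """Findings about the NFSv4 pseudo-root and authentication flavors."""
    exports = parse_exports(text)
    findings = []
    roots = [e for e in exports if e.opt("fsid") in ("root", "0")]
    if len(roots) != 1:
        findings.append(f"fsid=root (or fsid=0) must be on exactly one export, found {len(roots)}")
    for e in exports:
        where = f"{e.path} {e.client}"
        if e.opt("sec") is None:
            findings.append(f"{where}: no sec=, defaults to sec=sys (uids asserted by the client, no Kerberos)")
        if "insecure" in e.options:
            findings.append(f"{where}: 'insecure' accepts requests from unprivileged source ports")
        if any(f not in KNOWN_FLAVORS for f in e.flavors()):
            findings.append(f"{where}: unknown sec= flavor in {e.opt('sec')}")
    return findings


def _client_matches(spec, ip):
    if spec in ("*", ""):
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:  # hostname or netgroup: only exact text match is possible offline
        return spec == ip


def mount_allowed(exports_text, path, client_ip, sec="sys"):
    """Model 'mount -t nfs -o sec=<sec> server:<path>' from client_ip; returns (ok, reason).
    sec defaults to sys because that is what an unqualified mount asks for first."""
    norm = path.rstrip("/") or "/"
    hits = [e for e in parse_exports(exports_text)
            if _client_matches(e.client, client_ip)
            and (norm == e.path.rstrip("/") or norm.startswith(e.path.rstrip("/") + "/"))]
    if not hits:
        return False, f"no export of {path} for {client_ip}"
    export = max(hits, key=lambda e: len(e.path))  # most specific export wins
    if sec not in export.flavors():
        return False, f"{export.path} accepts sec={':'.join(export.flavors())}, client asked for sec={sec} (NFS4ERR_WRONGSEC)"
    return True, f"{export.path} accepts sec={sec}"


def gssd_machine_principal(klist_k_output, hostname):
    """Principal rpc.gssd could use as the client's machine credential, or None.
    Kerberos principal names are case-sensitive, so nfs/SRV.LOCAL does not
    satisfy a lookup for nfs/srv.local; the comparison is deliberately exact."""
    for line in klist_k_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)", line)
        if not m:
            continue
        service, _, rest = m.group(1).partition("/")
        if service in ("nfs", "root", "host") and rest.split("@", 1)[0] == hostname:
            return m.group(1)
    return None


if __name__ == "__main__":
    for f in lint_exports(EXPORTS_ORIGINAL) + lint_exports(EXPORTS_TWO_ROOTS):
        print("exports:", f)
    print(mount_allowed(EXPORTS_KRB5I, "/srv/nfs4/bar", "10.0.0.130", "krb5"))
    print("client machine principal:", gssd_machine_principal(KLIST_K_CLIENT, "client.srv.local"))
```

Run as-is it reports the two-root exports file, the sec=sys default on the public share, and the krb5 vs krb5i mismatch; feed it your own /etc/exports text and the output of klist -k from the client (the hostname argument should be the exact name the client's principal would carry).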