From: Elias Mårtenson <lokedhs@gmail.com>
To: freebsd-current@freebsd.org
Date: Tue, 12 Feb 2013 17:49:32 +0800
Subject: Possible bug in NFSv4 with krb5p security?

First of all, I used the "bug" word in the subject, and I'm not doing that lightly.
I fully understand that the initial reaction to such a claim is "he did something wrong", and frankly, that's what I'm hoping.

I've spent the last two weeks trying to get an NFS share working with krb5p security from a FreeBSD server to OSX and Ubuntu clients. I've followed all the documentation, read everything Google could find for me, asked on the IRC channel and even asked on Stackexchange, all to no avail. In all my reading, something struck me as odd: nowhere did I find any indication that anyone has actually set this up on 9.1-CURRENT. After receiving zero replies on Stackexchange I started to think that perhaps this is actually a bug.

Now, after all this talk, please let me explain what I've done. Most of this text is taken verbatim from my Stackexchange question here:

http://serverfault.com/questions/477118/permissions-are-not-taking-effect-with-kerberised-nfsv4-on-freebsd

Problem summary
===============

My goal is to achieve the following:

- Files served from the FreeBSD system
- The only security model should be krb5p
- Clients are Linux (Ubuntu) and OSX

The problem that I'm facing is that even though the Kerberos authentication works, all accesses are performed using the user "nobody". I can see the permissions when I do "ls -l". Even the user mapping works correctly, but unless "nobody" has permission to do anything with the files, I get a permission denied.

Here's an example interaction from the client (Ubuntu in this case, but the same thing happens from OSX). In this example, /export/shared/testshare is the shared directory from the FreeBSD server. (I have changed the actual domain name to `domain` and the Kerberos realm name to `REALM`.)

    $ kinit
    Password for elias@REALM:
    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1000_GBjtDP
    Default principal: elias@REALM

    Valid starting       Expires              Service principal
    09/02/2013 09:40:47  10/02/2013 09:40:44  krbtgt/REALM@REALM
    $ sudo mount -t nfs4 -osec=krb5p,vers=4 lion:/export/shared/testshare /mnt
    $ ls -l /mnt
    total 4
    -rw-r--r-- 1 nobody nogroup 5 Feb  7 18:17 bar.txt
    -rw------- 1 elias  nogroup 4 Feb  5 23:09 foo.txt
    $ cat /mnt/bar.txt
    blah
    $ echo foo >>/mnt/bar.txt
    bash: /mnt/bar.txt: Permission denied
    $ cat /mnt/foo.txt
    cat: /mnt/foo.txt: Permission denied
    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1000_GBjtDP
    Default principal: elias@REALM

    Valid starting       Expires              Service principal
    09/02/2013 09:40:47  10/02/2013 09:40:44  krbtgt/REALM@REALM
    09/02/2013 09:41:56  10/02/2013 09:40:44  nfs/lion.domain@REALM

Server configuration
====================

I have had quite some problems in finding a comprehensive guide to setting up NFSv4 on FreeBSD. This is somewhat surprising in itself, as I have found the information on how to do things in FreeBSD to be very good.

Here are the relevant lines in /etc/rc.conf:

    rpcbind_enable="YES"
    nfs_server_enable="YES"
    nfsv4_server_enable="YES"
    nfsuserd_enable="YES"
    nfscbd_enable="YES"
    mountd_enable="YES"
    gssd_enable="YES"
    rpc_lockd_enable="YES"
    rpc_statd_enable="YES"
    zfs_enable="YES"

Here is the content of /etc/exports:

    /export/shared/testshare -sec=krb5p
    V4: / -sec=krb5p

Another interesting aspect is that when I used `tcpdump` to record the NFS network traffic between the client and the server, I saw NFS3 packets together with the NFS4 packets. Both of these packet types contained encrypted data, so I still think Kerberos was used, but given the configuration above, I would have expected there to be nothing but NFS4 traffic.

If anyone is able to confirm whether or not this actually has been tested in 9.1-CURRENT, I'd appreciate it. Also, if not, then I'd love to know where I should start looking for a solution. I'm experienced in system level programming (having worked on Solaris at Sun in a previous life), but a pointer on where to start would be helpful.

Thanks and regards,
Elias
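The poster's stated goal is that krb5p be the only security flavor offered, and exports(5) silently falls back to sys for any export line without -sec. The following audit script is an added example, not the poster's code nor part of FreeBSD; it parses exports(5) lines (including the V4: root line) and flags any export whose flavor list admits anything other than krb5p. The sample exports text it runs on is constructed here for illustration.

```python
# Audit a FreeBSD /etc/exports for NFS security flavors weaker than krb5p.
# Assumes exports(5) syntax: paths, then -option[=value] tokens, then hosts;
# "-sec=" takes a colon-separated flavor list and defaults to "sys" if absent.

ALLOWED_FLAVORS = frozenset({"krb5p"})  # the only flavor the policy permits


def parse_exports(text):
    """Return one dict per export line: paths, options, hosts, v4root flag."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        is_v4root = tokens[0] == "V4:"       # the NFSv4 pseudo-root line
        if is_v4root:
            tokens = tokens[1:]
        paths, opts, hosts = [], {}, []
        for tok in tokens:
            if tok.startswith("/"):
                paths.append(tok)
            elif tok.startswith("-"):
                key, _, val = tok[1:].partition("=")
                opts[key] = val
            else:
                hosts.append(tok)
        entries.append({"paths": paths, "opts": opts,
                        "hosts": hosts, "v4root": is_v4root})
    return entries


def audit_exports(text):
    """List (paths, weak_flavors) for every export not restricted to krb5p."""
    findings = []
    for entry in parse_exports(text):
        sec = entry["opts"].get("sec")
        flavors = sec.split(":") if sec else ["sys"]  # exports(5) default
        weak = [f for f in flavors if f not in ALLOWED_FLAVORS]
        if weak:
            findings.append((entry["paths"], weak))
    return findings


# Constructed sample file; only the first and last lines match the poster's.
SAMPLE_EXPORTS = """\
/export/shared/testshare -sec=krb5p
/export/public -sec=sys:krb5 -network=192.0.2.0/24
/export/legacy -maproot=root
V4: / -sec=krb5p
"""

if __name__ == "__main__":
    for paths, weak in audit_exports(SAMPLE_EXPORTS):
        print(f"{' '.join(paths)}: allows non-krb5p flavors {weak}")
```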