Date:      Thu, 7 Feb 2013 19:07:22 -0500 (EST)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Janusz Bulik <januszbulik@googlemail.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: NFSv4 + Kerberos permission denied
Message-ID:  <332773957.2815149.1360282042526.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <CAMFg4WvJrzT7KB-4W_JnHH9CcPiK+cWHp6KJPEZg=-K2Cb-QzQ@mail.gmail.com>

Janusz Bulik wrote:
> Hello,
> I've got a little problem with NFSv4 + Kerberos. I can do a mount with
> Kerberos with a valid ticket, but read-only.
> After the mount -vvv -t nfs -o nfsv4,sec=krb5 nfsserver:/ /mount_test/
> I can see:
> 
> #klist:
> Feb 6 07:22:47 Feb 6 17:22:43 nfs/nfsserver@my.domain
> 
> #/var/heimdal/kdc.log:
> 2013-02-06T07:28:26 TGS-REQ clientnfs@my.domain from IPv4:192.168.0.23
> for nfs/nfsserver@my.domain
> 
> tcpdump:
> 14:59:36.140272 IP nfsclient.61011 > 192.168.0.21.kerberos-sec:
> 14:59:36.142301 IP 192.168.0.21.kerberos-sec > nfsclient.61011:
> 
> I got "Permission denied" message when I try to mkdir or rm. As a root
> mount and as a user mount (sysctl vfs.usermounts=1).
> With -sec=sys it works read-write, but with -sec=krb5 read-only.
> 
Did you successfully read files under /mount_test? (I suspect no
access would be closer to the truth than read-only, unless the
non-root user with a valid TGT only has read access. Although I
think it is technically possible to do so, typically "root" does
not exist in a KDC as a user principal and, as such, "root" cannot
do a kinit to get a TGT and that means "no access" to the kerberized
mount point.)

> my /etc/exports:
> V4: /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask
> 255.255.255.0
> /export_test -sec=krb5:krb5i:krb5p -network 192.168.0.0 -mask
> 255.255.255.0 -maproot=root -alldirs
> 
> tried with V4: / .... as well.
> Added all the principals needed.
> Tried also with full qualified domain names.
> SSH works fine with Kerberos
> 
> 
> Do I need rpcsec_gss.patch? (according to
> http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup)
> or can I make it work somehow else?
> 
> I used FreeBSD-9.1-RELEASE-i386-disc1
> and
> FreeBSD-10.0-CURRENT-i386-20130202-r246254-release
> 
Well, without the patch, the only kind of NFSv4 kerberized mount that will
work is (NFSv3 is a different story):
# sysctl vfs.usermount=1
- logged in as non-root user that has kinit'd and, therefore, has a valid TGT
% mount -t nfs -o nfsv4,sec=krb5 nfsserver:/ /mount_test
- then this user (or any other non-root user with a valid TGT) should be able
  to access /mount_test with whatever permissions the server has on the directories.
  (ie. If these users are supposed to create files/directories under /export_test,
   they will need write access to /export_test.)

Note that "root" does not normally have any access to a kerberized mount point,
since the KDC doesn't normally have a user principal for "root", as above.

This mount will only work as long as the non-root user that did the mount holds
a valid TGT.

- To do an NFSv4 kerberized mount as root (which will keep working until unmount),
  you need to patch the system so that it can use a host based credential in the
  default keytab file as an initiator credential.

If you use current/10.0 sources, I have a better patch to do this. It is at:
  http://people.freebsd.org/~rmacklem/rpcsec_gss-hostbased-initiator.patch
After applying the patch, you need to build both the kernel and the gssd daemon
from sources. You do not need to set the sysctl to the correct encryption type
for the keytab entry to get it to work.

After putting an entry in the client's /etc/keytab, rebooting the patched kernel
with the rebuilt gssd daemon running on it, the mount looks like:
# mount -t nfs -o nfsv4,sec=krb5,gssname=nfs nfsserver:/ /mount_test
(Assuming that the keytab entry is for nfs/client-host.domain@YOUR_REALM.)

This mount will still not give "root" access to the file system, for the same
reasons as above, but can be done by "root" and doesn't need any valid TGT to
keep working.

At this time, there is no way to give "root" access to a kerberized mount unless
you put a user principal for "root" (root@YOUR_REALM) in your KDC and then do a
kinit when logged in as root. (This is not recommended from a security point of
view.)

If you can't get things to work:
- try and use des-cbc-crc encryption for the keytab entries (you can try other
  ones after you have it working, so long as they result in an 8-byte session key)
- make sure the gssd is working on both client and server (it has to be running
  before the nfsd is started on the server)
- check /var/log/messages for any messages from the gssd
- check the log file on your KDC for hints of problems
- capture packets of the mount and look at them in wireshark (use something like
  a "host" filter, so you get more than the NFS packets)

Good luck with it, rick

> --
> Greets
> Janusz
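As an added example (not code from Rick or the original poster), the precheck below encodes the two mount styles described in the reply: a non-root mount that needs vfs.usermount=1 and a TGT in the user's credential cache, and a root mount with gssname= that needs an nfs/<host> keytab entry (des-cbc-crc first, as suggested for troubleshooting). The klist and ktutil output, the host name and the function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample outputs (not captured from the OP's machine); the klist
# layout follows the year-less Heimdal format quoted in the thread.
KLIST_OK='Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: clientnfs@my.domain

  Issued           Expires          Principal
Feb  6 07:22:47  Feb  6 17:22:43  krbtgt/my.domain@my.domain
Feb  6 07:22:50  Feb  6 17:22:43  nfs/nfsserver@my.domain'

KTUTIL_OK='FILE:/etc/krb5.keytab

Vno  Type                     Principal
  2  des-cbc-crc              nfs/nfsclient.my.domain@my.domain
  2  aes256-cts-hmac-sha1-96  nfs/nfsclient.my.domain@my.domain'

# 0 if the credential cache holds a TGT (a krbtgt/ entry), else 1.
has_tgt() { printf '%s\n' "$1" | grep -q '[[:space:]]krbtgt/'; }

# 0 if the keytab ($1) has a des-cbc-crc key for nfs/<host> ($2), else 1.
keytab_has_nfs_des() {
    printf '%s\n' "$1" |
    awk -v h="$2" '$2 == "des-cbc-crc" && $3 ~ ("^nfs/" h "@") {f = 1} END {exit !f}'
}

# Decide which mount style applies and whether its preconditions hold.
# Prints one reason; returns 0 only when the mount should work.
#   $1 uid running mount    $2 mount options (comma list)   $3 vfs.usermount
#   $4 klist output         $5 ktutil list output           $6 client host name
diagnose() {
    uid=$1 opts=$2 usermount=$3 klist=$4 keytab=$5 host=$6
    case ",$opts," in *,sec=krb5*) ;; *) echo "not a krb5 mount"; return 1;; esac
    if [ "$uid" -eq 0 ]; then
        # root has no user principal, so only the host-based (patched) style works
        case ",$opts," in
        *,gssname=*) keytab_has_nfs_des "$keytab" "$host" && { echo "ok: host-based"; return 0; }
                     echo "no des-cbc-crc nfs/$host key in keytab"; return 1;;
        *) echo "root mount needs gssname= (host-based patch)"; return 1;;
        esac
    fi
    # non-root style: usermount enabled and the mounting user holds a TGT
    [ "$usermount" -eq 1 ] || { echo "vfs.usermount=0"; return 1; }
    has_tgt "$klist" || { echo "no TGT in credential cache"; return 1; }
    echo "ok: user TGT"; return 0
}
```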