From owner-freebsd-fs@freebsd.org Thu Oct 4 15:21:41 2018
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Felix Winterhalter, freebsd-fs@freebsd.org
Subject: Re: NFSv4 Kerberos mount from Linux
Date: Thu, 4 Oct 2018 15:21:39 +0000
In-Reply-To: <30f6446c-6fed-4b1e-9cae-9c417974ec46@audiofair.de>
List-Id: Filesystems (freebsd-fs@freebsd.org)

Felix Winterhalter wrote:
>Hello everyone,
>
>I've been trying to get a kerberized nfsv4 mount to work from a Debian
>Stretch client to a FreeBSD 11.2 server.
>
>My export file looks like:
>
>V4: / -sec=krb5p clients
>
>/testexport -maproot=root -sec=krb5p clients
>
Btw, if you are only mounting "/testexport", you can specify the "V4:" as
V4: /testexport -sec=krb5p clients
and then the mount on the client uses "/" as the server mountpoint, like
# mount -t nfs -o nfsvers=4 :/ /mnt
(This avoids the server having to search for "testexport" in the "/" directory
during mounting and might avoid some problems when "/" isn't an exported
file system. There are "hooks" in the FreeBSD server to make the search work,
but I've never been 100% certain they will work for Kerberos and/or ZFS.)

Btw, in case the Linux client is falling back on using AUTH_SYS at some point
during the mount, you could try allowing both krb5 and auth_sys by setting
"-sec=sys,krb5,krb5i,krb5p" for both of the above lines. (I'd also suggest you
try krb5 or krb5i until you get it working, since any packet traces are
easier to decode, although once one krb5 variant works, they all should.)

>I am now trying to mount this directory as root first without having to
>deal with user keytabs or tickets.
>
>This works fine with -sec=sys and nfsv4.1 and nfsv3 and -sec=krb5p.
>This does not however work with nfsv4 and krb5p or any other krb5 flavor.
Sorry, I'm not sure what you are saying here. Is it
1 - no version of NFS works for krb5p
or
2 - NFSv4.1 works for krb5p, but NFSv4.0 does not
or
3 - only nfsv3 works for krb5p

If it's #3, that is what I would expect. For NFSv4 (and NFSv4.1, I believe) to
work, a host based initiator credential is needed for the client host. The only
ways I know of that you can get this are by
- creating such an entry in your KDC and then putting a keytab entry for it in
  the client
or
- on the FreeBSD client, doing the mount as a user after that user has done a
  kinit.
  (There are mount options for this on FreeBSD and it also requires setting the
  sysctl vfs.usermount to 1 so non-root can do mounts.) Since you are using a
  Linux client I have no idea how this might be done on Linux.

I have no idea how the Linux server might allow an NFSv4 mount to work without
Kerberos credentials for the "state maintaining operations" done by root (or the
user doing the mount for the FreeBSD client)?
- Maybe they allow these operations to be done via AUTH_SYS. To me, this would
  sound like a security hole, but I'm not a security guy...

If you have #3, I know the FreeBSD server won't allow what you are trying to do.
If you want to find out what the Linux server does to make it work, you could
capture packets via tcpdump or similar and look at them in wireshark.
(I'd suggest krb5 or krb5i for this, so that the packet data isn't encrypted,
since it makes the wireshark decoding a lot more useful.)
- If you get such a packet trace, you could email it to me and I can take a look.
  (I am curious how a Linux server might make this work.)

Most of the above only applies if you are experiencing #3, where NFSv3 works for
krb5, but NFSv4 (and 4.1) does not.

>The only error we have been able to get is an error by gssd:
>
>gssd_pname_to_uid: failed major=0xd0000 minor=-1765328227
I can't remember what this means, but I think it is saying that the principal
name didn't exist in the password database.
(Maybe Linux has some "special" reserved principal name it uses for "state
maintaining operations"?)

>Searching for this error has led us to an old entry in the mailing list:
>
>https://lists.freebsd.org/pipermail/freebsd-fs/2016-May/023132.html
>
>Which apparently has this problem unresolved with extremely similar
>symptoms.
>
>Mounting from the Linux client to a similar Linux server under the same
>KDC with nfsv4 krb5p works without any problem.
>
>Also access to the FreeBSD server with sshd and GSSAPI works fine. So
>the keytab for the FreeBSD host seems to work fine.
>
>This is extremely frustrating as I have been at this problem for days
>now without any real way to even debug the issue.
Here's what I would do:
1 - Try an NFSv3 mount with krb5. (It wasn't obvious if you already have that
    working or not.)
If that works, then...
2 - Try a mount from a FreeBSD client as a user, by doing
    # sysctl vfs.usermount=1
    - login as non-root user and kinit
    - as this user, try a mount like
    % mount -t nfs -o nfsv4,sec=krb5 :/ /mnt
3 - If this works, then you probably need a hostbased client credential in the
    keytab on the client.

rick
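An added example, not part of the thread and not FreeBSD's own code: a small audit of the exports(5) settings discussed above. It parses the "V4:" line and the per-path lines, then flags the two things a practitioner would want to catch before leaving the debugging configuration in place: a "-sec" list that allows sys next to the Kerberos flavors (a client can then fall back to AUTH_SYS), and "-maproot=root" on an export where AUTH_SYS is permitted. It also reports the case Rick mentions where the V4 root is "/" but "/" itself is not exported. Assumptions not stated on the page: only the V4:/path/-sec/-maproot/host subset of exports(5) is interpreted, other options are kept but ignored, a line without -sec is treated as the exports(5) default (AUTH_SYS), and the sample export files are constructed for the example (the first reproduces the two lines from the thread, the second the "-sec=sys,krb5,krb5i,krb5p" debugging variant).

```python
"""Audit FreeBSD exports(5) lines for NFSv4/Kerberos settings (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

KRB_FLAVORS = ("krb5", "krb5i", "krb5p")


@dataclass
class ExportLine:
    is_v4_root: bool
    paths: List[str]
    sec: List[str] = field(default_factory=list)   # [] means no -sec option given
    maproot: Optional[str] = None
    hosts: List[str] = field(default_factory=list)
    other: List[str] = field(default_factory=list)  # options we do not interpret

    def flavors(self) -> List[str]:
        # Assumption: no -sec means the exports(5) default, AUTH_SYS.
        return self.sec or ["sys"]


def parse_export_line(line: str) -> Optional[ExportLine]:
    """Parse one exports(5) line; returns None for blank or comment-only lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tokens = line.split()
    is_v4 = tokens[0] == "V4:"
    if is_v4:
        tokens = tokens[1:]
    # exports(5): one or more absolute paths first, then -options, then hosts.
    paths = []
    while tokens and tokens[0].startswith("/"):
        paths.append(tokens.pop(0))
    if not paths:
        raise ValueError(f"exports line has no path: {line!r}")
    ent = ExportLine(is_v4_root=is_v4, paths=paths)
    for tok in tokens:
        if tok.startswith("-sec="):
            ent.sec = tok[len("-sec="):].split(",")
        elif tok.startswith("-maproot="):
            ent.maproot = tok[len("-maproot="):]
        elif tok.startswith("-"):
            ent.other.append(tok)
        else:
            ent.hosts.append(tok)
    return ent


def audit_exports(text: str) -> List[str]:
    """Return a list of findings (strings) for the exports file body in text."""
    findings: List[str] = []
    entries = [e for e in map(parse_export_line, text.splitlines()) if e]
    v4 = [e for e in entries if e.is_v4_root]
    exported = {p for e in entries if not e.is_v4_root for p in e.paths}

    for e in entries:
        label = "V4: " + e.paths[0] if e.is_v4_root else ",".join(e.paths)
        fl = e.flavors()
        if "sys" in fl and any(k in fl for k in KRB_FLAVORS):
            findings.append(f"{label}: -sec allows sys next to Kerberos; "
                            "a client can fall back to AUTH_SYS")
        if not e.is_v4_root and "sys" in fl and e.maproot == "root":
            findings.append(f"{label}: -maproot=root with AUTH_SYS permitted; "
                            "root on any listed host is root on this export")
        if not e.hosts:
            findings.append(f"{label}: no host list, so the export is open to every client")

    if not v4:
        findings.append("no V4: line; NFSv4 clients cannot mount anything")
    for r in v4:
        root = r.paths[0]
        if root != "/" and root not in exported:
            findings.append(f"V4: root {root} is not itself exported")
        if root == "/" and "/" not in exported:
            findings.append("V4: root / is not an exported file system; "
                            "the server has to search for each exported path under it")
    return findings


# Constructed samples: the thread's two lines, and the suggested debugging variant.
SAMPLE = """\
V4: / -sec=krb5p clients
/testexport -maproot=root -sec=krb5p clients
"""

DEBUG_SAMPLE = """\
V4: /testexport -sec=sys,krb5,krb5i,krb5p clients
/testexport -maproot=root -sec=sys,krb5,krb5i,krb5p clients
"""

if __name__ == "__main__":
    for name, body in (("thread", SAMPLE), ("debug", DEBUG_SAMPLE)):
        print(f"== {name}")
        for finding in audit_exports(body) or ["no findings"]:
            print("  " + finding)
```

Run against the thread's configuration it reports only that "/" is not itself exported; run against the debugging variant it reports the AUTH_SYS fallback on both lines and the -maproot=root exposure, which is the reason to drop "sys" from the -sec lists again once the krb5 mount works.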