Solved ERR 20: Auth Credentials are too weak (NFSv4 + KRB5)

Hi,

I want to share a directory with NFSv4 + Kerberos.
Here is my configuration:
NFS server (also tested with -alldirs before, and yes, I want to use krb5p):
/etc/exports
V4: /tank/ds -sec=krb5p client.domain.net
/tank/ds -sec=krb5p -maproot=root client.domain.net

Also /etc/rc.conf
...
nfsuserd_enable="YES"
gssd_enable="YES"
nfs_server_enable="YES"
nfsv4_server_enable="YES"
mountd_enable="YES"


kinit -k nfs/server.domain.net exits successfully and returns 0. I can confirm it with klist.

NFS Client:
/etc/rc.conf
...
nfsuserd_enable="YES"
gssd_enable="YES"
nfs_client_enable="YES"
nfscbd_enable="YES"


I have a Kerberos keytab on this host with the *host/* prefix and I can mount the NFS mountpoint (I can confirm it with mount):
mount_nfs -o nfsv4,minorversion=2,gssname=host,sec=krb5p server.domain.net:/ /storage/ds/

But I cannot work with the /storage/ds directory and I get the *Permission Error*:
# ls /storage/ds/
ls: /storage/ds/: Permission denied


As a test, I changed the mode of the directory to 777 on the NFS server side, but nothing changes and I still get the same permission error.

Here is my tcpdump results:
server.domain.net.nfsd > client.domain.net.rndc: Flags [P.], cksum 0x80a9 (incorrect -> 0x86cd), seq 2153:2177, ack 2733, win 29128, options [nop,nop,TS val 819636879 ecr 534231837], length 24: NFS reply xid 1805467811 reply ERR 20: Auth Credentials are too weak


Any idea?

Update:

# zfs get sharenfs
NAME PROPERTY VALUE SOURCE
tank sharenfs on local
tank/ds sharenfs on local
 
What version of FreeBSD are you using? Maybe it is an issue with which algorithm is used to generate the Kerberos ticket.
 

If you have an /etc/exports file then you don't need a ZFS sharenfs option set, and if it is set, the Kerberos credential flavor "krb5p" is missing here in the "sharenfs" option. See zfsprops(7) sharenfs=on|off|opts.

If this is Heimdal Kerberos, then the reason the NFS mount with Kerberos credentials gets "permission denied" is that kerberized NFSv4 on FreeBSD seems to be broken with tickets created by Heimdal Kerberos from base or the port crypto/heimdal. I've done hours of testing, until I got fed up, following the guide https://people.freebsd.org/~rmacklem/nfs-krb5-setup.txt .

See discussions:


I read somewhere, I believe in the FreeBSD mailing lists, kerberized NFS with tickets created with MIT Kerberos V5 work, but never tried it myself.

security/krb5-118
security/krb5-119
security/krb5-120
security/krb5-devel
 
I found this thread and removed the sharenfs on ZFS, and I am still getting the same error.

Also yes, I am using Heimdal.
Let me check your threads.
 
What is the ticket etype? klist -v
Are you using the version of Heimdal in base?
Credentials cache: FILE:/tmp/krb5cc_0
Principal: nfs/server.domain.net@DOMAIN.NET
Cache version: 4

Server: krbtgt/DOMAIN.NET@DOMAIN.NET
Client: nfs/server.domain.net@DOMAIN.NET
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 344
Auth time: Dec 4 20:39:35 2022
End time: Dec 5 06:39:35 2022
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless

And etype for nfs/client.
 
After reading the whole thread below, I decided to move my whole /etc/exports configuration to zfs sharenfs.
On the server-side:
/etc/exports
V4: /tank/ds
And here is the sharenfs output:
zfs set sharenfs=on,maproot=root,sec=krb5p,client.domain.net
zfs get sharenfs
NAME PROPERTY VALUE SOURCE
tank sharenfs off local
tank/ds sharenfs on,maproot=root,sec=krb5p,client.domain.net local


But I got this line on /var/log/messages:
... mountd[19035]: bad exports list line '/tank/ds on -maproot': no valid entries

Any idea?
 
I did a simple test using the ZFS sharenfs property, followed by zfs share the/dataset,
and I don't have an /etc/exports.
So I guess the first issue is the existence of this file.
 
I also tested it without the Kerberos and host/subnet flags and it works.
Based on the previous thread that I mentioned before, I think the existence of the file should not be a problem if only the "V4: " line is included.
 
Probably an IP resolution issue, which is affecting all other 'sharenfs' options. Execute grep mountd /var/log/messages | tail and look for "address info for client.domain.net".

Then remove client.domain.net.

I think the existence of the file [/etc/exports] should not be a problem if only the "V4: " line is included.
That's correct.
 
I can resolve it on the nfs server/client and nothing changes by removing the client from sharenfs:
# zfs get sharenfs -r tank/ds
cannot open '-r': dataset does not exist
NAME PROPERTY VALUE SOURCE
tank/ds sharenfs on,maproot=root,sec=krb5p local


I am still getting the same error:
# tail -n3 /var/log/messages
Dec 5 ... client mountd[19035]: can't get address info for host on
Dec 5 ... client mountd[19035]: bad host on, skipping
Dec 5 ... client mountd[19035]: bad exports list line '/tank/ds on -maproot': no valid entries
 
Maybe you need to remove the "on" in the sharenfs property? I guess "on" means to activate the share with the default parameters, and if you have non-default parameters, you replace "on" with those parameters?
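To see why the sharenfs value quoted above ends up with a host called "on" in the mountd log, here is an added checker (example code written for this thread, not FreeBSD's libzfs or mountd); it assumes that tokens whose key is a known exports(5) option are handed to mountd with a leading "-" and that every other token is passed through as a host, which is consistent with the "can't get address info for host on" lines posted earlier.

```python
"""Lint a ZFS 'sharenfs' value the way mountd will see it.

Added example; not FreeBSD's libzfs or mountd code. Assumption: each
comma-separated token whose key is an exports(5) option is passed with a
leading '-', every other token is passed through as a host, so a stray
'on' mixed with options becomes the unresolvable host 'on'.
"""
from typing import List

# exports(5) options the model recognises (assumption: not exhaustive).
KNOWN_OPTS = {"ro", "maproot", "mapall", "mask", "network", "sec",
              "alldirs", "public", "webnfs", "index", "quiet"}
# Options that are meaningless without "=value".
NEEDS_VALUE = {"maproot", "mapall", "mask", "network", "sec", "index"}


def sharenfs_tokens(value: str) -> List[str]:
    """Split a sharenfs value; a bare 'on'/'off' carries no tokens."""
    value = value.strip()
    if value in ("", "on", "off"):
        return []
    return [t.strip() for t in value.split(",") if t.strip()]


def exports_line(path: str, value: str) -> str:
    """Render the exports(5) line mountd would be handed for the dataset."""
    parts = [path]
    for tok in sharenfs_tokens(value):
        key = tok.split("=", 1)[0]
        parts.append("-" + tok if key in KNOWN_OPTS else tok)
    return " ".join(parts)


def lint_sharenfs(value: str) -> List[str]:
    """Return human-readable problems with a sharenfs value."""
    problems = []
    tokens = sharenfs_tokens(value)
    for tok in tokens:
        key = tok.split("=", 1)[0]
        if key in ("on", "off"):
            # Only reachable when on/off is mixed with other tokens.
            problems.append(f"'{key}' mixed with options is passed to mountd as host '{key}'")
        elif key in NEEDS_VALUE and "=" not in tok:
            problems.append(f"option '{key}' needs a value")
    if not any(t.startswith("sec=krb5") for t in tokens):
        problems.append("no sec=krb5* flavor: this export does not require Kerberos")
    return problems
```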
 
I tried a similar setup and it works.
I used this document https://people.freebsd.org/~rmacklem/nfs-krb5-setup.txt and https://people.freebsd.org/~rmacklem/nfs-krb5-setup.txt
I get the same error if the user that runs the ls command does not have a ticket.
The NFS client host and the user accessing the share both need to be in the KDC.
[root@hpbsd /usr/home/meuser]# mount -t nfs -o nfsv4,sec=krb5p,gssname=host linsux.domain.local:/ /extra
[root@hpbsd /usr/home/meuser]# ls /extra/
ls: /extra/: Permission denied
[root@hpbsd /usr/home/meuser]#
exit
[meuser@hpbsd ~]$ id
uid=1001(meuser) gid=1001(meuser) groups=1001(meuser),0(wheel),44(video),68(dialer)
[meuser@hpbsd ~]$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: meuser@DOMAIN.LOCAL
    Cache version: 4
  KDC time offset: 6 minutes 51 seconds

Server: krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
Client: meuser@DOMAIN.LOCAL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 322
Auth time:  Dec  5 08:45:04 2022
End time:   Dec  5 18:38:13 2022
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless

Server: nfs/linsux.domain.local@DOMAIN.LOCAL
Client: meuser@DOMAIN.LOCAL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 348
Auth time:  Dec  5 08:45:04 2022
Start time: Dec  5 08:45:08 2022
End time:   Dec  5 18:38:13 2022
Ticket flags: transited-policy-checked, pre-authent
Addresses: addressless

[meuser@hpbsd ~]$ ls /extra/
e        hq        includes    p
[meuser@hpbsd ~]$
This is /etc/exports on linsux (NFS server):

/extra/wwwroot -sec=krb5p -network=10.1.1.0/24
V4: /extra/wwwroot -sec=krb5p -network=10.1.1.0/24
Client and server are both FreeBSD 13.1 amd64 (ignore the misleading hostname :)
 
Seems like I am getting a new error here.
  1. I removed the "-h" flag from the gssd service on the nfs client. (Now I can mount.)
  2. Then I got the permission error from the NFS-mounted directory (which is "ERR 20: Auth Credentials are too weak" in tcpdump). Suddenly, by running the kinit -k ... command, my permission error was gone.
  3. Now I still cannot see my files on the NFS mountpoint, and creating files in the NFS-mounted directory gives me "touch: /storage/ds/gfdsfsdfg: Input/output error".
 
I got that too.
The problem is that your client can't traverse server mountpoints.
Export every volume separately.
 
That's the same link twice. Would you mind posting exactly what you did? I tried, and like T-Daemon could not get it to work.
The other was https://wiki.freebsd.org/KerberizedNFS
and also the handbook docs on Kerberos.

I did set up Kerberos and just mostly pasted from the people.freebsd.org link.
I had functional forward and reverse DNS.
My NFS server box is the same as the KDC box.
In fact spmzt's setup is the same as mine. His problem was that the user accessing the mount did not have a ticket.
 
Somehow I made it work,
with this configuration:
/etc/rc.conf:
...
gssd_enable="YES"
gssd_flags="-h"
nfsuserd_enable="YES"
nfs_server_enable="YES"
nfsv4_server_only="YES"
nfs_server_flags="-t -n 32"


/etc/exports:
V4: /tank/ds -sec=krb5p -network *.*.*.0/24


And:
# zfs get sharenfs tank/ds
NAME PROPERTY VALUE SOURCE
tank/ds sharenfs sec=krb5p local


Plus previous configuration on the client.
But my NFS client works with *nobody* permissions.
# touch /storage/ds/ds0/test2
root@client:~ # ls -ltrha /storage/ds/ds0
total 20
drwxr-xr-x 22 root wheel 22B Dec 3 21:02 ..
-r--r--r--+ 1 nobody wheel 0B Dec 5 21:01 test
 