gssd can't work as nfs client with -h flag (PNFS+KRB)

Hi,

I have set up a PNFS server (NFSv4 only) with Kerberos (Heimdal), and I have a problem with gssd.
I want to use Kerberos on the PNFS MDS as an NFS client to its PNFS DSs and as an NFS server to the NFS clients which connect to the PNFS MDS itself.

But let's break down the problem. I cannot use gssd with the -h flag AND work with an NFS share with a Kerberos ticket (-sec=krb5i:krb5p).

on the NFS Client (or technically the PNFS MDS):
/etc/rc.conf
Code:
...
nfsuserd_enable="YES"
gssd_enable="YES"
gssd_flags="-h"
nfs_client_enable="YES"
...

When I mount the NFS share I cannot work in its directory:
Code:
client:~ #mount_nfs -o vers=4,nfsv4,minorversion=2,sec=krb5p,gssname=host server.domain.net:/ /storage/ds/
client:~ #touch /storage/ds/ds0/test123
touch: /storage/ds/ds0/test123: Permission denied

But without the -h flag it works perfectly: my clients can connect to the PNFS MDS with AUTH_SYS, and my PNFS MDS can connect to the PNFS DS with krb5p.

Any Ideas?
 
Did you register the host in Kerberos? Not sure which SPN it might need, NFS typically uses a nfs/<hostname> SPN. Check klist -k on the 'client'.
 
By looking at

This seems weird; it looks like the client is only the NFS server.
In my configuration, after kinit plus mounting with NFS, I have:
Code:
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: username@LOCAL
    Cache version: 4

Server: krbtgt/LOCAL@LOCAL
Client: username@LOCAL
...
Server: nfs/server-nfs.local@LOCAL
Client: username@LOCAL
...

In my case there are 3 distinct computers: a KDC, an NFS server, and a client.
 
Did you register the host in Kerberos? Not sure which SPN it might need, NFS typically uses a nfs/<hostname> SPN. Check klist -k on the 'client'.
Yes, I have both the host/ and nfs/ prefixes in the /etc/krb5.keytab file.

I can connect with both tickets from the client by running either of the commands below:
kinit -k host/client.domain.net
OR
kinit -k nfs/client.domain.net
 
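The replies above boil down to one check: does the client's keytab actually hold both host/ and nfs/ service principals for the exact FQDN the mount uses, and at the kvno the KDC currently issues? The script below is an added example (it is not from this thread or from FreeBSD/Heimdal) that reads a keytab file directly instead of relying on klist -k, lists every principal with its kvno and enctype, and reports which of the wanted SPNs are absent. It assumes the keytab is in the version-2 format written by both MIT and Heimdal (magic 0x0502). The realm DOMAIN.NET, the kvno values and the key bytes in the embedded sample are constructed for illustration; only the hostname client.domain.net comes from the posts.

```python
import struct
import sys

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2 (MIT and Heimdal)
KRB5_NT_SRV_HST = 3          # name type used for service/host principals


def _counted(buf, pos):
    """Read a 16-bit length-prefixed octet string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def _pack(b):
    """Inverse of _counted: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def parse_keytab(data):
    """Parse keytab bytes into a list of entries (principal, kvno, enctype, key)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # a negative size marks a deleted slot to skip
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        vno = vno8
        if end - pos >= 4:           # optional 32-bit kvno; wins over vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": vno, "enctype": enctype, "key": key,
        })
    return entries


def missing_spns(entries, fqdn, realm, services=("host", "nfs")):
    """Return the service principals for fqdn that are absent from the keytab."""
    have = {e["principal"] for e in entries}
    wanted = ["%s/%s@%s" % (s, fqdn, realm) for s in services]
    return [p for p in wanted if p not in have]


def build_keytab(entries):
    """Write entries (principal, kvno, enctype, key) back out as keytab bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack(realm.encode())
        for c in comps:
            body += _pack(c.encode())
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, e.get("timestamp", 0), e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample keytab: realm DOMAIN.NET, kvno 3, aes256-cts (enctype 18)
# and the key bytes are assumptions for illustration, not values from the thread.
SAMPLE_KEYTAB = build_keytab([
    {"principal": "host/client.domain.net@DOMAIN.NET", "kvno": 3, "enctype": 18, "key": b"\x11" * 32},
    {"principal": "nfs/client.domain.net@DOMAIN.NET", "kvno": 3, "enctype": 18, "key": b"\x22" * 32},
])

if __name__ == "__main__":
    # usage: keytab_check.py [/etc/krb5.keytab [fqdn realm]]; no args runs on the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    fqdn, realm = sys.argv[2:4] if len(sys.argv) > 3 else ("client.domain.net", "DOMAIN.NET")
    entries = parse_keytab(data)
    for e in entries:
        print("%-45s kvno=%d enctype=%d" % (e["principal"], e["kvno"], e["enctype"]))
    print("missing:", missing_spns(entries, fqdn, realm) or "none")
```

Run it as root against /etc/krb5.keytab with the FQDN and realm the mount is expected to use; a principal whose hostname differs from what the server's reverse lookup or the gssname= option yields, or whose kvno is older than the one the KDC now issues, shows up here even though klist -k output looks complete at a glance.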