Kerberos nfsv4 with Linux server

I am struggling to get a nfsv4 kerberos share on a linux server to mount on Freebsd 13 client. (The other way it worked.)

On Linux there are two options to specify a kerberos share:
  1. /etc/exports on linserv:
    Code:
    /nfs            *(rw,sec=krb5:krb5i:krb5p,async,fsid=0)
    /nfs/home       *(rw,sec=krb5:krb5i:krb5p,async,nohide,no_root_squash)
    Trying to mount this on FreeBSD13 (bsdclient) with
    mount_nfs -o nfsv4,sec=krb5 linserv:/home /mnt/tmp yields:
    Code:
    nfsv4 err=10016
    mount_nfs: /mnt/tmp: Input/output error
    i.e., NFSERR_WRONGSEC. So FreeBSD13 seems not to recognize the security settings of the Linux server.

  2. /etc/exports on linserv:
    Code:
    /nfs            gss/krb5(rw,async,fsid=0)
    /nfs/home       gss/krb5(rw,async,nohide,no_root_squash)
    Using the same mount command as before yields just:
    Code:
    mount_nfs: /mnt/tmp: Input/output error

I also inspected the output of gssd -h -d -v:
Code:
gssd_import_name: done major=0x0 minor=0
gssd_init_sec_context: done major=0xd0000 minor=2 uid=0
gssd_release_name: done major=0x0 minor=0

When I used the gssname option, i.e., mount_nfs -o nfsv4,sec=krb5,gssname=host linserv:/home /mnt/tmp, gssd printed:
Code:
gssd_import_name: done major=0x0 minor=0
gssd_acquire_cred: desired name for host based initiator cred major=0x0 minor=0
gssd_acquire_cred: using keytab entry for host/bsdclient, kerberos ret=-1765328378
gssd_release_name: done major=0x0 minor=0
that apparently shows that the key is not found in krb5.keytab. (I also tried gssd -h -d -v -s /etc/krb5.keytab with the same result.)


I also tried different versions of gssname, e.g. mount_nfs -o nfsv4,sec=krb5,gssname=host@bsdclient.samdom.com linserv:/home /mnt/tmp, but the error was similar:
Code:
gssd_import_name: done major=0x0 minor=0
gssd_acquire_cred: desired name for host based initiator cred major=0x0 minor=0
gssd_acquire_cred: using keytab entry for host/bsdclient.samdom.com, kerberos ret=-1765328378
gssd_release_name: done major=0x0 minor=0

But ktutil list shows that the host-key is in krb5.keytab:
Code:
 1  aes256-cts-hmac-sha1-96  host/bsdclient.samdom.com@SAMDOM.COM
 1  aes128-cts-hmac-sha1-96  host/bsdclient.samdom.com@SAMDOM.COM
 1  arcfour-hmac-md5         host/bsdclient.samdom.com@SAMDOM.COM

Apart from rpc.mountd[593]: failed authentication for IP 10.0.2.99 (i.e., the IP of bsdclient), I could find nothing on linserv.

I should add that bsdclient also contains the samba AD server. And I can mount the share on linserv from any Linux machine with nfsv4-kerberos (using option 1 or 2).

Does anybody have an idea what goes wrong? Is it not possible to mount Linux kerberos nfsv4-shares on FreeBSD13?

In another post it is noted that kerberos nfsv4 is broken.
 
I also tried different versions of gssname, e.g. mount_nfs -o nfsv4,sec=krb5,gssname=host@bsdclient.samdom.com linserv:/home /mnt/tmp, but the error was similar:
Code:
gssd_import_name: done major=0x0 minor=0
gssd_acquire_cred: desired name for host based initiator cred major=0x0 minor=0
gssd_acquire_cred: using keytab entry for host/bsdclient.samdom.com, kerberos ret=-1765328378
gssd_release_name: done major=0x0 minor=0
An explicit domain name in gssname shouldn't be necessary if your hostname and DNS are set up correctly, so the system knows its FQDN ...

But apart from that, I ran into exactly the same issue with samba today. I tracked it down to samba never setting a UPN (userPrincipalName) on a computer account (which will be the account you need for the system-wide mount with gssname). You could directly use the machine account name (in your example probably BSDCLIENT$), but unfortunately, FreeBSD's mount_nfs doesn't seem to allow this; it will complete anything you give as gssname to an SPN (servicePrincipalName).

The solution: Manually edit the computer account on your domain controller with samba-tool computer edit bsdclient, and add a userPrincipalName property with the full principal name, including the realm.

See also: https://serverfault.com/a/606840
 
How did you create the SPN with samba?
Does this mail in the samba users mailing list help?
This will help with creating the SPN for the service (here, nfs), which isn't the OP's problem, the service seems to work fine.

The real issue is that just adding an SPN to an account with samba won't enable you to authenticate as this account using the SPN. And FreeBSD's mount_nfs wants to do exactly that (using a key for the SPN from the system-wide keytab) when using the gssname mount option.

What helps is setting the SPN you want to use as the UPN of the machine account, then you can authenticate (as the machine) using it.
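The diagnosis and fix from the two replies above, as an added example that is not code from the thread or from the Samba/FreeBSD projects: it decodes gssd's "kerberos ret=" value (-1765328378 is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, i.e. the KDC knows no client with that name), checks with a throwaway credential cache whether the keytab's host key can get a TGT, and emits the LDIF adding that principal as the computer account's UPN. The FQDN, realm and the computer DN CN=BSDCLIENT,CN=Computers,DC=samdom,DC=com are assumptions taken from the thread's names.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed names: client FQDN
# bsdclient.samdom.com, realm SAMDOM.COM, computer account BSDCLIENT.
# kinit/kdestroy flags are Heimdal's (FreeBSD base); MIT kinit wants "-k -t".

KRB5_ERR_BASE=1765328384   # krb5 error table base: KDC code = ret + base

# Translate gssd's "kerberos ret=..." into the KDC error number (6 = client
# principal unknown, i.e. no account carries this name as userPrincipalName).
kdc_err_code() {
    echo $(( $1 + KRB5_ERR_BASE ))
}

# The client principal that mount_nfs -o gssname=host will try to use.
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# LDIF adding that principal as the computer account's UPN; apply on the DC
# with ldbmodify, or add the userPrincipalName line in samba-tool computer edit.
upn_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: userPrincipalName\nuserPrincipalName: %s\n' "$1" "$2"
}

# Does the KDC issue a TGT for the keytab's host key? A throwaway cache keeps
# the check from touching root's own tickets.
check_client_principal() {
    cache="FILE:/tmp/nfs-gss-check.$$"
    if kinit -t "${KEYTAB:-/etc/krb5.keytab}" -c "$cache" "$1" 2>/dev/null; then
        kdestroy -c "$cache"
        return 0
    fi
    return 1
}

if [ "$1" = check ]; then
    princ=$(host_principal "$(hostname)" SAMDOM.COM)
    if check_client_principal "$princ"; then
        echo "KDC accepts $princ as a client; gssname=host should work"
    else
        echo "KDC rejects $princ as a client; add it as UPN on the DC:" >&2
        upn_ldif 'CN=BSDCLIENT,CN=Computers,DC=samdom,DC=com' "$princ"
    fi
fi
```

Run it as root on the FreeBSD client with the argument check; a rejected principal is the same failure gssd reports as kerberos ret=-1765328378.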
 