I have had a jailed kerberized nfsv4 server running flawlessly on FBSD 14.x (latest being 14.3) for quite a few months. Since I upgraded both the host and jail to 15.0, mounts fail on my linux clients with a "Permission denied" error.
I have checked the kerberos keytabs as well as the ticket caches and all seems in order. During my troubleshooting, I tried the same kerberized nfsv4 server configuration (same daemons running, same exports file, etc) on the host (not in jail) and the mounts work as expected. Starting gssd in verbose mode, I noticed no activity at all from the jailed server, but saw activity like getting user credentials, etc when running nfs on the host.
In looking at the source code for gssd, I noticed a change in strategy between 14.x and 15.0. The 14.x releases use a unix domain local socket for the upcalls from the gssapi kernel module while 15.0 uses a Netlink socket listening for multicast traffic.
I am wondering if I am missing a setting in my jail configuration to allow Netlink sockets and/or multicast traffic. In reading the man pages and doing Internet searches, I have not been able to identify a setting that would help. I have tried multiple jail settings such as allow.raw_sockets and nothing has solved the issue. As I am currently configured, gssd does not appear to be getting upcalls for kerberos authentication.
Any help would be greatly appreciated.