Re: cannot mount nfs share -o sec=krb5p

    From Chris Gorman@21:1/5 to chrisjohgorman@gmail.com on Thu May 25 13:35:12 2023
    Hello Again,

    Please disregard this request for help as being persistent has allowed
    me to fix my problem. I needed to rebuild the following packages to
    get nfs mounting working.

    nfs-utils
    krb5
    gssproxy
    cyrus-sasl

    Once these were built to recognise each other, my problem disappeared.

    Thanks for your time.

    Chris

    On Tue, May 23, 2023 at 8:30 PM Chris Gorman <chrisjohgorman@gmail.com> wrote:

    Hello list,

    I am trying to build a linux from scratch system with nfs4 and
    kerberos. Somewhere along the lines I have deviated from what distros
    like arch linux have done as I can't mount an nfs share with anything
    but -o sec=sys. I have tried to follow arch's build scripts for
    nfs-utils-2.6.3 and gssproxy-0.9.1. Both are installed and working as
    far as I can tell. I may yet need to rebuild a package due to
    circular dependencies. I don't know if this is my problem, or if it
    lies elsewhere.

    I have successfully set up a krb5 server on one of my arch systems,
    but want to have the service running on LFS.

    So I have two machines at the moment, server and client at domain
    example.com with realm EXAMPLE.COM. The client is an arch linux
    system and was the previous server. I could get nfs shares mounted
    when I had the arch system as the server. I can no longer mount
    shares when using the LFS machine as the server.

    I have tried turning on nfs debugging with rpcdebug and the attached
    files are the relevant output from journalctl. The client's log is
    attached as client.log and the server's log is server.log. The logs
    are logs of a mount call from the client to the server.

    sudo mount -vvv -t nfs4 -o sec=krb5p server.example.com:/home /home/nfs

    This call produces the following output.

    mount.nfs4: mount(2): Permission denied
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: access denied by server while mounting server.example.com:/home
    mount.nfs4: timeout set for Tue May 23 19:03:05 2023
    mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.0.1,clientaddr=192.168.0.2'
    mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=192.168.0.1,clientaddr=192.168.0.2'
    mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=192.168.0.1,clientaddr=192.168.0.2'

    My kerberos information follows

    Client's krb5.conf
    -----------------------
    [libdefaults]
    default_realm = EXAMPLE.COM
    encrypt = true

    [realms]
    EXAMPLE.COM = {
    admin_server = server.example.com
    kdc = server.example.com

    pkinit_anchors = FILE:/etc/krb5/cacert.pem
    pkinit_identity = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
    }

    [domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

    [logging]
    kdc = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default = SYSLOG:NOTICE

    Server's krb5.conf
    ------------------------
    [libdefaults]
    default_realm = EXAMPLE.COM
    encrypt = true

    [realms]
    EXAMPLE.COM = {
    admin_server = server.example.com
    kdc = server.example.com

    kdc_tcp_ports = 88
    allow_pkinit = yes
    pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
    pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
    }

    [domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

    [logging]
    kdc = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default = SYSLOG:NOTICE

    Server's kdc.conf
    -----------------------
    [kdcdefaults]
    kdc_listen = 88
    kdc_tcp_listen = 88
    spake_preauth_kdc_challenge = edwards25519

    [realms]
    EXAMPLE.COM = {
    database_name = /var/lib/krb5kdc/principal
    acl_file = /var/lib/krb5kdc/kadm5.acl
    key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
    kdc_listen = 88
    kdc_tcp_listen = 88
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    }

    Client's keytab
    -------------------
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    3 host/server.example.com@EXAMPLE.COM
    3 host/server.example.com@EXAMPLE.COM
    3 nfs/server.example.com@EXAMPLE.COM
    3 nfs/server.example.com@EXAMPLE.COM
    3 nfs/client.example.com@EXAMPLE.COM
    3 nfs/client.example.com@EXAMPLE.COM

    /etc/resolv.conf
    --------------
    domain example.com
    nameserver 192.168.0.1
    nameserver 8.8.8.8

    /etc/hosts
    -------------
    127.0.0.1 localhost.localdomain localhost
    ::1 localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

    If someone has a moment, could you look at the logs and tell me if
    anything jumps out at you as my problem?

    Thanks in advance,

    Chris
