Add -sec=sys to NFS when using Kerberos keytabs
I tried switching to the nightly builds and upon rebooting found two issues.
1) the stored config reported a network/host conflict for any export with a host restriction:
Jun 9 21:08:34 freenas mountd3295: network/host conflict
Jun 9 21:08:34 freenas mountd3295: bad exports list line '/mnt/ark/web -maproot'
2) resolving the host restriction error did not result in functional nfs. no clients were able to interact with the system.
no errors were reported on the freenas side.
switching back to 11.1u4 brought things back to normal. I will setup a VM for further testing.
#1 Updated by Dru Lavigne about 3 years ago
- Status changed from Unscreened to Blocked
- Private changed from No to Yes
- Reason for Blocked set to Need additional information from Author
Mark: once you have a chance to test and reproduce, please attach a debug (System -> Advanced -> Save Debug) to this ticket.
#2 Updated by Mark Guzman about 3 years ago
Tried the latest nightly. Similar issues. I've got things working at this point but there were a few issues to work around. It all looks to stem from the exports file construction.
On first boot from a working 11.1u4:
Jun 16 02:16:32 freenas mountd: network/host conflict Jun 16 02:16:32 freenas mountd: bad exports list line '/mnt/ark/homes -alldirs -maproot'
The file that leads to that looks like:
/mnt/ark/homes -alldirs -maproot="root":"wheel" -sec=sys -network 192.168.1.0/24 -network 10.0.1.0/24 -network 10.0.0.0/24 -network 192.168.14.0/24
Removing the network specs gets us further but I still can't mount from any nfsv4 clients. On linux clients I'm seeing error messages like:
NFS: state manager: check lease failed on NFSv4 server freenas with error 10016
According to the RFC this is telling the client we're not agreed on the security flavor
/// NFS4ERR_WRONGSEC = 10016,/* wrong security flavor */
Looking at the exports file I noticed
V4: / -sec=krb5:krb5i:krb5p
Changing that to
V4: / -sec=syshas mounts working.
I've tried adding back the network restrictions but as soon as I add more than one I get the "network/host conflict" error. This holds when the networks are directly connected and the freenas host has addresses assigned on them.
It's functional now and I plan on leaving it running this way to get the recent nfsv4 leak fixes. Let me know if there's any other debugging I can/should do.
#9 Updated by Mark Guzman almost 3 years ago
This isn't related to #31065, I only reference it because that ticket causes crashes on this system. This looks to be limited to the code that generates /etc/exports and the addition of a default nfsv4 config line which supersedes and conflicts with the older nfsv3 definitions.
I'm not sure about the network mask behavior, at some point in the mountd history I think there was a limitation of one subnet mask.
#10 Updated by Mark Guzman almost 3 years ago
Looking at the code I believe it's https://github.com/freenas/freenas/blob/7b9d1b84f90ecb8c3e7f6f47a657726e3e1698f5/src/middlewared/middlewared/etc_files/nfsd.py#L13
It looks like this was added about a month ago and assumes that anyone who has kerberos enabled for auth will want kerberized nfs.