Bug #34744

Add -sec=sys to NFS when using Kerberos keytabs

Added by Mark Guzman about 1 year ago. Updated 12 months ago.

Status: Done
Priority: No priority
Assignee: Vladimir Vinogradenko
Category: Middleware
Target version:
Severity: Medium
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

I tried switching to the nightly builds and upon rebooting found two issues.

1) The stored config reported a network/host conflict for any export with a host restriction:
Jun 9 21:08:34 freenas mountd3295: network/host conflict
Jun 9 21:08:34 freenas mountd3295: bad exports list line '/mnt/ark/web -maproot'

2) Resolving the host restriction error did not result in functional NFS. No clients were able to interact with the system.
No errors were reported on the FreeNAS side.

Switching back to 11.1u4 brought things back to normal. I will set up a VM for further testing.

Associated revisions

Revision e4521762 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(nfs): add -sec=sys if we have kerberos keytabs

It was lost when porting sh -> python

Ticket: #34744

Revision 5ea1d589 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(nfs): Fix invalid syntax for multiple networks

Ticket: #34744

Revision f3fedd84 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(nfs): add -sec=sys if we have kerberos keytabs

It was lost when porting sh -> python

Ticket: #34744

Revision 9c2851e0 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(nfs): Fix invalid syntax for multiple networks

Ticket: #34744

History

#1 Updated by Dru Lavigne about 1 year ago

  • Status changed from Unscreened to Blocked
  • Private changed from No to Yes
  • Reason for Blocked set to Need additional information from Author

Mark: once you have a chance to test and reproduce, please attach a debug (System -> Advanced -> Save Debug) to this ticket.

#2 Updated by Mark Guzman about 1 year ago

Tried the latest nightly. Similar issues. I've got things working at this point but there were a few issues to work around. It all looks to stem from the exports file construction.
On first boot from a working 11.1u4:

Jun 16 02:16:32 freenas mountd[3064]: network/host conflict
Jun 16 02:16:32 freenas mountd[3064]: bad exports list line '/mnt/ark/homes -alldirs -maproot'

The file that leads to that looks like:

/mnt/ark/homes -alldirs -maproot="root":"wheel" -sec=sys -network 192.168.1.0/24 -network 10.0.1.0/24 -network 10.0.0.0/24 -network 192.168.14.0/24

Removing the network specs gets us further but I still can't mount from any NFSv4 clients. On Linux clients I'm seeing error messages like:

NFS: state manager: check lease failed on NFSv4 server freenas with error 10016

According to the RFC this is telling the client we're not agreed on the security flavor

///  NFS4ERR_WRONGSEC       = 10016,/* wrong security flavor    */

Looking at the exports file I noticed

V4: / -sec=krb5:krb5i:krb5p

Changing that to
V4: / -sec=sys
has mounts working.

I've tried adding back the network restrictions but as soon as I add more than one I get the "network/host conflict" error. This holds when the networks are directly connected and the freenas host has addresses assigned on them.

It's functional now and I plan on leaving it running this way to get the recent nfsv4 leak fixes. Let me know if there's any other debugging I can/should do.
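
The two export-file problems described in the comment above can be checked for mechanically. This is an added example, not part of the original comment and not FreeNAS code. It assumes that mountd takes one `-network` per export line (inferred from the rejected line and the later "multiple networks" fix) and that a line without `-sec=` defaults to `sys`; the function names are hypothetical.

```python
import re

# Constructed sample, modeled on the export and V4: lines quoted in the ticket.
SAMPLE_EXPORTS = """\
/mnt/ark/homes -alldirs -maproot="root":"wheel" -sec=sys -network 192.168.1.0/24 -network 10.0.1.0/24
/mnt/ark/web -maproot="root":"wheel" -sec=sys -network 10.0.0.0/24
V4: / -sec=krb5:krb5i:krb5p
"""

SEC_RE = re.compile(r"-sec=(\S+)")
NET_RE = re.compile(r"-network(?:\s+|=)(\S+)")


def sec_flavors(line):
    """Flavors named by -sec=; assumed to default to sys when the option is absent."""
    m = SEC_RE.search(line)
    return set(m.group(1).split(":")) if m else {"sys"}


def lint_exports(text):
    """Return (line_number, message) findings for the two problems in the ticket."""
    rows = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)]
    rows = [(n, l) for n, l in rows if l and not l.startswith("#")]
    v4_rows = [(n, sec_flavors(l)) for n, l in rows if l.startswith("V4:")]
    findings = []
    for n, line in rows:
        if line.startswith("V4:"):
            continue
        nets = NET_RE.findall(line)
        if len(nets) > 1:
            findings.append((n, f"{len(nets)} -network options on one line"))
        for v4_n, v4_sec in v4_rows:
            if not sec_flavors(line) & v4_sec:
                findings.append((n, f"no -sec flavor shared with V4: line {v4_n}"))
    return findings


def split_networks(line):
    """Rewrite one export line as one line per -network (paths without spaces)."""
    nets = NET_RE.findall(line)
    if len(nets) <= 1:
        return [line]
    base = NET_RE.sub("", line).split()
    return [" ".join(base + ["-network", net]) for net in nets]


if __name__ == "__main__":
    for n, msg in lint_exports(SAMPLE_EXPORTS):
        print(f"line {n}: {msg}")
```

Run against a generated `/etc/exports` before restarting mountd, this flags both the line mountd would reject and the share whose flavors the `V4:` line does not allow, which otherwise only surfaces on clients as error 10016.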

#3 Updated by Mark Guzman about 1 year ago

I had to reboot because of #31065 and I tried a few different things including removing the V4 line which did not work.

#4 Updated by Dru Lavigne about 1 year ago

Mark: please attach a debug to this ticket.

#5 Updated by Mark Guzman about 1 year ago

I just tried to do that and it resulted in a reboot (I assume due to #31065). I'll send along the crash dump shortly and maybe the config dump from freenas-debug. Running all of the outputs doesn't seem viable.

#6 Updated by Mark Guzman about 1 year ago

  • File fndebug-postboot-20180617.tgz added

I ran it post boot prior to editing the exports file so there were no nfs connections.

#7 Updated by Dru Lavigne about 1 year ago

  • Assignee changed from Release Council to Alexander Motin

Sasha: this may or may not be a dupe of 31065.

#8 Updated by Dru Lavigne about 1 year ago

  • Status changed from Blocked to Unscreened
  • Reason for Blocked deleted (Need additional information from Author)

#9 Updated by Mark Guzman about 1 year ago

This isn't related to #31065, I only reference it because that ticket causes crashes on this system. This looks to be limited to the code that generates /etc/exports and the addition of a default nfsv4 config line which supersedes and conflicts with the older nfsv3 definitions.

I'm not sure about the network mask behavior, at some point in the mountd history I think there was a limitation of one subnet mask.

#10 Updated by Mark Guzman about 1 year ago

Looking at the code I believe it's https://github.com/freenas/freenas/blob/7b9d1b84f90ecb8c3e7f6f47a657726e3e1698f5/src/middlewared/middlewared/etc_files/nfsd.py#L13
It looks like this was added about a month ago and assumes that anyone who has kerberos enabled for auth will want kerberized nfs.

#11 Updated by Alexander Motin about 1 year ago

  • Category changed from OS to Middleware
  • Assignee changed from Alexander Motin to Vladimir Vinogradenko

#12 Updated by Vladimir Vinogradenko about 1 year ago

  • Status changed from Unscreened to Ready for Testing

#13 Updated by Dru Lavigne about 1 year ago

  • Needs Merging changed from Yes to No

#14 Updated by Dru Lavigne about 1 year ago

  • File deleted (fndebug-postboot-20180617.tgz)

#15 Updated by Dru Lavigne about 1 year ago

  • Subject changed from nfs non-functional in nightlies to Add -sec=sys to NFS if when using Kerberos keytabs
  • Needs Doc changed from Yes to No

#16 Updated by Dru Lavigne about 1 year ago

  • Private changed from Yes to No

#17 Updated by Alexander Motin about 1 year ago

I suspect that the patch could fix only the second part of the report, while multiple networks may still be broken, since there was a behavior change while porting the code to middlewared, and I suspect that the new one is broken.

#18 Updated by Dru Lavigne about 1 year ago

Master PR for additional fix: https://github.com/freenas/freenas/pull/1398

#19 Updated by Dru Lavigne about 1 year ago

  • Target version changed from Backlog to 11.2-BETA1
  • Seen in changed from 11.2-BETA1 to Master - FreeNAS Nightlies

#20 Updated by Dru Lavigne about 1 year ago

  • Subject changed from Add -sec=sys to NFS if when using Kerberos keytabs to Add -sec=sys to NFS when using Kerberos keytabs

#21 Updated by Dru Lavigne 12 months ago

  • Status changed from Ready for Testing to Done
