Bug #7775

Can't get NFSv4/kerberos to work

Added by Eric Bledsoe over 5 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Nice to have
Assignee: Josh Paetzel
Category: OS
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

As detailed here:
https://forums.freenas.org/index.php?threads/cant-get-nfs-v4-kerberos-to-work.26753/
I also could not get NFSv4/kerberos to work with either FreeBSD 9.3 or Linux (CentOS 7) clients.

I found a solution, probably not THE solution, but a solution. Also note that I was focusing solely on NFSv4 so this certainly may break something else.

Here are the three steps I took to make it work.

1)
In /etc/hosts comment out:

127.0.0.1   freenas freenas.example.com

This allows nfsd to register with gssd.

2)
Change /etc/exports from:

V4: /
/mnt/pool/test_krb5  -sec=krb5:krb5i:krb5p

To:

V4: / -sec=krb5:krb5i:krb5p
/mnt/pool/test_krb5  -sec=krb5:krb5i:krb5p

This allows SETCLIENTID opcodes to proceed.

3)
At a root prompt:

 service gssd stop
 service nfsd stop
 service mountd stop

 service gssd start
 service nfsd start  (this will also start mountd)

Mounts from both FreeBSD and CentOS 7 now work, however the very first write to a file hangs for roughly 60 seconds. Certainly may be a config issue that I haven't discovered. However everything seems to work as expected on subsequent reads/writes.

Oh and this was seen in FreeNAS-9.3-STABLE-201501301837 however that wasn't an option in the dropdown (yet).

ix-nfsd (2.79 KB) ix-nfsd Josh Paetzel, 02/01/2015 08:25 AM
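
An added example, not part of the original report or the FreeNAS code: a POSIX sh check for the two configuration conditions changed in steps 1 and 2 of the description, run here against constructed copies of /etc/hosts and /etc/exports. The function names and the 192.0.2.10 address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the ticket: checks the two server-side conditions
# the reporter changed. File paths are arguments so copies can be inspected.

# Print hosts-file lines that map NAME to a loopback address.
loopback_entries() {    # usage: loopback_entries HOSTS_FILE NAME
    awk -v name="$2" '
        { sub(/#.*/, "") }                      # ignore comments
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++)
                if ($i == name) { print; next }
        }' "$1"
}

# Succeed only if every "V4:" line lists at least one krb5 flavor in -sec=.
v4_line_allows_krb5() { # usage: v4_line_allows_krb5 EXPORTS_FILE
    awk '
        { sub(/#.*/, "") }
        $1 == "V4:" {
            seen = 1; ok = 0
            for (i = 2; i <= NF; i++)
                if (($i ":") ~ /^-sec=([a-z0-9]+:)*krb5[ip]?:/) ok = 1
            if (!ok) bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }' "$1"
}

# Constructed sample files: "before" and "after" states from the report.
# 192.0.2.10 is a placeholder address, not a value from the ticket.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '127.0.0.1   freenas freenas.example.com\n' > "$tmp/hosts.before"
printf '#127.0.0.1   freenas freenas.example.com\n192.0.2.10 freenas freenas.example.com\n' > "$tmp/hosts.after"
printf 'V4: /\n/mnt/pool/test_krb5  -sec=krb5:krb5i:krb5p\n' > "$tmp/exports.before"
printf 'V4: / -sec=krb5:krb5i:krb5p\n/mnt/pool/test_krb5  -sec=krb5:krb5i:krb5p\n' > "$tmp/exports.after"

for state in before after; do
    [ -z "$(loopback_entries "$tmp/hosts.$state" freenas.example.com)" ] ||
        echo "$state: freenas.example.com maps to loopback in hosts file"
    v4_line_allows_krb5 "$tmp/exports.$state" ||
        echo "$state: V4: line has no krb5 flavor in -sec="
done
```

On a live server the same functions can be pointed at /etc/hosts and /etc/exports with the machine's own fully qualified name.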

Associated revisions

Revision 8cd9e52e (diff)
Added by Josh Paetzel over 5 years ago

NFSv4 changes to allow working kerberized NFSv4. Ticket: #7775 Note that the export man page is just plain wrong, and because of this I'm not entirely sure the addition of a "require kerberos" checkbox is even needed. It's there to explicitly allow AUTH_SYS NFSv4, although even without it, it seems that if you allow AUTH_SYS to a specific share that will work. I will consult with Rick Macklem, but for the moment we *know* this works.

Revision cb9477b0 (diff)
Added by Josh Paetzel over 5 years ago

NFSv4 changes to allow working kerberized NFSv4. Ticket: #7775 Note that the export man page is just plain wrong, and because of this I'm not entirely sure the addition of a "require kerberos" checkbox is even needed. It's there to explicitly allow AUTH_SYS NFSv4, although even without it, it seems that if you allow AUTH_SYS to a specific share that will work. I will consult with Rick Macklem, but for the moment we *know* this works. (cherry picked from commit 8cd9e52e34db53294e0fc5432a91ecd3780ae20a)

History

#1 Updated by Eric Bledsoe over 5 years ago

Meant to say, in case it wasn't obvious, these changes were made on the FreeNAS box not the clients.

#2 Updated by Jordan Hubbard over 5 years ago

  • Assignee set to Josh Paetzel
  • Target version set to Unspecified

#3 Updated by Josh Paetzel over 5 years ago

  • Status changed from Unscreened to Screened

So you never started mountd? Wouldn't that break NFSv3?

#4 Updated by Eric Bledsoe over 5 years ago

Josh Paetzel wrote:

So you never started mountd? Wouldn't that break NFSv3?

"service nfsd start" also started mountd.

#5 Updated by Josh Paetzel over 5 years ago

Ok, I can see right now this is going to require some fairly major refactoring. The whole "NFSv4" checkbox in services -> NFS will need to go away. Instead there will need to be an NFSv4 share created.

A file called ix-nfsd creates /etc/exports. I've attached a cooked version of it, could you try installing it to /conf/base/etc/ix.rcd/ix-nfsd on your system and rebooting? The desired outcome is working NFSv4 after a reboot. (I think it should work, /etc/exports will get generated correctly before gssd or nfsd are started, so those shouldn't need to get restarted, and I think the /etc/hosts change is a red herring)

#6 Updated by Josh Paetzel over 5 years ago

  • Status changed from Screened to 15

#7 Updated by Eric Bledsoe over 5 years ago

That did create the correct /etc/exports file. After fixing /etc/hosts mounts work as expected.

The change to /etc/hosts is absolutely NOT a red herring, at least in my environment (may not be needed if the KDC is running on the FreeNAS box?). With that line left in both v3 or v4 krb5(x) mounts do NOT work. I found that by truss'ing either nfsd or gssd or both, can't remember for sure. When I saw that it opened /etc/hosts while nfsd was starting up I realized what was happening, at least partially. Also when the line is left uncommented in /etc/hosts on the console I see "nfsd: can't register svc name" when nfsd is starting.

I didn't think I had "All Directories" checked, it is now however. That may very well be a red herring.

#8 Updated by Jordan Hubbard over 5 years ago

  • Status changed from 15 to Screened

#9 Updated by Josh Paetzel over 5 years ago

  • Seen in changed from to

#10 Updated by Josh Paetzel over 5 years ago

Dru,

The screenshot for NFS Services has changed, I added a checkbox called Require Kerberos.

Eric,

Can you test tonight's nightly please?

#11 Updated by Josh Paetzel over 5 years ago

  • Status changed from Screened to Resolved

#12 Updated by Josh Paetzel over 5 years ago

  • Status changed from Resolved to 19

#13 Updated by Josh Paetzel over 5 years ago

  • Status changed from 19 to Ready For Release

#14 Updated by Jordan Hubbard over 5 years ago

  • Status changed from Ready For Release to Resolved

#15 Updated by Kris Moore about 4 years ago

  • Target version changed from Unspecified to N/A
