cannot mount nfs share -o sec=krb5p

Chris Gorman chrisjohgorman at gmail.com
Tue May 23 20:30:15 EDT 2023


Hello list,

I am trying to build a linux from scratch system with nfs4 and
kerberos.  Somewhere along the lines I have deviated from what distros
like arch linux have done as I can't mount an nfs share with anything
but -o sec=sys.  I have tried to follow arch's build scripts for
nfs-utils-2.6.3 and gssproxy-0.9.1.  Both are installed and working as
far as I can tell.  I may yet need to rebuild a package due to
circular dependencies.  I don't know if this is my problem, or if it
lies elsewhere.

I have successfully set up a krb5 server on one of my arch systems,
but want to have the service running on LFS.

So I have two machines at the moment, server and client at domain
example.com with realm EXAMPLE.COM.  The client is an arch linux
system and was the previous server.  I could get nfs shares mounted
when I had the arch system as the server.  I can no longer mount
shares when using the LFS machine as the server.

I have tried turning on nfs debugging with rpcdebug and the attached
files are the relevant output from journalctl. The client's log is
attached as client.log and the server's log is server.log.  The logs
are logs of a mount call from the client to the server.

sudo mount -vvv -t nfs4 -o sec=krb5p server.example.com:/home /home/nfs

This call produces the following output.

mount.nfs4: mount(2): Permission denied
mount.nfs4: mount(2): Permission denied
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting server.example.com:/home
mount.nfs4: timeout set for Tue May 23 19:03:05 2023
mount.nfs4: trying text-based options
'sec=krb5p,vers=4.2,addr=192.168.0.1,clientaddr=192.168.0.2'
mount.nfs4: trying text-based options
'sec=krb5p,vers=4,minorversion=1,addr=192.168.0.1,clientaddr=192.168.0.2'
mount.nfs4: trying text-based options
'sec=krb5p,vers=4,addr=192.168.0.1,clientaddr=192.168.0.2'

My kerberos information follows

Client's krb5.conf
-----------------------
[libdefaults]
        default_realm = EXAMPLE.COM
        encrypt = true

[realms]
        EXAMPLE.COM = {
                admin_server = server.example.com
                kdc = server.example.com

                pkinit_anchors = FILE:/etc/krb5/cacert.pem
                pkinit_identity = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
        }

[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

[logging]
        kdc = SYSLOG:NOTICE
        admin_server = SYSLOG:NOTICE
        default = SYSLOG:NOTICE

Server's krb5.conf
------------------------
[libdefaults]
            default_realm = EXAMPLE.COM
            encrypt = true

[realms]
        EXAMPLE.COM = {
                admin_server = server.example.com
                kdc = server.example.com

                kdc_tcp_ports   = 88
                allow_pkinit    = yes
                pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
                pkinit_anchors  = FILE:/var/lib/krb5kdc/cacert.pem
        }

[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

[logging]
        kdc = SYSLOG:NOTICE
        admin_server = SYSLOG:NOTICE
        default = SYSLOG:NOTICE

Server's kdc.conf
-----------------------
[kdcdefaults]
        kdc_listen = 88
        kdc_tcp_listen = 88
        spake_preauth_kdc_challenge = edwards25519

[realms]
        EXAMPLE.COM = {
                database_name = /var/lib/krb5kdc/principal
                acl_file = /var/lib/krb5kdc/kadm5.acl
                key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
                kdc_listen = 88
                kdc_tcp_listen = 88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
        }

Client's keytab
-------------------
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM

/etc/resolv.conf
--------------
domain example.com
nameserver 192.168.0.1
nameserver 8.8.8.8

/etc/hosts
-------------
127.0.0.1 localhost.localdomain localhost
::1       localhost ip6-localhost ip6-loopback
ff02::1   ip6-allnodes
ff02::2   ip6-allrouters

If someone has a moment, could you look at the logs and tell me if
anything jumps out at you as my problem?

Thanks in advance,

Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.log
Type: text/x-log
Size: 2853 bytes
Desc: not available
URL: <http://mailman.mit.edu/pipermail/kerberos/attachments/20230523/3fc53a55/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: client.log
Type: text/x-log
Size: 18396 bytes
Desc: not available
URL: <http://mailman.mit.edu/pipermail/kerberos/attachments/20230523/3fc53a55/attachment-0001.bin>
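The keytab listing above is the first thing to check on a krb5 NFS client. The following is an added example, not code from the poster or from nfs-utils: it parses the text that `klist -k` prints, works out which entry rpc.gssd would use as the machine credential, and lists service keys that belong to a different host than the one the keytab lives on. The search order `root`, `nfs`, `host` is taken from the rpc.gssd(8) man page and is an assumption of this example, as is the hostname passed in; the keytab text embedded below is the client listing from the post with `@` restored.

```python
"""Audit a `klist -k` listing for an NFSv4 Kerberos client or server.

Added example for this thread (not the poster's code, not part of nfs-utils).
It answers two questions a defender asks when sec=krb5p fails:
  1. Does this host hold a principal rpc.gssd can use for its machine context?
  2. Does the keytab carry keys for *other* hosts' services?  Those are not
     needed on this machine and widen the blast radius if the file leaks.
"""
import re
from collections import defaultdict

# Service names rpc.gssd tries for the machine credential, in the order the
# rpc.gssd(8) man page gives.  Assumption of this example, not from the thread.
GSSD_MACHINE_SERVICES = ("root", "nfs", "host")

# One keytab entry per line: "<kvno> <principal>".  Header, separator and the
# "Keytab name:" line do not start with digits and are skipped by the regex.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist(text):
    """Return {principal: [kvno, kvno, ...]} from `klist -k` output.

    A principal appears once per key entry, so two lines with the same KVNO
    normally mean two encryption types for the same key version.
    """
    entries = defaultdict(list)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries[m.group(2)].append(int(m.group(1)))
    return dict(entries)


def split_principal(principal):
    """'nfs/host.example.com@EXAMPLE.COM' -> ('nfs', 'host.example.com', 'EXAMPLE.COM')."""
    name, _, realm = principal.rpartition("@")
    service, _, instance = name.partition("/")
    return service, instance, realm


def machine_credential(entries, hostname, realm):
    """Principal rpc.gssd would select for this host, or None if none fits."""
    for service in GSSD_MACHINE_SERVICES:
        candidate = f"{service}/{hostname}@{realm}"
        if candidate in entries:
            return candidate
    return None


def foreign_service_keys(entries, hostname):
    """Service principals whose instance names some host other than this one."""
    foreign = []
    for principal in entries:
        _, instance, _ = split_principal(principal)
        if instance and instance.lower() != hostname.lower():
            foreign.append(principal)
    return sorted(foreign)


def audit(text, hostname, realm):
    """Run both checks over a `klist -k` listing and return a report dict."""
    entries = parse_klist(text)
    return {
        "machine_credential": machine_credential(entries, hostname, realm),
        "foreign_service_keys": foreign_service_keys(entries, hostname),
        "kvno_by_principal": {p: sorted(set(k)) for p, k in entries.items()},
    }


# The client keytab listing from the post, reproduced here as sample input.
CLIENT_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    # Hostname is an assumption: pass the client's canonical FQDN as the
    # kernel/rpc.gssd see it (`hostname -f`).
    report = audit(CLIENT_KEYTAB, "client.example.com", "EXAMPLE.COM")
    print("machine credential for rpc.gssd:", report["machine_credential"])
    for principal in report["foreign_service_keys"]:
        print("service key for another host present:", principal)
```

Run against the listing in the post, the audit reports `nfs/client.example.com@EXAMPLE.COM` as the usable machine credential, so the client side has what rpc.gssd needs; it also reports `host/server.example.com` and `nfs/server.example.com` as keys for another host, which a client keytab does not need and which should be kept only in the server's keytab. Use `klist -ke` to confirm that the paired lines with the same KVNO are two encryption types rather than stale duplicates.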

