[Bug 270592] nfsv4 /etc/exports with -sec=krb5p gives permission denied

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 02 Apr 2023 01:18:15 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270592

            Bug ID: 270592
           Summary: nfsv4 /etc/exports with -sec=krb5p gives permission
                    denied
           Product: Base System
           Version: 13.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: conf
          Assignee: bugs@FreeBSD.org
          Reporter: me@svmhdvn.name

Testing environment:
* server: FreeBSD 13.1-RELEASE running KDC inside jail (MIT kerberos
security/krb5 from ports) and base NFSv4 server in the jailhost (nfs.my.domain)
* client: Alpine Linux edge with MIT kerberos (client.local)

I have set up Kerberos host principals correctly in each of the server and
client keytabs, and acquired a user principal ticket that corresponds to the
same user on both the client and server.

TESTS:

**Test #1**:

/etc/exports in the server:

V4: /nfshome -sec=krb5p
/nfshome -sec=krb5p

When mounting in the client:
# mount nfs.my.domain:/ /mnt
mount.nfs: access denied by server while mounting nfs.my.domain:/
mount: mounting nfs.my.domain:/ on /mnt failed: Permission denied

I can see in this test that on the server, gssd logs the correct principal->uid
mapping and the request is clearly coming through.

**Test #2**:

/etc/exports in the server:

V4: /nfshome -sec=krb5p:krb5i
/nfshome -sec=krb5p:krb5i

When mounting in the client:
# mount nfs.my.domain:/ /mnt
#

The mount completes successfully and I am able to read/write files to the NFS
share. When I look at the mount information:

$ mount
[...]
nfs.my.domain:/ on /mnt type nfs4
(rw,nosuid,nodev,noexec,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.0.11,local_lock=none,addr=192.168.0.201)

It indicates a successful mount of -sec=krb5p.

**Test #3**:

/etc/exports in the server:

V4: /nfshome -sec=krb5i
/nfshome -sec=krb5i

When mounting in the client:
# mount nfs.my.domain:/ /mnt
#

The mount completes successfully and I am able to read/write files to the NFS
share. When I look at the mount information:

$ mount
[...]
nfs.my.domain:/ on /mnt type nfs4
(rw,nosuid,nodev,noexec,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5i,clientaddr=192.168.0.11,local_lock=none,addr=192.168.0.201)

It indicates a successful mount of -sec=krb5i.

CONCLUSION:

I expect that when the server exports are listed as in Test #1, I should
successfully be able to mount as -sec=krb5p. Why am I getting "permission
denied" in this case, but not in Test #2?

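The three /etc/exports configurations above differ only in the -sec= flavor list on the V4: root line and the export line. The following added example (not part of the bug report or of FreeBSD) parses such lines, reports which flavors both lines have in common, and flags exports whose weakest accepted flavor falls below a chosen floor; it assumes the flavor names and AUTH_SYS default documented in exports(5) and interprets no option other than -sec=.

```python
import re

# Security flavors accepted by exports(5) -sec=, weakest to strongest:
# sys offers no Kerberos, krb5 authenticates only, krb5i adds integrity
# checking, krb5p adds privacy (encryption) of the RPC payload.
STRENGTH = {"sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}

def parse_exports(text):
    """Parse FreeBSD /etc/exports lines into (path, is_v4_root, flavors).
    Only -sec= is interpreted; other options are skipped. A line without
    -sec= gets the exports(5) default of AUTH_SYS ("sys")."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        is_v4 = tokens[0] == "V4:"            # NFSv4 pseudo-root line
        if is_v4:
            tokens = tokens[1:]
        paths = [t for t in tokens if t.startswith("/")]
        flavors = ["sys"]
        for tok in tokens:
            m = re.fullmatch(r"-sec=([A-Za-z0-9:]+)", tok)
            if m:
                flavors = m.group(1).split(":")
        unknown = [f for f in flavors if f not in STRENGTH]
        if unknown:
            raise ValueError(f"unknown security flavor(s) {unknown} in: {raw}")
        entries.append((paths[0] if paths else "", is_v4, flavors))
    return entries

def weakest_flavor(flavors):
    """The least protective flavor a client may negotiate from this list."""
    return min(flavors, key=STRENGTH.__getitem__)

def shared_flavors(entries):
    """Flavors listed on every entry (V4: root and exports alike)."""
    sets = [set(f) for _, _, f in entries]
    return sorted(set.intersection(*sets), key=STRENGTH.__getitem__) if sets else []

def exports_below(text, minimum="krb5i"):
    """Audit helper: paths whose weakest accepted flavor is below `minimum`."""
    return [p for p, _, f in parse_exports(text)
            if STRENGTH[weakest_flavor(f)] < STRENGTH[minimum]]

# The three server configurations from the report, reproduced verbatim.
EXPORTS_TEST1 = "V4: /nfshome -sec=krb5p\n/nfshome -sec=krb5p\n"
EXPORTS_TEST2 = "V4: /nfshome -sec=krb5p:krb5i\n/nfshome -sec=krb5p:krb5i\n"
EXPORTS_TEST3 = "V4: /nfshome -sec=krb5i\n/nfshome -sec=krb5i\n"
```

Running exports_below over a real /etc/exports with minimum="krb5p" lists every export that would still accept a non-encrypted flavor, which is the check to pair with the Test #2 configuration before relying on it.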