From: Rick Macklem (rmacklem@uoguelph.ca)
To: Arno Thuber, freebsd-fs@freebsd.org
Subject: Re: Kerberized NFSv4: wrong security flavor
Date: Sun, 6 Feb 2022 21:20:50 +0000
List-Id: Filesystems
List-Archive: https://lists.freebsd.org/archives/freebsd-fs
Arno Thuber wrote:
> Hello there,
>
> for weeks I've been trying to get kerberized NFSv4 working on a FreeBSD server.
> Originally I tried using a Linux client which didn't work, so I now switched
> to a FreeBSD client which doesn't work either but with another error.
> Remark: Linux server and client are working with the same KDC.
>
> It feels I've read each and every tutorial on kerberized NFS but just don't
> see the error.
>
> But now for the error on the FreeBSD client:
> root@freebsd-client: # mount -vvv -o nfsv4,sec=krb5 freebsd.fqdn:/srv/nfsshare /mnt/nfs/
> mount_nfs: nmount: /mnt/nfs, wrong security flavor

On the server, you must have sec=krb5 on the exports line(s)
for the file system and on the "V4:" line.

On the client, you either have to have a valid TGT in the cred. cache
for uid 0
OR
have a host-based Kerberos principal in /etc/krb5.keytab that looks like:

host/<client FQDN>@YOUR.REALM
For example:
host/nfs-client.my.dns.domain@MY.REALM
(Not host/nfs-client@MY.REALM or host/Nfs-Client@MY.REALM)
You can check this keytab entry works by doing
# kinit -k host/nfs-client.my.dns.domain
# klist
--> You should have a TGT in the root credential cache.
(When the gssd does this, it will end up in /tmp/krb5cc_gssd, but
kinit -k will put it in /tmp/krb5cc_0, which is ok, since kinit -k is
just testing the keytab entry.)

--> Then you must specify "gssname=host" as an argument for the mount.
The gssd must be running on both client and server.

If you still don't get it working, run the gssd with "-v" and look at
log messages (I think it does LOG_DAEMON | LOG_INFO to syslogd).

If you post again, include the /etc/exports file that you have on the server.

rick
ps: It used AUTH_SYS below as a fallback, since it could not create/find
a TGT, I think?

> And what Wireshark shows fits the message:
> Remote Procedure Call, Type:Call XID:0x69cd8522
>     Fragment header: Last fragment, 152 bytes
>     XID: 0x69cd8522 (1775076642)
>     Message Type: Call (0)
>     RPC Version: 2
>     Program: NFS (100003)
>     Program Version: 4
>     Procedure: COMPOUND (1)
>     [The reply to this request is in frame 16]
>     Credentials
>         Flavor: AUTH_UNIX (1)
>         Length: 56
>         Stamp: 0x61ffd269
>         Machine Name: freebsd-client.local.eyserver.de
>             length: 32
>             contents: freebsd-client.local.eyserver.de
>         UID: 0
>         GID: 0
>         Auxiliary GIDs (1) [5]
>     Verifier
>         Flavor: AUTH_NULL (0)
>         Length: 0
>
> GSSD is running and also seems to be in the loop (shows output on mount when
> run as gssd -vhd) but it seems to ignore the request for krb5 right away.
> Do you have any ideas on this? Or at least what I can do to debug this?
>
> FreeBSD used is 13.0-RELEASE.
>
> Regards,
> Arno
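As an added example (not part of the thread, and not FreeBSD project code), the checklist in Rick's reply turned into a preflight script. The exports(5) check and the principal-name check are pure string functions, so they run anywhere against the constructed sample exports text embedded below; the live checks (ktutil, kinit -k, klist, pgrep gssd) only run when invoked with --live as root on the NFS client. The realm MY.REALM, the paths /srv and /srv/nfsshare, and the sample exports lines are assumptions. The lower-case requirement on the FQDN is my reading of the "Not host/Nfs-Client@MY.REALM" example together with the fact that Kerberos principal names are case-sensitive.

```shell
#!/bin/sh
# Added example for the "wrong security flavor" thread; not from the thread
# itself. REALM, the paths and the sample exports text are constructed.
REALM=${REALM:-MY.REALM}

# Flavors one exports(5) line allows; exports(5) defaults to sys without -sec.
line_sec_flavors() {
    sec=$(printf '%s\n' "$1" | sed -n 's/.*-sec=\([^[:space:]]*\).*/\1/p')
    printf '%s\n' "${sec:-sys}"
}

# True if exports line $1 allows flavor $2 (krb5, krb5i, krb5p or sys).
line_allows_flavor() {
    old_ifs=$IFS
    IFS=:
    for f in $(line_sec_flavors "$1"); do
        if [ "$f" = "$2" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# True if line $1 exports directory $2 (directories precede the first -option).
line_exports_path() {
    printf '%s\n' "$1" | awk -v p="$2" '{
        for (i = 1; i <= NF; i++) { if ($i ~ /^-/) exit 1; if ($i == p) exit 0 }
        exit 1 }'
}

# Rick's server-side point: flavor $3 must be allowed on every exports line
# for $2 AND on the V4: line. $1 is the exports(5) text. Returns 0 when so.
check_exports() {
    found_fs=0 found_v4=0 ok=1
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        case $line in
            V4:*) found_v4=1
                  line_allows_flavor "$line" "$3" || ok=0 ;;
            *)    if line_exports_path "$line" "$2"; then
                      found_fs=1
                      line_allows_flavor "$line" "$3" || ok=0
                  fi ;;
        esac
    done <<EOF
$1
EOF
    [ "$found_fs" -eq 1 ] && [ "$found_v4" -eq 1 ] && [ "$ok" -eq 1 ]
}

# Rick's client-side point: the keytab entry is host/<FQDN>@REALM with the
# full, lower-case DNS name (host/nfs-client.my.dns.domain@MY.REALM), not
# host/nfs-client@MY.REALM or host/Nfs-Client@MY.REALM.
valid_host_principal() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq \
        '^host/[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+@[A-Z0-9.-]+$'
}

# Live checks, run as root on the client (FreeBSD base Heimdal tools).
live_client_checks() {
    princ="host/$(hostname)"   # hostname must be the FQDN gssd will look up
    valid_host_principal "$princ@$REALM" ||
        echo "hostname '$(hostname)' is not a lower-case FQDN; gssd will use the wrong principal"
    if ktutil -k /etc/krb5.keytab list 2>/dev/null | grep -q "$princ@"; then
        echo "keytab has $princ"
    else
        echo "no $princ entry in /etc/krb5.keytab"
    fi
    # The test from the thread: kinit -k only exercises the keytab entry; the
    # TGT lands in /tmp/krb5cc_0 here, gssd itself uses /tmp/krb5cc_gssd.
    kinit -k "$princ" && klist
    pgrep -x gssd >/dev/null || echo "gssd is not running (needed on client and server)"
    # Then the mount, with gssname=host added as Rick asks:
    #   mount -t nfs -o nfsv4,sec=krb5,gssname=host freebsd.fqdn:/srv/nfsshare /mnt/nfs
}

# Constructed sample exports files. EXPORTS_BAD has no -sec at all, so only
# AUTH_SYS is allowed; EXPORTS_GOOD allows krb5 on both lines as required.
EXPORTS_BAD='/srv/nfsshare -network 192.168.1.0/24
V4: /srv'
EXPORTS_GOOD='/srv/nfsshare -sec=krb5:krb5i:krb5p -network 192.168.1.0/24
V4: /srv -sec=krb5:krb5i:krb5p'

report() {
    if check_exports "$2" /srv/nfsshare krb5; then
        echo "$1: sec=krb5 allowed on the filesystem line and the V4: line"
    else
        echo "$1: sec=krb5 missing on the filesystem line and/or the V4: line"
    fi
}
report EXPORTS_BAD "$EXPORTS_BAD"
report EXPORTS_GOOD "$EXPORTS_GOOD"
if [ "${1:-}" = "--live" ]; then live_client_checks; fi
```

Run it as-is to see the two sample exports files judged; run it as root on the client with --live to repeat Rick's kinit -k / klist test and confirm gssd is up. A krb5i-only export does not satisfy a sec=krb5 mount, which is why the check takes the exact flavor the client will request rather than "any Kerberos flavor".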