FreeNAS 9.10 + FreeIPA 4.2.0 (Kerberos) - NFSv4 Mount Fail incorrect mount option

I am having an extremely hard time getting a kerberized NFSv4 mount to work with FreeIPA.

This is what I have done so far:
FreeIPA 4.2.0
FreeNAS 9.10

I have followed this guide, http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA, to try and implement the behavior of mounting the user's home directories into NFS within FreeNAS.

Here's the mount point configuration:

[screenshot]


Then the NFS configuration within FreeNAS:
[screenshot]


I have generated a keytab file by running the ipa-getkeytab command on the FreeIPA server, including the following commands:
ipa-getkeytab -s ipa.xm.local -p host/ipa.xm.local -k /etc/krb5.keytab
ipa-getkeytab -s nas.xm.local -p host/nas.xm.local -k /etc/krb5.keytab
ipa-getkeytab -s nas.xm.local -p nfs/nas.xm.local -k /etc/krb5.keytab

And I copied this keytab file to my local computer and uploaded it to FreeNAS using the following screen:
[screenshot]


Then when I go to the client which is running Ubuntu (14.04) - Note that I can log in on this client machine using Kerberos credentials from FreeIPA. So I am guessing that our FreeIPA Server setup is working fine.

This is what the mount command provides:

[screenshot]


I've checked the log files /var/log/syslog and /var/log/kern.log and there are no messages at all at the moment of the mount. Nor does FreeNAS log anything in the console. I am stuck here.

Has anyone ever used FreeNAS NFSv4 mounts for /home directory mounting against a Kerberos server such as FreeIPA? If this is not supported is there any other option for me to mount secure home user directories?
 

xenu

I recently switched from my own openLDAP + Kerberos setup to FreeIPA and use it to automount user directories on FreeNAS via nfs4.

Some things I have set up differently, but they shouldn't really matter:
- NFS Service: I checked "Require Kerberos for NFSv4" and "Support >16 groups" though this shouldn't affect your issue.
- Dataset permissions for /mnt/tank/users are root:wheel 777

Do you have the host/freenas and nfs/freenas principals in your keytab (ktutil -k /etc/krb5.keytab list) on the FreeNAS server?

Vno  Type                     Principal                                          Aliases
2    aes256-cts-hmac-sha1-96  host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
2    aes128-cts-hmac-sha1-96  host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
2    des3-cbc-sha1            host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
2    arcfour-hmac-md5         host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
1    aes256-cts-hmac-sha1-96  nfs/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
1    aes128-cts-hmac-sha1-96  nfs/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
1    des3-cbc-sha1            nfs/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
1    arcfour-hmac-md5         nfs/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM


Here are my FreeIPA Automount settings:
[screenshots]


I chose a different directory for NFS-mounted homedirs as it would conflict with local users who don't have Kerberos authentication. The user in IPA gets home set to /mnt/freenas/users/<username>
I couldn't get automkhomedir to work yet so I have to create the user directory manually on FreeNAS:

mkdir /mnt/tank/users/<username>
chown <username>:<usergroup> /mnt/tank/users/<username>
chmod 770 /mnt/tank/users/<username>


Edit: Did you "kinit <ipa user>" as root on your client before trying to manually mount?
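
Added example, not part of the thread and not written by either poster: a Python check that parses `ktutil -k /etc/krb5.keytab list` output in the layout shown in the reply above and reports missing host/ and nfs/ keys for the NFS server, keys that exist only in legacy enctypes, and keys belonging to other hosts that ended up in the same keytab. The hostnames, the realm, the sample listing and the set of enctypes treated as weak are assumptions made for illustration.

```python
# Added example: audit Heimdal `ktutil list` output for an NFS server keytab.
# SAMPLE is constructed; nas.example.test / EXAMPLE.TEST are placeholder names.
SAMPLE = """\
Vno  Type                     Principal
2    aes256-cts-hmac-sha1-96  host/nas.example.test@EXAMPLE.TEST
2    arcfour-hmac-md5         host/nas.example.test@EXAMPLE.TEST
1    des3-cbc-sha1            nfs/nas.example.test@EXAMPLE.TEST
3    aes256-cts-hmac-sha1-96  host/ipa.example.test@EXAMPLE.TEST
"""

# Assumption: enctypes treated as weak here (single DES, 3DES, RC4).
WEAK = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac-md5"}


def parse_listing(text):
    """Return (kvno, enctype, principal) tuples; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def audit_keytab(text, fqdn, realm, services=("host", "nfs")):
    """Report missing service keys, weak enctypes and keys for other hosts."""
    rows = parse_listing(text)
    wanted = {f"{svc}/{fqdn}@{realm}" for svc in services}
    report = {"missing": [], "weak": [], "weak_only": [], "foreign": []}
    for princ in sorted(wanted):
        etypes = {e for _, e, p in rows if p == princ}
        if not etypes:
            report["missing"].append(princ)
        elif etypes <= WEAK:
            report["weak_only"].append(princ)  # no AES key at all
    for _, etype, princ in rows:
        if etype in WEAK:
            report["weak"].append((princ, etype))
        if princ not in wanted and princ not in report["foreign"]:
            report["foreign"].append(princ)  # another host's or service's key
    return report


if __name__ == "__main__":
    result = audit_keytab(SAMPLE, "nas.example.test", "EXAMPLE.TEST")
    for key, items in result.items():
        print(key, items)
```

A non-empty "foreign" list means the keytab on the NAS also holds long-term keys for some other principal, so anyone who can read that file can act as that principal too.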