Fab Sidoli (Contributor, joined May 15, 2019)
Hi All,
I am trying to get Kerberised NFS working in my environment but am struggling to put the final pieces of the puzzle together.
Environment: Win 2012R2 AD DCs, FreeNAS 11.3 server exporting over NFS with Kerberos enabled, RHEL 7 Linux clients.
Before joining the FreeNAS box to the domain I enabled Kerberised NFS and I can see that the machine account created in the AD has the relevant SPNs:
HOST/NFSSERVER
HOST/NFSSERVER.fqdn
nfs/NFSSERVER
nfs/NFSSERVER.FQDN
RestrictedKrbHost/NFSSERVER
RestrictedKrbHost/NFSSERVER.fqdn
On the FreeNAS box I then ran the following to add the nfs principal to the keytab file
root@nfsserver[~]# net -k ads keytab add nfs
root@nfsserver[~]# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:
Vno Type Principal Aliases
1 des-cbc-crc restrictedkrbhost/nfsserver.fqdn@REALM
1 des-cbc-crc restrictedkrbhost/NFSSERVER@REALM
1 des-cbc-md5 restrictedkrbhost/nfsserver.fqdn@REALM
1 des-cbc-md5 restrictedkrbhost/NFSSERVER@REALM
1 aes128-cts-hmac-sha1-96 restrictedkrbhost/nfsserver.fqdn@REALM
1 aes128-cts-hmac-sha1-96 restrictedkrbhost/NFSSERVER@REALM
1 aes256-cts-hmac-sha1-96 restrictedkrbhost/nfsserver.fqdn@REALM
1 aes256-cts-hmac-sha1-96 restrictedkrbhost/NFSSERVER@REALM
1 arcfour-hmac-md5 restrictedkrbhost/nfsserver.fqdn@REALM
1 arcfour-hmac-md5 restrictedkrbhost/NFSSERVER@REALM
1 des-cbc-crc host/nfsserver.fqdn@REALM
1 des-cbc-crc host/NFSSERVER@REALM
1 des-cbc-md5 host/nfsserver.fqdn@REALM
1 des-cbc-md5 host/NFSSERVER@REALM
1 aes128-cts-hmac-sha1-96 host/nfsserver.fqdn@REALM
1 aes128-cts-hmac-sha1-96 host/NFSSERVER@REALM
1 aes256-cts-hmac-sha1-96 host/nfsserver.fqdn@REALM
1 aes256-cts-hmac-sha1-96 host/NFSSERVER@REALM
1 arcfour-hmac-md5 host/nfsserver.fqdn@REALM
1 arcfour-hmac-md5 host/NFSSERVER@REALM
1 des-cbc-crc NFSSERVER$@REALM
1 des-cbc-md5 NFSSERVER$@REALM
1 aes128-cts-hmac-sha1-96 NFSSERVER$@REALM
1 aes256-cts-hmac-sha1-96 NFSSERVER$@REALM
1 arcfour-hmac-md5 NFSSERVER$@REALM
1 des-cbc-crc nfs/nfsserver.fqdn@REALM
1 des-cbc-crc nfs/NFSSERVER@REALM
1 des-cbc-md5 nfs/nfsserver.fqdn@REALM
1 des-cbc-md5 nfs/NFSSERVER@REALM
1 aes128-cts-hmac-sha1-96 nfs/nfsserver.fqdn@REALM
1 aes128-cts-hmac-sha1-96 nfs/NFSSERVER@REALM
1 aes256-cts-hmac-sha1-96 nfs/nfsserver.fqdn@REALM
1 aes256-cts-hmac-sha1-96 nfs/NFSSERVER@REALM
1 arcfour-hmac-md5 nfs/nfsserver.fqdn@REALM
1 arcfour-hmac-md5 nfs/NFSSERVER@REALM
The Linux client 'linclient' has been configured with the help of a Red Hat engineer and is working to the point that we can do a manual mount of the NFS share as root and get it mounting:
[root@linclient ~]# mount -t nfs nfsserver.fqdn:/mnt/store/home /mnt/nfsserver_nfs -o vers=4.0,sec=krb5
[root@linclient ~]# mount | grep nfsserver
nfsserver.fqdn:/mnt/store/home on /mnt/nfsserver_nfs type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=CLIENTIP,local_lock=none,addr=SERVERIP)
root on the client has no permissions to see any of the datasets under /mnt/nfsserver_nfs/ - I assume because none of the datasets are actually owned by root.
When I try to use automount maps so that users can log in to the client with the home directory I also get permission denied errors.
For the record:
root@nfsserver[~]# ls -l /mnt
total 5
-rw-r--r-- 1 root wheel 5 Jun 10 16:22 md_size
drwxr-xr-x 5 root wheel 5 Jun 24 13:37 store
root@nfsserver[~]# ls -l /mnt/store
total 162
drwxrwxrwx 61 root wheel 61 Jun 15 11:58 group
drwxrwxrwx 606 root wheel 606 Jun 15 11:58 home
drwxr-xr-x 9 root wheel 11 Jun 25 11:23 iocage
On the linux client I see the following error:
Jul 14 13:33:50 linclient automount[2530]: >> mount.nfs4: Operation not permitted
Jul 14 13:33:50 linclient automount[2530]: mount(nfs): nfs: mount failure nfsserver.fqdn:/mnt/store/home/username on /homes/username
The Red Hat engineer suspects that FreeNAS is getting in the way. I can't find any useful logs on the FreeNAS box that tell me whether or not this is true.
Any help you can provide would be much appreciated.
Many thanks,
Fab
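Added example (not part of the post above, and not FreeNAS or Samba code): a small POSIX shell checker for the Heimdal `ktutil -k /etc/krb5.keytab list` output shown in the post. It confirms that the `nfs/` and `host/` principals for the server's FQDN carry an AES-256 key (what a RHEL 7 client negotiating `sec=krb5` will ask for first) and flags any single-DES or RC4 keys, which are weak and should not be left in a production keytab. `nfsserver.fqdn` and `REALM` are the post's own placeholders; the embedded listing is a constructed, abbreviated copy of the one in the post so the script runs offline.

```shell
#!/bin/sh
# keytab_check.sh: sanity-check a Heimdal ktutil keytab listing for Kerberised NFS.
# Live use on the FreeNAS box (assumed invocation, output format as in the post):
#   ktutil -k /etc/krb5.keytab list | keytab_report nfsserver.fqdn REALM

# Constructed sample listing (abbreviated from the post; same column layout).
SAMPLE_KEYTAB='/etc/krb5.keytab:
Vno Type Principal Aliases
1 des-cbc-crc nfs/nfsserver.fqdn@REALM
1 aes256-cts-hmac-sha1-96 nfs/nfsserver.fqdn@REALM
1 arcfour-hmac-md5 nfs/nfsserver.fqdn@REALM
1 aes256-cts-hmac-sha1-96 host/nfsserver.fqdn@REALM'

# keytab_has_key PRINCIPAL ENCTYPE
# Reads a listing on stdin; returns 0 if an entry with that principal and
# encryption type exists, 1 otherwise. Data rows start with a numeric Vno,
# so the two header lines are skipped automatically.
keytab_has_key() {
    awk -v p="$1" -v e="$2" '
        $1 ~ /^[0-9]+$/ && $2 == e && $3 == p { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# keytab_weak_keys
# Reads a listing on stdin; prints each principal (once) that has a DES or
# RC4 (arcfour) key. Such keys let an attacker downgrade to a cipher that
# is brute-forceable, so they belong on a cleanup list.
keytab_weak_keys() {
    awk '$1 ~ /^[0-9]+$/ && ($2 ~ /^des-/ || $2 ~ /^arcfour-/) { print $3 }' | sort -u
}

# keytab_report FQDN REALM
# Reads a listing on stdin, prints one OK/FAIL line per required principal
# plus a WARN line for weak keys, and returns 1 if any required key is missing.
keytab_report() {
    fqdn=$1
    realm=$2
    rc=0
    listing=$(cat)
    for princ in "nfs/$fqdn@$realm" "host/$fqdn@$realm"; do
        if printf '%s\n' "$listing" | keytab_has_key "$princ" aes256-cts-hmac-sha1-96; then
            echo "OK   $princ has an AES-256 key"
        else
            echo "FAIL $princ has no AES-256 key"
            rc=1
        fi
    done
    weak=$(printf '%s\n' "$listing" | keytab_weak_keys)
    if [ -n "$weak" ]; then
        echo "WARN weak (DES/RC4) keys present for: $(printf '%s' "$weak" | tr '\n' ' ')"
    fi
    return $rc
}
```

The parser expects Heimdal's `Vno Type Principal` columns; MIT `klist -k` on the RHEL client prints `KVNO Principal` without the encryption type unless you pass `-e`, so this script is only for the server-side listing. Note also that the client mounts `nfsserver.fqdn` in lower case, so the entry that has to be present is `nfs/nfsserver.fqdn@REALM`, not the short `nfs/NFSSERVER@REALM` form.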