NFSv4 with Kerberos mounting as NFSv3?

Dave851 (Cadet, joined Feb 7, 2021, 1 message)

So before I get into the environment section, my goal is to have an NFSv4 share that requires Kerberos tickets to mount/use. I am using FreeIPA to provide LDAP/KRB5.

I do not believe the FreeIPA integration to be suspect, as all users/groups show on the TrueNas box with the LDAP tasks showing as successful, and I can kinit user tickets from the TrueNas console. NFS principals are set up for the TrueNas host and are part of the keytab uploaded with the web GUI, and I verified it's in /etc/krb5.keytab with ktutil. The details are in the spoiler.

FreeIPA Service Page:
NfsService.png
FreeIPA Host Page:
NasHost.png
TrueNas LDAP:
LDAP.png
TrueNas Kerberos:
ktutil.png
TrueNas getent:
GetEnt.png

Onto TrueNas. So as part of troubleshooting, I performed a new install of TrueNas Core 12-U1.1, which didn't ultimately help. I made a new dataset "Test" to prove this out. The client computer I'm using is my primary desktop running Arch Linux. The dataset is using the preset ACL of "OPEN" to try and remove permission errors from the mix; the rest is the default. The share is also using the NFS defaults.

As a baseline, I configured the NFS service for v3 as shown below and the resulting mount just specifying the server and dest folder from the client 'findmnt' command. This works as expected.
NFSv3.png
Code:
└─/mnt/nfsShare                       truenas.homelab.domain.localnet:/mnt/VOL01/Test nfs             rw,relatime,vers=3,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=128.168.2.3,mountvers=3,mountport=1002,mountproto=udp,local_lock=none,addr=128.168.2.3


When enabling v4, it again works as expected, and mounts as v4.
Code:
└─/mnt/nfsShare                       truenas.homelab.domain.localnet:/mnt/VOL01/Test nfs4            rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=128.168.4.10,local_lock=none,addr=128.168.2.3


Now here's the part I can't figure out. I enable "Require Kerberos". Now it mounts as v3 again when I don't specify options, and when I add sec=krb5 as an option, it refuses to mount at all. Note that the host does have a host principal in the keytab plus kinit'ed to the backupclient user.
Goal.png

Mount command
Code:
[root@desktop ~]# mount truenas.homelab.domain.localnet:/mnt/VOL01/Test /mnt/nfsShare/


Result:
Code:
└─/mnt/nfsShare                       truenas.homelab.domain.localnet:/mnt/VOL01/Test nfs             rw,relatime,vers=3,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=128.168.2.3,mountvers=3,mountport=778,mountproto=udp,local_lock=none,addr=128.168.2.3


Mount with krb5 as option
Code:
[root@desktop ~]# mount -vvv -o sec=krb5 truenas.homelab.domain.localnet:/mnt/VOL01/Test /mnt/nfsShare/
mount.nfs: timeout set for Sun Feb  7 17:24:52 2021
mount.nfs: trying text-based options 'sec=krb5,vers=4.2,addr=128.168.2.3,clientaddr=128.168.4.10'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'sec=krb5,vers=4,minorversion=1,addr=128.168.2.3,clientaddr=128.168.4.10'
mount.nfs: mount(2): Operation not permitted
mount.nfs: trying text-based options 'sec=krb5,addr=128.168.2.3'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 128.168.2.3 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 128.168.2.3 prog 100005 vers 3 prot UDP port 778
mount.nfs: mount(2): Permission denied
mount.nfs: Operation not permitted
[root@desktop ~]#


Also, I've been attempting to find the location of the mountd log and can't seem to locate it in /var/log. This is my first post, so if I'm missing something please be patient.
 

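A check for the silent fallback described in the post, as an added example that is not part of the original post: it parses `findmnt` rows and reports any NFS mount whose negotiated `vers=` or `sec=` misses the stated goal of NFSv4 with Kerberos. The function names are hypothetical; the first two sample rows use option lists trimmed from the post's output, and the third row is constructed.

```python
import re

KRB5_FLAVORS = {"krb5", "krb5i", "krb5p"}
SRC = "truenas.homelab.domain.localnet:/mnt/VOL01/Test"

# Rows 1-2: option lists trimmed from the post's findmnt output. Row 3: constructed.
AFTER_REQUIRE_KRB = f"└─/mnt/nfsShare {SRC} nfs rw,relatime,vers=3,hard,proto=tcp,sec=sys,mountvers=3"
V4_NO_KRB = f"└─/mnt/nfsShare {SRC} nfs4 rw,relatime,vers=4.1,hard,proto=tcp,sec=sys"
GOAL = f"└─/mnt/nfsShare {SRC} nfs4 rw,relatime,vers=4.1,hard,proto=tcp,sec=krb5"


def parse_findmnt_row(row):
    """Split one findmnt row (TARGET SOURCE FSTYPE OPTIONS); None if not NFS."""
    # Drop the tree-drawing prefix findmnt prints in front of the target.
    cols = re.sub(r"^[\s│├└─|`-]+", "", row).split()
    if len(cols) < 4 or not cols[2].startswith("nfs"):
        return None
    opts = {}
    for item in cols[3].split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return {"target": cols[0], "source": cols[1], "fstype": cols[2], "opts": opts}


def audit_mount(row, min_major=4):
    """Return findings for one mount row; an empty list means it meets the goal."""
    mount = parse_findmnt_row(row)
    if mount is None:
        return ["not an NFS mount line"]
    findings = []
    vers = mount["opts"].get("vers", "")
    major = int(vers.split(".")[0]) if vers[:1].isdigit() else 0
    if major < min_major:
        findings.append(f"negotiated vers={vers or 'unknown'}, wanted NFSv{min_major}+")
    sec = mount["opts"].get("sec", "unknown")
    if sec not in KRB5_FLAVORS:
        findings.append(f"negotiated sec={sec}, wanted one of krb5/krb5i/krb5p")
    return findings


if __name__ == "__main__":
    for name, row in [("after 'Require Kerberos'", AFTER_REQUIRE_KRB),
                      ("v4 without Kerberos", V4_NO_KRB), ("goal", GOAL)]:
        print(name, "->", audit_mount(row) or "OK")
```

On a live client the rows can come from `findmnt -n -t nfs,nfs4`, whose default columns match the layout parsed here.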