cannot mount nfs share -o sec=krb5p

https://www.rocksolidbbs.com/devel/article-flat.php?id=364&group=comp.protocols.kerberos#364

From: chrisjohgorman@gmail.com (Chris Gorman)
Newsgroups: comp.protocols.kerberos
Subject: cannot mount nfs share -o sec=krb5p
Date: Tue, 23 May 2023 20:30:15 -0400
Organization: TNet Consulting
Message-ID: <mailman.81.1684907416.1964.kerberos@mit.edu>
References: <CAHVeOW8yGAhXaw2+uc+Rw-K4-GDRze-eHoP-eOrM2GJpNnv_0Q@mail.gmail.com>
To: kerberos@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
X-Mailman-Original-Message-ID: <CAHVeOW8yGAhXaw2+uc+Rw-K4-GDRze-eHoP-eOrM2GJpNnv_0Q@mail.gmail.com>
 by: Chris Gorman - Wed, 24 May 2023 00:30 UTC
Attachments: "server.log" (text/x-log), "client.log" (text/x-log)

Hello list,

I am trying to build a Linux From Scratch system with nfs4 and
Kerberos. Somewhere along the line I have deviated from what distros
like Arch Linux have done, as I can't mount an NFS share with anything
but -o sec=sys. I have tried to follow Arch's build scripts for
nfs-utils-2.6.3 and gssproxy-0.9.1. Both are installed and working as
far as I can tell. I may yet need to rebuild a package due to
circular dependencies. I don't know if this is my problem, or if it
lies elsewhere.

I have successfully set up a krb5 server on one of my arch systems,
but want to have the service running on LFS.

So I have two machines at the moment, server and client, at domain
example.com with realm EXAMPLE.COM. The client is an Arch Linux
system and was the previous server. I could get NFS shares mounted
when I had the Arch system as the server. I can no longer mount
shares when using the LFS machine as the server.

I have tried turning on NFS debugging with rpcdebug, and the attached
files are the relevant output from journalctl. The client's log is
attached as client.log and the server's log is server.log. The logs
are of a mount call from the client to the server.

sudo mount -vvv -t nfs4 -o sec=krb5p server.example.com:/home /home/nfs

This call produces the following output.

mount.nfs4: mount(2): Permission denied
mount.nfs4: mount(2): Permission denied
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting server.example.com:/home
mount.nfs4: timeout set for Tue May 23 19:03:05 2023
mount.nfs4: trying text-based options
'sec=krb5p,vers=4.2,addr=192.168.0.1,clientaddr=192.168.0.2'
mount.nfs4: trying text-based options
'sec=krb5p,vers=4,minorversion=1,addr=192.168.0.1,clientaddr=192.168.0.2'
mount.nfs4: trying text-based options
'sec=krb5p,vers=4,addr=192.168.0.1,clientaddr=192.168.0.2'

My Kerberos information follows:

Client's krb5.conf
-----------------------
[libdefaults]
default_realm = EXAMPLE.COM
encrypt = true

[realms]
EXAMPLE.COM = {
admin_server = server.example.com
kdc = server.example.com

pkinit_anchors = FILE:/etc/krb5/cacert.pem
pkinit_identity =
FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE

Server's krb5.conf
------------------------
[libdefaults]
default_realm = EXAMPLE.COM
encrypt = true

[realms]
EXAMPLE.COM = {
admin_server = server.example.com
kdc = server.example.com

kdc_tcp_ports = 88
allow_pkinit = yes
pkinit_identity =
FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE

Server's kdc.conf
-----------------------
[kdcdefaults]
kdc_listen = 88
kdc_tcp_listen = 88
spake_preauth_kdc_challenge = edwards25519

[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
acl_file = /var/lib/krb5kdc/kadm5.acl
key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
kdc_listen = 88
kdc_tcp_listen = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}

Client's keytab
-------------------
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/server.example.com@EXAMPLE.COM
3 host/server.example.com@EXAMPLE.COM
3 nfs/server.example.com@EXAMPLE.COM
3 nfs/server.example.com@EXAMPLE.COM
3 nfs/client.example.com@EXAMPLE.COM
3 nfs/client.example.com@EXAMPLE.COM

/etc/resolv.conf
--------------
domain example.com
nameserver 192.168.0.1
nameserver 8.8.8.8

/etc/hosts
-------------
127.0.0.1 localhost.localdomain localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

If someone has a moment, could you look at the logs and tell me if
anything jumps out at you as my problem?

Thanks in advance,

Chris
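A keytab check that a reader can run against a `klist -k` listing like the one in the post, added here as an example and not part of the original message or of nfs-utils/gssproxy. It assumes the machine's FQDN and realm are passed in, and that rpc.gssd or gssproxy needs an nfs/<fqdn> or host/<fqdn> key from the machine's own realm to obtain a machine credential for a krb5* mount; the sample listing is constructed in the shape of the client keytab shown above.

```python
import re

# Constructed sample in the shape of the client keytab listing from the post
# (`klist -k` output); the principals are the ones the post shows.
CLIENT_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM
"""

# One `klist -k` entry: KVNO, then service[/host]@REALM. klist prints one line
# per key, so a principal with several enctypes appears several times.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+([^/@\s]+)(?:/([^@\s]+))?@(\S+)\s*$")


def parse_klist(text):
    """Return (kvno, service, host, realm) tuples; host is None for a user
    principal such as alice@EXAMPLE.COM. Header and ruler lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, service, host, realm = m.groups()
            entries.append((int(kvno), service, host, realm))
    return entries


def _add(bucket, item):
    """Append without duplicates (klist lists one line per enctype)."""
    if item not in bucket:
        bucket.append(item)


def check_keytab(entries, fqdn, realm):
    """Report on the keytab from the point of view of the machine `fqdn`.

    rpc.gssd (or gssproxy) takes the machine credential for a krb5* NFS mount
    from the keytab; nfs/<fqdn> or host/<fqdn> in the machine's own realm is
    what it needs. Service keys for *other* hosts do nothing for this machine
    and widen the damage if the keytab is ever read by an attacker, so they
    are flagged for removal.
    """
    fqdn = fqdn.lower()
    report = {
        "has_nfs_key": False,
        "has_host_key": False,
        "wrong_realm": [],
        "user_keys": [],
        "foreign_service_keys": [],
    }
    for kvno, service, host, prealm in entries:
        principal = service + ("/" + host if host else "") + "@" + prealm
        if prealm != realm:
            _add(report["wrong_realm"], principal)
        elif host is None:
            _add(report["user_keys"], principal)
        elif host.lower() == fqdn:
            if service == "nfs":
                report["has_nfs_key"] = True
            elif service == "host":
                report["has_host_key"] = True
        else:
            _add(report["foreign_service_keys"], principal)
    return report


def findings(report):
    """Turn a report into human-readable lines; an empty list means all clear."""
    out = []
    if not (report["has_nfs_key"] or report["has_host_key"]):
        out.append("no nfs/ or host/ key for this machine: "
                   "rpc.gssd cannot obtain a machine credential")
    for p in report["wrong_realm"]:
        out.append(f"{p}: key belongs to a different realm")
    for p in report["foreign_service_keys"]:
        out.append(f"{p}: service key for another host; remove it from this keytab")
    return out


if __name__ == "__main__":
    rep = check_keytab(parse_klist(CLIENT_KLIST), "client.example.com", "EXAMPLE.COM")
    for line in findings(rep) or ["keytab looks fine"]:
        print(line)
```

Run it with the output of `klist -k` on each machine in turn (the server's FQDN on the server, the client's on the client); a listing that passes on both sides narrows the problem to DNS, the server's exports and rpc.gssd/gssproxy configuration rather than key distribution.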
