https://www.rocksolidbbs.com/devel/article-flat.php?id=365&group=comp.protocols.kerberos#365

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: chrisjohgorman@gmail.com (Chris Gorman)
Newsgroups: comp.protocols.kerberos
Subject: Re: cannot mount nfs share -o sec=krb5p
Date: Thu, 25 May 2023 13:35:12 -0400
Organization: TNet Consulting
Lines: 164
Message-ID: <mailman.82.1685036145.1964.kerberos@mit.edu>
References: <CAHVeOW8yGAhXaw2+uc+Rw-K4-GDRze-eHoP-eOrM2GJpNnv_0Q@mail.gmail.com>
<CAHVeOW9v_T=1zSb5iPxD8=CraKJZhrYToX_Wrxw4EMZH6MWbNQ@mail.gmail.com>
To: kerberos@mit.edu
In-Reply-To: <CAHVeOW8yGAhXaw2+uc+Rw-K4-GDRze-eHoP-eOrM2GJpNnv_0Q@mail.gmail.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>

Hello Again,

Please disregard this request for help as being persistent has allowed
me to fix my problem. I needed to rebuild the following packages to
get nfs mounting working.

nfs-utils
krb5
gssproxy
cyrus-sasl

Once these were built to recognise each other, my problem disappeared.

Thanks for your time.

Chris

On Tue, May 23, 2023 at 8:30 PM Chris Gorman <chrisjohgorman@gmail.com> wrote:
>
> Hello list,
>
> I am trying to build a linux from scratch system with nfs4 and
> kerberos. Somewhere along the lines I have deviated from what distros
> like arch linux have done as I can't mount an nfs share with anything
> but -o sec=sys. I have tried to follow arch's build scripts for
> nfs-utils-2.6.3 and gssproxy-0.9.1. Both are installed and working as
> far as I can tell. I may yet need to rebuild a package due to
> circular dependencies. I don't know if this is my problem, or if it
> lies elsewhere.
>
> I have successfully set up a krb5 server on one of my arch systems,
> but want to have the service running on LFS.
>
> So I have two machines at the moment, server and client at domain
> example.com with realm EXAMPLE.COM. The client is an arch linux
> system and was the previous server. I could get nfs shares mounted
> when I had the arch system as the server. I can no longer mount
> shares when using the LFS machine as the server.
>
> I have tried turning on nfs debugging with rpcdebug and the attached
> files are the relevant output from journalctl. The client's log is
> attached as client.log and the server's log is server.log. The logs
> are logs of a mount call from the client to the server.
>
> sudo mount -vvv -t nfs4 -o sec=krb5p server.example.com:/home /home/nfs
>
> This call produces the following output.
>
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting server.example.com:/home
> mount.nfs4: timeout set for Tue May 23 19:03:05 2023
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4.2,addr=192.168.0.1,clientaddr=192.168.0.2'
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4,minorversion=1,addr=192.168.0.1,clientaddr=192.168.0.2'
> mount.nfs4: trying text-based options
> 'sec=krb5p,vers=4,addr=192.168.0.1,clientaddr=192.168.0.2'
>
> My kerberos information follows
>
> Client's krb5.conf
> -----------------------
> [libdefaults]
> default_realm = EXAMPLE.COM
> encrypt = true
>
> [realms]
> EXAMPLE.COM = {
> admin_server = server.example.com
> kdc = server.example.com
>
> pkinit_anchors = FILE:/etc/krb5/cacert.pem
> pkinit_identity =
> FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
> [logging]
> kdc = SYSLOG:NOTICE
> admin_server = SYSLOG:NOTICE
> default = SYSLOG:NOTICE
>
> Server's krb5.conf
> ------------------------
> [libdefaults]
> default_realm = EXAMPLE.COM
> encrypt = true
>
> [realms]
> EXAMPLE.COM = {
> admin_server = server.example.com
> kdc = server.example.com
>
> kdc_tcp_ports = 88
> allow_pkinit = yes
> pkinit_identity =
> FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
> pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
> [logging]
> kdc = SYSLOG:NOTICE
> admin_server = SYSLOG:NOTICE
> default = SYSLOG:NOTICE
>
> Server's kdc.conf
> -----------------------
> [kdcdefaults]
> kdc_listen = 88
> kdc_tcp_listen = 88
> spake_preauth_kdc_challenge = edwards25519
>
> [realms]
> EXAMPLE.COM = {
> database_name = /var/lib/krb5kdc/principal
> acl_file = /var/lib/krb5kdc/kadm5.acl
> key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
> kdc_listen = 88
> kdc_tcp_listen = 88
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> }
>
> Client's keytab
> -------------------
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 3 host/server.example.com@EXAMPLE.COM
> 3 host/server.example.com@EXAMPLE.COM
> 3 nfs/server.example.com@EXAMPLE.COM
> 3 nfs/server.example.com@EXAMPLE.COM
> 3 nfs/client.example.com@EXAMPLE.COM
> 3 nfs/client.example.com@EXAMPLE.COM
>
> /etc/resolv.conf
> --------------
> domain example.com
> nameserver 192.168.0.1
> nameserver 8.8.8.8
>
> /etc/hosts
> -------------
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> If someone has a moment, could you look at the logs and tell me if
> anything jumps out at you as my problem?
>
> Thanks in advance,
>
> Chris
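The thread's fix was rebuilding nfs-utils, krb5, gssproxy and cyrus-sasl so that they were linked against each other; the two things a client-side krb5p mount depends on are an rpc.gssd that is actually built with GSS-API and a keytab holding a machine credential for the client's own FQDN. The following is an added example, not code from the thread: small POSIX sh helpers that check both from plain text input, with constructed sample klist and ldd output modelled on the post (the sample principals, paths and the `/usr/sbin/rpc.gssd` location are assumptions).

```shell
#!/bin/sh
# Added example (not from the thread): offline-checkable helpers for the
# client-side prerequisites of an "-o sec=krb5p" NFS mount. Inputs are
# plain text, so they accept real tool output or the constructed samples.
# Constructed sample shaped like the "klist -k" listing in the post.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 host/client.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM'

# Constructed sample of "ldd /usr/sbin/rpc.gssd" for a build that was
# not linked against MIT Kerberos GSS-API (no libgssapi_krb5 line).
SAMPLE_LDD_NOGSS='    libtirpc.so.3 => /usr/lib/libtirpc.so.3 (0x00007f00)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f01)'

# keytab_has_principal KLIST_OUTPUT SERVICE FQDN REALM
# True when a keytab entry is exactly SERVICE/FQDN@REALM.
keytab_has_principal() {
    printf '%s\n' "$1" |
        grep -q "^[[:space:]]*[0-9][0-9]*[[:space:]]$2/$3@$4\$"
}

# gss_linked LDD_OUTPUT
# True when the binary is linked against libgssapi_krb5; a userspace
# built without it cannot negotiate krb5/krb5i/krb5p with the kernel.
gss_linked() {
    printf '%s\n' "$1" | grep -q 'libgssapi_krb5\.so'
}

# missing_nfs_principals KLIST_OUTPUT FQDN REALM
# Prints each of nfs/FQDN and host/FQDN that the keytab lacks; prints
# nothing when both machine credentials rpc.gssd can use are present.
missing_nfs_principals() {
    for svc in nfs host; do
        keytab_has_principal "$1" "$svc" "$2" "$3" ||
            printf '%s/%s@%s\n' "$svc" "$2" "$3"
    done
}

# Stand-alone run: use the real tools when available, else the samples.
klist_out=$(klist -k 2>/dev/null || printf '%s' "$SAMPLE_KLIST")
gssd=$(command -v rpc.gssd 2>/dev/null || echo /nonexistent)
ldd_out=$(ldd "$gssd" 2>/dev/null || printf '%s' "$SAMPLE_LDD_NOGSS")
fqdn=$(hostname -f 2>/dev/null || echo client.example.com)
missing_nfs_principals "$klist_out" "$fqdn" EXAMPLE.COM
gss_linked "$ldd_out" && echo "rpc.gssd: GSS-API linked" ||
    echo "rpc.gssd: no libgssapi_krb5; rebuild nfs-utils against krb5"
```

On a real client, any principal the script prints is one `kadmin` has not exported to `/etc/krb5.keytab`, and the second line tells you whether the "Permission denied" can even be a Kerberos problem or is a build problem like the one in the thread.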
