I am setting up a FreeNAS box, running on my LAN, which will be hosting photos and documents which I would like to keep safe (will back up to the cloud). I would like to share the files on my LAN using NFSv4 with Kerberos authentication, as I want to control access to the files on a user level.
So far I have done the following:
- running FreeNAS-11.3-U3.2
- enabled NFSv4 in the NFS settings and set up an NFS share
- set up a DNS server running inside a jail (separate IP) on the FreeNAS box. My router is pointing all clients to use that as their DNS server
- set up a Kerberos server inside a jail (another separate IP) on the FreeNAS. After creating the jail, I followed these instructions: https://www.freebsd.org/doc/handbook/kerberos5.html
- added the Kerberos realm and keytab on the FreeNAS using the Web UI (keytab contains a principal named "nfs/FreeNAS.home@HOME" which I created inside the Kerberos jail)
- I have another keytab for a Debian PC client ("nfs/Client.home@HOME")
I can request a ticket from the Debian client machine (I changed the real hostnames to Client and FreeNAS):
Code:
root@Client:/media# kinit -t /etc/krb5.keytab -k nfs/Client.home
root@Client:/media# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/Client.home@HOME
Valid starting     Expires            Service principal
However, I am having trouble mounting the NFS share (I changed the real hostnames to Client and FreeNAS):
Code:
root@Client:/media# mount -v -t nfs4 -o sec=krb5p FreeNAS:/mnt/data/users/ /media/FreeNas/
mount.nfs4: timeout set for Tue Jul 21 07:56:27 2020
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=<FreeNASIP>,clientaddr=<ClientIP>'
mount.nfs4: mount(2): Protocol not supported
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.1,addr=<FreeNASIP>,clientaddr=<ClientIP>'
mount.nfs4: mount(2): Operation not permitted
mount.nfs4: trying text-based options 'sec=krb5p,addr=<FreeNASIP>'
mount.nfs4: prog 100003, trying vers=3, prot=6
mount.nfs4: trying <FreeNASIP> prog 100003 vers 3 prot TCP port 2049
mount.nfs4: prog 100005, trying vers=3, prot=17
mount.nfs4: trying <FreeNASIP> prog 100005 vers 3 prot UDP port 869
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting FreeNAS:/mnt/data/users/
Meanwhile in the FreeNAS NFS server I can see this in the logs:
Code:
Jul 21 07:54:04 FreeNAS mountd[6223]: mount request succeeded from <ClientIP> for /mnt/data/users
I was wondering if anyone had ideas as to what I could be doing wrong.
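Added example, not from the original post or the FreeNAS project: a POSIX shell script that parses the verbose mount.nfs4 trace quoted above (embedded as constructed sample input) and reports, per attempt, which NFS version was tried and how the kernel answered, so that the silent fallback from the requested NFSv4 to NFSv3 is visible rather than buried in the trace. The `<FreeNASIP>`/`<ClientIP>` placeholders are kept as they appear in the post.

```shell
#!/bin/sh
# Added example (not from the post or FreeNAS): summarise a verbose mount.nfs4 trace.
# Constructed sample input: the trace quoted in the post, placeholders left as-is.
sample_trace() {
cat <<'EOF'
mount.nfs4: timeout set for Tue Jul 21 07:56:27 2020
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=<FreeNASIP>,clientaddr=<ClientIP>'
mount.nfs4: mount(2): Protocol not supported
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.1,addr=<FreeNASIP>,clientaddr=<ClientIP>'
mount.nfs4: mount(2): Operation not permitted
mount.nfs4: trying text-based options 'sec=krb5p,addr=<FreeNASIP>'
mount.nfs4: prog 100003, trying vers=3, prot=6
mount.nfs4: trying <FreeNASIP> prog 100003 vers 3 prot TCP port 2049
mount.nfs4: prog 100005, trying vers=3, prot=17
mount.nfs4: trying <FreeNASIP> prog 100005 vers 3 prot UDP port 869
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting FreeNAS:/mnt/data/users/
EOF
}
# Read a trace on stdin; print one "vers=<v>: <kernel error>" line per attempt.
summarise_trace() {
  awk '
    # A new text-based attempt; take vers= from the option string if present.
    index($0, "trying text-based options") > 0 {
      v = "unspecified"
      if (match($0, /vers=[0-9.]+/)) v = substr($0, RSTART + 5, RLENGTH - 5)
      next
    }
    # Fallback path: mount.nfs4 probes the NFS program (100003) with vers=3.
    index($0, "prog 100003, trying vers=") > 0 {
      if (match($0, /vers=[0-9]+/)) v = substr($0, RSTART + 5, RLENGTH - 5)
      next
    }
    # The kernel result of the attempt currently in progress.
    index($0, "mount(2): ") > 0 {
      printf "vers=%s: %s\n", v, substr($0, index($0, "mount(2): ") + 10)
    }'
}
# Print the NFS version of the last attempt, i.e. what the server actually answered.
negotiated_version() {
  summarise_trace | tail -n 1 | sed 's/^vers=\([^:]*\):.*/\1/'
}
# Exit 0 when the negotiation ended on NFSv3 although NFSv4 was requested.
fell_back_to_v3() {
  [ "$(negotiated_version)" = "3" ]
}
sample_trace | summarise_trace
```

Pipe the output of a real `mount -v -t nfs4 ... 2>&1` into `summarise_trace` to get the same per-version summary; a result of `3` from `negotiated_version` means the Kerberos error you see came from the NFSv3 path, not from the NFSv4 server you intended to talk to.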