Setting up NFSv4 and Kerberos

bodwin (Cadet; joined Jul 20, 2020; 1 message)
I am setting up a FreeNAS box, running on my LAN, which will be hosting photos and documents that I would like to keep safe (will back up to the cloud). I would like to share the files on my LAN using NFSv4 with Kerberos authentication, as I want to control access to the files on a user level.

So far I have done the following:
- running FreeNAS-11.3-U3.2
- enabled NFSv4 in the NFS settings and set up an NFS share
- set up a DNS server running inside a jail (separate IP) on the FreeNAS box. My router is pointing all clients to use that as their DNS server
- set up a Kerberos server inside a jail (another separate IP) on the FreeNAS. After creating the jail, I followed these instructions: https://www.freebsd.org/doc/handbook/kerberos5.html
- added the kerberos realm and keytab on the FreeNAS using the Web UI (keytab contains a principal named "nfs/FreeNAS.home@HOME" which I created inside the kerberos jail)
- I have another keytab for a Debian PC client ("nfs/Client.home@HOME")

I can request a ticket from the Debian client machine (I changed the real hostnames to Client and FreeNAS):
Code:
root@Client:/media# kinit -t /etc/krb5.keytab -k nfs/Client.home
root@Client:/media# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/Client.home@HOME

Valid starting     Expires            Service principal


However, I am having trouble mounting the NFS share (I changed the real hostnames to Client and FreeNAS):

Code:
root@Client:/media# mount -v -t nfs4 -o sec=krb5p FreeNAS:/mnt/data/users/ /media/FreeNas/
mount.nfs4: timeout set for Tue Jul 21 07:56:27 2020
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=<FreeNASIP>,clientaddr=<ClientIP>'
mount.nfs4: mount(2): Protocol not supported
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.1,addr=<FreeNASIP>,clientaddr=<ClientIP>'
mount.nfs4: mount(2): Operation not permitted
mount.nfs4: trying text-based options 'sec=krb5p,addr=<FreeNASIP>'
mount.nfs4: prog 100003, trying vers=3, prot=6
mount.nfs4: trying <FreeNASIP> prog 100003 vers 3 prot TCP port 2049
mount.nfs4: prog 100005, trying vers=3, prot=17
mount.nfs4: trying <FreeNASIP> prog 100005 vers 3 prot UDP port 869
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting FreeNAS:/mnt/data/users/


Meanwhile in the FreeNAS NFS server I can see this in the logs:
Code:
Jul 21 07:54:04 FreeNAS mountd[6223]: mount request succeeded from <ClientIP> for /mnt/data/users


I was wondering if anyone had ideas as to what I could be doing wrong.
 

KrisBee (Wizard; joined Mar 20, 2017; 1,288 messages)
It's some time since I went through a similar exercise in configuring NFSv4. My setup was not permanent and I used the Heimdal rather than the MIT variant of Kerberos. IIRC I had to add "default_realm = <your REALM>" to the Kerberos settings in the Libdefaults auxiliary parameters box. Don't know if I've read your post correctly, but doesn't FreeNAS only need the keytab for the FN host and its nfs service from the KDC? As to the client, what principals have you set up for it on the KDC? I assume you've at least set up "/etc/default/nfs-common" on the Debian client to use both IDMAPD and GSSD.

TBH, my memory is a bit hazy on this now. Using SMB shares in Linux is less hassle in many ways.
 
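The following script is an added example and is not code from either post or from the FreeNAS project. It bundles the two things the thread turns on: the client-side settings KrisBee lists (NEED_IDMAPD/NEED_GSSD in /etc/default/nfs-common, default_realm in krb5.conf, the nfs/ principal in the client keytab), and a parser for the verbose mount.nfs4 output bodwin quoted, which makes the version fallback trail explicit. It assumes Debian file paths and the `klist -k` listing format; the realm HOME and the principal nfs/Client.home come from the post, and every sample file it creates is constructed, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: client-side preflight checks for a
# Kerberized NFSv4 mount on Debian, plus a parser for the fallback trail that
# "mount -v" prints. Assumptions: Debian file layout (/etc/default/nfs-common,
# /etc/krb5.conf, "klist -k" output for the keytab); realm HOME and the
# nfs/Client.home principal are taken from the post; all sample data is constructed.

# setting_is FILE KEY VALUE: succeed when FILE has an uncommented KEY=VALUE line
setting_is() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?$3\"?[[:space:]]*(#.*)?$" "$1"
}

# nfs_common_ok FILE: both the id mapper (NFSv4 name<->uid translation) and
# rpc.gssd (Kerberos credential handling) must be enabled in nfs-common
nfs_common_ok() {
    setting_is "$1" NEED_IDMAPD yes && setting_is "$1" NEED_GSSD yes
}

# krb5_default_realm FILE: print default_realm from [libdefaults], or nothing
krb5_default_realm() {
    awk -F= '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); next }
        sect == "[libdefaults]" && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }' "$1"
}

# keytab_has_principal PRINCIPAL: read "klist -k" output on stdin; the realm
# suffix is optional so nfs/Client.home matches nfs/Client.home@HOME
keytab_has_principal() {
    grep -Eq "[[:space:]]$1(@[^[:space:]]+)?[[:space:]]*$"
}

# mount_fallback_trail: read "mount -v" output on stdin and print one
# "<version> <mount(2) error>" line per attempt, so a silent step-down from
# NFSv4.x to NFSv3 (and its separate MOUNT protocol) becomes visible
mount_fallback_trail() {
    awk '
        /trying text-based options/ {
            vers = "4(unpinned)"
            if (match($0, /vers=[0-9.]+/)) vers = substr($0, RSTART + 5, RLENGTH - 5)
            next
        }
        /trying vers=3/ { vers = "3" }
        /mount\(2\): /  { sub(/.*mount\(2\): /, ""); print vers " " $0 }
    '
}

# fell_back_to_v3: succeed when the trail contains an NFSv3 attempt
fell_back_to_v3() {
    mount_fallback_trail | grep -q '^3 '
}

# ---- constructed sample data, standing in for the real files and output ----
tmp=$(mktemp -d)

cat > "$tmp/nfs-common.bad" <<'EOF'
NEED_STATD=
NEED_IDMAPD=yes
NEED_GSSD=no
EOF

cat > "$tmp/nfs-common.good" <<'EOF'
NEED_IDMAPD=yes
NEED_GSSD=yes
EOF

cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = HOME
    dns_lookup_kdc = true

[realms]
    HOME = {
        kdc = kerberos.home
    }
EOF

cat > "$tmp/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------
   2 nfs/Client.home@HOME
   2 host/Client.home@HOME
EOF

# the verbose mount output quoted in the post, with documentation addresses
cat > "$tmp/mount.log" <<'EOF'
mount.nfs4: timeout set for Tue Jul 21 07:56:27 2020
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.0.2.10,clientaddr=192.0.2.20'
mount.nfs4: mount(2): Protocol not supported
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.1,addr=192.0.2.10,clientaddr=192.0.2.20'
mount.nfs4: mount(2): Operation not permitted
mount.nfs4: trying text-based options 'sec=krb5p,addr=192.0.2.10'
mount.nfs4: prog 100003, trying vers=3, prot=6
mount.nfs4: trying 192.0.2.10 prog 100003 vers 3 prot TCP port 2049
mount.nfs4: prog 100005, trying vers=3, prot=17
mount.nfs4: trying 192.0.2.10 prog 100005 vers 3 prot UDP port 869
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting FreeNAS:/mnt/data/users/
EOF

# run the checks against the samples
if nfs_common_ok "$tmp/nfs-common.bad"; then echo "nfs-common: ok"
else echo "nfs-common: NEED_IDMAPD and NEED_GSSD are not both yes"; fi
echo "default_realm: $(krb5_default_realm "$tmp/krb5.conf")"
if keytab_has_principal nfs/Client.home < "$tmp/klist.out"; then echo "keytab: nfs/Client.home present"; fi
mount_fallback_trail < "$tmp/mount.log"
if fell_back_to_v3 < "$tmp/mount.log"; then
    echo "WARNING: client walked down to NFSv3 although sec=krb5p was requested"
fi
```

Run against the quoted output, the trail reads `4.2 Protocol not supported`, `4.1 Operation not permitted`, `3 Permission denied`: the client tried 4.2, then 4.1, then gave up on NFSv4 entirely and went to NFSv3 plus the MOUNT protocol over UDP. That last step is also why a `mountd ... mount request succeeded` line can show up on the FreeNAS side even though no NFSv4 mount ever came up: mountd serves the MOUNT protocol that NFSv3 uses, and NFSv4 does not go through it. Pinning the version in the mount options (for example `-o sec=krb5p,vers=4.1`) makes the mount fail at the 4.1 error instead of silently stepping down, which is the behaviour you want when Kerberos is the point of the exercise.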

francisaugusto (Contributor; joined Nov 16, 2018; 153 messages)
Same problem here, and no idea why it doesn't work. Did you fix it, @bodwin?
 