
Unable to add krb5$ security to an NFS share.

krbyerdog (Neophyte, joined Oct 1, 2020, 4 messages)
Hello everyone,

I've had a search of the forums over the past few days and don't seem to be able to find anything about this issue, so here goes:

Attempting to enable any kind of krb5 security from the TrueNAS 12 RC2 GUI results in the following error:

Code:
freenas "[security] Item#0 is not valid per list types: [provider] Invalid choice: krb5p"


Full traceback as follows:

Code:
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 137, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self,
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1191, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/service.py", line 455, in create
    rv = await self.middleware._call(
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1191, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 972, in nf
    args, kwargs = clean_and_validate_args(args, kwargs)
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 930, in clean_and_validate_args
    value = attr.clean(args[args_index + i])
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 607, in clean
    data[key] = attr.clean(value)
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 470, in clean
    raise Error(self.name, 'Item#{0} is not valid per list types: {1}'.format(index, found))
middlewared.schema.Error: [security] Item#0 is not valid per list types: [provider] Invalid choice: krb5p


I'm running in an LDAP environment with domain membership and Kerberos keytabs properly imported. I can kinit all domain accounts, and there's an nfs service principal for freenas under the correct hostname.


One peculiar issue is that even though NFS4 is enabled, rpcinfo from another machine shows the following:

Code:
    100003    2    tcp       0.0.0.0.8.1            nfs        superuser
    100003    3    tcp       0.0.0.0.8.1            nfs        superuser
    100024    1    udp6      ::.3.47                status     superuser
    100024    1    tcp6      ::.3.47                status     superuser
    100024    1    udp       0.0.0.0.3.47           status     superuser
    100024    1    tcp       0.0.0.0.3.47           status     superuser
    100021    0    udp6      ::.3.141               nlockmgr   superuser
    100021    0    tcp6      ::.3.253               nlockmgr   superuser
    100021    0    udp       0.0.0.0.2.168          nlockmgr   superuser
    100021    0    tcp       0.0.0.0.3.254          nlockmgr   superuser
    100021    1    udp6      ::.3.141               nlockmgr   superuser
    100021    1    tcp6      ::.3.253               nlockmgr   superuser
    100021    1    udp       0.0.0.0.2.168          nlockmgr   superuser
    100021    1    tcp       0.0.0.0.3.254          nlockmgr   superuser
    100021    3    udp6      ::.3.141               nlockmgr   superuser
    100021    3    tcp6      ::.3.253               nlockmgr   superuser
    100021    3    udp       0.0.0.0.2.168          nlockmgr   superuser
    100021    3    tcp       0.0.0.0.3.254          nlockmgr   superuser
    100021    4    udp6      ::.3.141               nlockmgr   superuser
    100021    4    tcp6      ::.3.253               nlockmgr   superuser
    100021    4    udp       0.0.0.0.2.168          nlockmgr   superuser
    100021    4    tcp       0.0.0.0.3.254          nlockmgr   superuser


It seems NFSv4x isn't available despite being enabled in the gui.

Cat of /etc/exports, however:

Code:
V4: / -sec=sys:krb5:krb5i:krb5p
...
...
...
..
.



I am very keen on working out some security for my network shares, but between being slowed down by LDAP-related bugs (I still can't enable encryption for the LDAP bind, for instance, without a similar middleware error) and other issues which have only recently been resolved, I'm starting to feel I'd be better served by building a fileserver off something which plays nicer in non-AD domain environments.

Does anyone have any ideas of what I could try next?
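The two pieces of evidence in the post (the rpcinfo listing and the V4 line in /etc/exports) can be cross-checked mechanically. The script below is an added example, not code from the post or from TrueNAS: it parses rpcinfo output, decodes the rpcbind universal addresses to ports, reads the sec= flavors off the V4: line, and reports whether v4 is advertised and whether plain sec=sys is still permitted alongside the Kerberos flavors. It assumes that an NFSv4-capable server registers program 100003 version 4 with rpcbind; the sample inputs are constructed from the post.

```python
import re

# Constructed sample: an abbreviated copy of the rpcinfo output quoted in the post.
RPCINFO_SAMPLE = """\
    100003    2    tcp       0.0.0.0.8.1            nfs        superuser
    100003    3    tcp       0.0.0.0.8.1            nfs        superuser
    100024    1    udp       0.0.0.0.3.47           status     superuser
    100021    4    tcp       0.0.0.0.3.254          nlockmgr   superuser
"""
# Constructed sample: the V4 line from the post's /etc/exports.
EXPORTS_SAMPLE = "V4: / -sec=sys:krb5:krb5i:krb5p\n"

NFS_PROGRAM = "100003"


def uaddr_port(uaddr):
    """Decode an rpcbind universal address: the last two octets are the port."""
    hi, lo = uaddr.rsplit(".", 2)[-2:]
    return int(hi) * 256 + int(lo)


def rpcinfo_versions(text, program=NFS_PROGRAM):
    """Return the sorted RPC versions rpcbind advertises for one program."""
    versions = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == program:
            versions.add(int(fields[1]))
    return sorted(versions)


def exports_v4_sec(text):
    """Return the sec= flavors on the 'V4:' line of an exports file, or None."""
    for line in text.splitlines():
        if line.lstrip().startswith("V4:"):
            m = re.search(r"-sec=([\w:]+)", line)
            return m.group(1).split(":") if m else []
    return None


def audit(rpcinfo_text, exports_text):
    """Cross-check advertised NFS versions against the V4 export's flavors."""
    findings = []
    versions = rpcinfo_versions(rpcinfo_text)
    flavors = exports_v4_sec(exports_text)
    if 4 not in versions:
        findings.append(f"nfs (100003) advertised only for versions {versions}; v4 is not reachable")
    if flavors is None:
        findings.append("no V4: line in exports, so no NFSv4 root is exported")
    elif "sys" in flavors:
        findings.append("V4 line still permits sec=sys, so clients may mount without Kerberos")
    return findings
```

Run it against `rpcinfo -p <host>` and a copy of /etc/exports; an empty list from `audit()` means v4 is advertised and the V4 export is Kerberos-only.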