Hello everyone,
I've had a search of the forums over the past few days and don't seem to be able to find anything about this issue, so here goes:
Attempting to enable any kind of krb5 security from the TrueNAS 12 RC2 GUI results in the following error;
Code:
freenas "[security] Item#0 is not valid per list types: [provider] Invalid choice: krb5p"
Full traceback as follows;
Code:
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 137, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self,
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1191, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/service.py", line 455, in create
    rv = await self.middleware._call(
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1191, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 972, in nf
    args, kwargs = clean_and_validate_args(args, kwargs)
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 930, in clean_and_validate_args
    value = attr.clean(args[args_index + i])
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 607, in clean
    data[key] = attr.clean(value)
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 470, in clean
    raise Error(self.name, 'Item#{0} is not valid per list types: {1}'.format(index, found))
middlewared.schema.Error: [security] Item#0 is not valid per list types: [provider] Invalid choice: krb5p
I'm running in an LDAP environment with domain membership and Kerberos keytabs properly imported. I can kinit all domain accounts and there's an nfs service principal for freenas under the correct hostname.
One peculiar issue is that even though NFS4 is enabled, rpcinfo from another machine shows the following;
Code:
100003 2 tcp  0.0.0.0.8.1   nfs      superuser
100003 3 tcp  0.0.0.0.8.1   nfs      superuser
100024 1 udp6 ::.3.47       status   superuser
100024 1 tcp6 ::.3.47       status   superuser
100024 1 udp  0.0.0.0.3.47  status   superuser
100024 1 tcp  0.0.0.0.3.47  status   superuser
100021 0 udp6 ::.3.141      nlockmgr superuser
100021 0 tcp6 ::.3.253      nlockmgr superuser
100021 0 udp  0.0.0.0.2.168 nlockmgr superuser
100021 0 tcp  0.0.0.0.3.254 nlockmgr superuser
100021 1 udp6 ::.3.141      nlockmgr superuser
100021 1 tcp6 ::.3.253      nlockmgr superuser
100021 1 udp  0.0.0.0.2.168 nlockmgr superuser
100021 1 tcp  0.0.0.0.3.254 nlockmgr superuser
100021 3 udp6 ::.3.141      nlockmgr superuser
100021 3 tcp6 ::.3.253      nlockmgr superuser
100021 3 udp  0.0.0.0.2.168 nlockmgr superuser
100021 3 tcp  0.0.0.0.3.254 nlockmgr superuser
100021 4 udp6 ::.3.141      nlockmgr superuser
100021 4 tcp6 ::.3.253      nlockmgr superuser
100021 4 udp  0.0.0.0.2.168 nlockmgr superuser
100021 4 tcp  0.0.0.0.3.254 nlockmgr superuser
It seems NFSv4x isn't available despite being enabled in the GUI.
Cat of /etc/exports however;
Code:
V4: / -sec=sys:krb5:krb5i:krb5p ... ... ... .. .
I am very keen on working out some security for my network shares, but between being slowed down by LDAP-related bugs (I still can't enable encryption for the LDAP bind, for instance, without a similar middleware error) and other issues which have only recently been resolved, I'm starting to feel I'd be better served by building a fileserver off something which plays nicer in non-AD domain environments.
Does anyone have any ideas of what I could try next?