On 22-02-17 14:05, Brendan Kearney wrote:
> On 02/22/2017 05:23 AM, Kees Bakker wrote:
>> On 21-02-17 19:49, Brendan Kearney wrote:
>>> On 02/21/2017 10:57 AM, Kees Bakker wrote:
>>>> Hey,
>>>>
>>>> Maybe one of the NFS users on this list could give me a hint what
>>>> could be wrong. I'm not sure if it has any relation with FreeIPA/Kerberos.
>>>>
>>>> I've set up an NFS server and I can mount the NFS directory on my client. 
>>>> So, I'm
>>>> guessing that setting up Kerberos principal was done correctly.
>>>>
>>>> However, only root can actually access the mounted contents. Any other user
>>>> only sees question marks as shown below.
>>>>
>>>> The mount command is simple.
>>>> $ sudo mount -v -t nfs srv1.example.com:/home /nfshome
>>>> mount.nfs: timeout set for Tue Feb 21 16:36:39 2017
>>>> mount.nfs: trying text-based options 
>>>> 'vers=4,addr=172.16.16.45,clientaddr=172.16.16.30'
>>>>
>>>> On the server side /etc/exports looks like this.
>>>> /home        *(rw,sync,sec=krb5i,no_subtree_check)
>>>>
>>>> $ sudo mount |grep nfs
>>>> srv1.example.com:/home on /nfshome type nfs4 
>>>> (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5i,clientaddr=172.16.16.30,local_lock=none,addr=172.16.16.45)
>>>>
>>>> $ sudo ls -ld /nfshome
>>>> drwxr-xr-x 1 root root 72 feb 21 04:22 /nfshome
>>>> $ sudo ls -l /nfshome
>>>> total 0
>>>> drwxr-xr-x 1 keesb  keesb  116 jan 27 12:56 keesb
>>>>
>>>> $ ls -l /nfshome
>>>> ls: cannot access '/nfshome': Permission denied
>>>> $ ls -l / | grep nfshome
>>>> ls: cannot access '/nfshome': Permission denied
>>>> d?????????   ? ?    ?       ?            ? nfshome
>>>>
>>> sec=krb* means that the user accessing the mount has to authenticate with a 
>>> kerberos ticket, and has to be the user or in the group granted access to 
>>> the share.  from the looks of things, the user did not authenticate, and 
>>> that is why the permissions are question marks.  check the kerberos tickets 
>>> that the user has (klist output).  Otherwise, the ownership might be user 
>>> and group that the client machine does not recognize (think posix 
>>> user/group that is not in sync between the NFS server and the client)
>> Thanks for the reply.
>>
>> In this case the user _is_ authenticated.
>> keesb@client1:~$ klist
>> Ticket cache: KEYRING:persistent:60001:60001
>> Default principal: ke...@example.com
>>
>> Valid starting     Expires            Service principal
>> 22-02-17 09:20:30  23-02-17 09:20:25  krbtgt/example....@example.com
> no, the user has a TGT.  a nfs/host.domain.tld@REALM ticket is needed to 
> authenticate.

(( I'm trying to catch up on the acronyms. TGT. Reading wikipedia now. ))

>>
>> What other grants could be needed? HBAC Rules?
>>
>> Do I need an nfs principal for the client? (I didn't think so, but many 
>> HOWTO's say so [2]. Anyway, it
>> doesn't help to get access for the user.)
> there are principals to create and keytabs to be updated on hte NFS sever, if 
> not done already.

I did create a principal for the NFS server (using ipa service-add) and
add to the keytab on the NFS server (using ipa-getkeytab) ...
root@srv1# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/srv1.example....@example.com (aes256-cts-hmac-sha1-96)
   1 host/srv1.example....@example.com (aes128-cts-hmac-sha1-96)
   1 nfs/srv1.example....@example.com (aes256-cts-hmac-sha1-96)
   1 nfs/srv1.example....@example.com (aes128-cts-hmac-sha1-96)

Is this what you mean?

>   then the user should be able to pull the ticket for auth.

Sorry to ask, but how do I do that? On the client, I suppose, and by the user ??

keesb@client1$ kinit nfs/srv1.example....@example.com
Password for nfs/srv1.example....@example.com:

But I don't have a password for that. Hmm.

>>
>> Furthermore, I'm guessing that the host principle which I got after 
>> ipa-client-install is
>> good enough. (This [1] wiki suggests that I need to do a ipa-getkeytab for 
>> it, which I
>> did not do.)
>> # klist -ke
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- 
>> --------------------------------------------------------------------------
>>     1 host/client1.example....@example.com (aes256-cts-hmac-sha1-96)
>>     1 host/client1.example....@example.com (aes128-cts-hmac-sha1-96)
>>
>> [1] http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>> [2] https://www.lisenet.com/2016/kerberised-nfs-server-on-rhel-7/
>
> http://www.itp.uzh.ch/~dpotter/howto/kerberos
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to