[Bug 294501] Cannot Mount Jailed Kerberized NFSv4 Server Exports After Upgrade to 15.0

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294501

            Bug ID: 294501
           Summary: Cannot Mount Jailed Kerberized NFSv4 Server Exports
                    After Upgrade to 15.0
           Product: Base System
           Version: 15.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: fntms@pryse.net

I have been running jailed kerberized NFSv4 server for many months on FreeBSD
14.x (latest being 14.3). I have been mounting exports from this server on my
linux clients and the server has been working flawlessly. After an attempted
upgrade to 15.0-RELEASE, I can no longer mount any of the exports. the mount
fails with a "Permission Denied" error. I have replicated the server
configuration on a non-jailed host and have no problem mounting the shares.

When running gssd in verbose mode on the 15.0 jail, I see no evidence in
daemon.log of any upcalls from the kgssapi kernel module in the jail.
Conversely, when running the server with 14.3 or on an unjailed host, I see the
expected upcalls to get names and credentials in the jail and ultimately
authentication is successful.

Examining source code for gssd, I noticed a change in IPC (kernel to gssd)
strategy from using local unix sockets on 14.x to using Netlink multicast on
15.0. In reading reading man pages, web articles and other literature on the
subject, I am unclear whether the boundary/scope of Netlink multicast traffic
is the machine or the network stack. If it is the later, it seems that Netlink
multicast was not designed to traverse bridges and epairs to another VNET and
that would certainly explain why gssd is not working in a VNET jail.

-- 
You are receiving this mail because:
You are the assignee for the bug.