Re: Kerberized NFSv4: wrong security flavor
- In reply to: Arno Thuber : "Kerberized NFSv4: wrong security flavor"
Date: Sun, 06 Feb 2022 21:20:50 UTC
Arno Thuber wrote:
> Hello there,
>
> for weeks I'm trying to get kerberized NFSv4 working on a FreeBSD server.
> Originally I tried using a Linux client which didn't work, so I now switched
> to a FreeBSD client which doesn't work either but with another error.
> Remark: Linux server and client are working with the same KDC.
>
> It feels I've read each and every tutorial on kerberized NFS but just don't
> see the error.
>
> But now for the error on the FreeBSD client:
> root@freebsd-client: # mount -vvv -o nfsv4,sec=krb5 freebsd.fqdn:/srv/nfsshare /mnt/nfs/
> mount_nfs: nmount: /mnt/nfs, wrong security flavor

On the server, you must have sec=krb5 on the exports line(s) for the file
system and on the "V4:" line.

On the client, you either have to have a valid TGT in the cred. cache for
uid 0 OR have a host based kerberos principal in /etc/krb5.keytab that
looks like:
  host/<fqdn-of-client-in-lower-case>@YOUR.REALM
For example:
  host/nfs-client.my.dns.domain@MY.REALM
(Not host/nfs-client@MY.REALM or host/Nfs-Client@MY.REALM)

You can check this keytab entry works by doing
  # kinit -k host/nfs-client.my.dns.domain
  # klist
--> You should have a TGT in the root credential cache.
(When the gssd does this, it will end up in /tmp/krb5cc_gssd, but kinit -k
will put it in /tmp/krb5cc_0, which is ok, since kinit -k is just testing
the keytab entry.)
--> Then you must specify "gssname=host" as an argument for the mount.

The gssd must be running on both client and server.
If you still don't get it working, run the gssd with "-v" and look at log
messages (I think it does LOG_DAEMON | LOG_INFO to syslogd).

If you post again, include the /etc/exports file that you have on the
server.

rick
ps: It used AUTH_SYS below as a fallback, since it could not create/find a
TGT, I think?

> And what Wireshark shows fits the message:
> Remote Procedure Call, Type:Call XID:0x69cd8522
>     Fragment header: Last fragment, 152 bytes
>     XID: 0x69cd8522 (1775076642)
>     Message Type: Call (0)
>     RPC Version: 2
>     Program: NFS (100003)
>     Program Version: 4
>     Procedure: COMPOUND (1)
>     [The reply to this request is in frame 16]
>     Credentials
>         Flavor: AUTH_UNIX (1)
>         Length: 56
>         Stamp: 0x61ffd269
>         Machine Name: freebsd-client.local.eyserver.de
>             length: 32
>             contents: freebsd-client.local.eyserver.de
>         UID: 0
>         GID: 0
>         Auxiliary GIDs (1) [5]
>     Verifier
>         Flavor: AUTH_NULL (0)
>         Length: 0
>
> GSSD is running and also seems to be in the loop (shows output on mount when
> run as gssd -vhd) but it seems to just right away ignore the request for krb5.
>
> Do you have any ideas on this? Or at least what I can do to debug this?
>
> FreeBSD used is 13.0-RELEASE.
>
> Regards,
> Arno
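Added example, not code from either poster: a small POSIX sh check for the two prerequisites the reply lists, that every exports line including the "V4:" line carries sec=krb5, and that the client's keytab principal has the host/<lowercase fqdn>@REALM shape. The function names and the sample exports contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Offline sanity checks for the two
# requirements in the reply: sec=krb5 on every exports line (the "V4:" line
# included) and a correctly formed host principal. Names and file contents
# below are constructed; adapt to your own /etc/exports and realm.

# check_exports FILE: print each non-comment line lacking sec=krb5; fail if any.
check_exports() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;                 # skip blank and comment lines
            *sec=krb5*) ;;                      # ok: sec=krb5, krb5i or krb5p
            *) echo "no sec=krb5: $line"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# check_principal PRINC: true only for host/<fully qualified, lowercase>@<UPPER REALM>.
check_principal() {
    case "$1" in host/*@*) ;; *) return 1 ;; esac
    host=${1#host/}; host=${host%%@*}; realm=${1##*@}
    case "$host" in *.*) ;; *) return 1 ;; esac   # short name, not an FQDN
    [ "$host" = "$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Constructed sample exports(5) files: one correct, one missing sec=krb5 on V4:.
GOOD_EXPORTS=$(mktemp); BAD_EXPORTS=$(mktemp)
trap 'rm -f "$GOOD_EXPORTS" "$BAD_EXPORTS"' EXIT
cat > "$GOOD_EXPORTS" <<'EOF'
/srv/nfsshare -sec=krb5 -network 192.0.2.0 -mask 255.255.255.0
V4: /srv -sec=krb5
EOF
cat > "$BAD_EXPORTS" <<'EOF'
/srv/nfsshare -sec=krb5 -network 192.0.2.0 -mask 255.255.255.0
V4: /srv
EOF

if check_exports "$GOOD_EXPORTS"; then echo "good exports: ok"; fi
if check_exports "$BAD_EXPORTS"; then :; else echo "bad exports: rejected"; fi
for p in host/nfs-client.my.dns.domain@MY.REALM host/nfs-client@MY.REALM \
         host/Nfs-Client.my.dns.domain@MY.REALM; do
    if check_principal "$p"; then echo "accepted: $p"; else echo "rejected: $p"; fi
done
```

A server whose V4: line fails check_exports is exactly the case where the client falls back to AUTH_SYS and the mount reports "wrong security flavor".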