Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: rhel-8.9.0.z, rhel-9.3.0.z
Component/s: krb5
Labels:
- NFS
- kerberos

Pool Team:

sst_idm_ipa
Sub-System Group:

ssg_idm

Blocked:
False
Blocked Reason:

Hide

None

Show
None

SFDC Cases Counter:
SFDC Cases Links:

Description

With a CentOS Stream 8 system running an NFS server, a principal and keytab is generated to allow for kerberized NFS. The keytabs are requested from IPA that are running on CentOS Stream 9.

```
% ipa service-add nfs/stream8.vbox.angelsofclockwork.net
% ipa-getkeytab -s ipa01.angelsofclockwork.net -p nfs/stream8.vbox.angelsofclockwork.net -k /etc/krb5.keytab
% cat /etc/exports
/export/krb *(rw,all_squash,sec=krb5:krb5i:krb5p)

% exportfs -arv
exporting *:/export/krb

% systemctl enable nfs-server --now
```

Versions:

CentOS Stream 8: krb5-1.18.2-26.el8
CentOS Stream 9: krb5-1.21.1-1.el9

NFS mounts using sec=krb5 have stopped working entirely as a client, presenting "permission denied" and then "access denied".

```

mount -vvvv -t nfs -o sec=krb5 stream8.vbox.angelsofclockwork.net:/export/krb /mnt
mount.nfs: timeout set for Tue Dec 5 19:20:56 2023
mount.nfs: trying text-based options 'sec=krb5,vers=4.2,addr=dead::beef::17,clientaddr=dead::beef::18'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,vers=4.2,addr=10.100.0.17,clientaddr=10.100.0.18'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,vers=4,minorversion=1,addr=dead::beef::17,clientaddr=dead::beef::18'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,vers=4,minorversion=1,addr=10.100.0.17,clientaddr=10.100.0.18'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=dead::beef::17,clientaddr=dead::beef::18'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=10.100.0.17,clientaddr=10.100.0.18'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,addr=dead::beef::17'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying dead::beef::17 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying dead::beef::17 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,addr=10.100.0.17'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.100.0.17 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.100.0.17 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting stream8.vbox.angelsofclockwork.net:/export/krb
```

On the server side, rpc.mountd will show this:

```
Dec 04 11:04:29 stream8.vbox.angelsofclockwork.net rpc.mountd[12667]: granted access to /export/krb for *.angelsofclockwork.net,10.100.0.0/24
```

What works:

CentOS Stream 8 server and CentOS Stream 8 client.
CentOS Stream 9 server and CentOS Stream 8 client.
CentOS Stream 9 server and CentOS Stream 9 client.

What doesn't work:

CentOS Stream 8 server and CentOS Stream 9 client
CentOS Stream 8 server and Fedora client

It is likely this is also broken with Red Hat Enterprise Linux. However I have not renewed my subscription yet to try to stand up systems to verify. As far as I can tell, the kerberos versions should be close if not the same between Stream and RHEL at this present time, so the behavior should be similar.

Attachments

Activity

People

Assignee:: Julien Rische

Reporter:: Louis Abel

Developer:: Julien Rische

QA Contact:: IPA QE Bot

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2023/12/31 1:46 AM

Updated:: 2024/02/13 1:35 PM