Bug 1018606 - Kerberized NFS fails, but still creates a side pane entry in nautilus
Kerberized NFS fails, but still creates a side pane entry in nautilus
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: nfs-utils (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: nfs-maint
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-13 14:39 EDT by David Jones
Modified: 2016-09-06 16:37 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-17 12:39:32 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Jones 2013-10-13 14:39:08 EDT
Description of problem:
After installing freeIPA on my Fedora 19 server and client, and then set NFS, following the instructions for kerberized NFS meticulously.

However, attempting to mount and export results in either "operation not permitted" or "access denied." Even with the -vvv option, this is all I get.


Version-Release number of selected component (if applicable):


How reproducible:
Always.


Steps to Reproduce:
1. Associate NFS client and server to IPA realm.
2. Configure kerberized NFS.
3. Attempt to mount.

Actual results:
Access denied or operation not permitted. Verbose output does nothing.


Expected results:
Successfully mount export. Verbose output that's actually verbose.


Additional info:
First I ran ipa-client-install on the client and NFS server. I ran kinit on both, with no errors.

After creating the NFS principal for both server and client:
On server:
ipa-get-keytab nfs/nfs.my.dom@MY.DOM -k /etc/krb5.keytab
On client:
ipa-get-keytab nfs/client.my.dom@MY.DOM -k /etc/krb5.keytab

In /etc/exports:
/home/myuser *(rw,sec=krb5,sync)

It's not clear how to enable the necessary services in the instructions, but this is what I did:
On server:
systemctl enable nfs-server.service
systemctl enable nfs-secure.service
systemctl enable nfs-secure-server.service
systemctl start nfs-server.service
systemctl start nfs-secure.service
systemctl start nfs-secure-server.service

On client:
systemctl enable nfs-idmap.service
systemctl enable nfs-secure.service
systemctl enable rcpbind.service
systemctl start nfs-idmap.service
systemctl start nfs-secure.service
systemctl start rcpbind.service

Disabled the firewall on server and client:
systemctl stop firewalld.service

Attempting the mount from the client:
mount -vvv -t nfs4 -o sec=krb5 nfs.my.dom:/home/myuser ~/NFSHOME
mount.nfs4 operation not permitted.

If I change the export to:
/home/myuser *(rw, sec=sys:krb5, sync)

I get:
mount.nfs4: access denied by server while mounting (null)

If I try to mount on the server to localhost, I get:
mount -vvv -t nfs4 -o sec=krb5p localhost:/home/myuser /mnt
mount.nfs4 mount(2): Permission Denied
mount.nfs4: access denied by server while mounting localhost:/home/myuser

If I change the export security to sec=sys:krb5, it mounts successfully, on localhost.

I set the RPCGSSDARGS and RPCSVCGSSDARGS to -vvv on both client and server, but, as you can see, the "verbose" output is pretty scant.

I tried setting selinux to permissive mode on both machines, but no luck.

The output of klist -k /etc/krb5.keytab on both machines shows valid nfs and host principles.

I've set this up sucessfully with RHEL 6 servers before. So what's difference here? Is this a bug in Fedora 19.
Comment 1 David Jones 2013-10-14 12:03:35 EDT
Even though the mount failed, an entry for it showed up in Nautilus. After moving my laptop to another location outside the LAN, nautilus and gnome-terminal hung and the system had to be rebooted to fix it. I tried opening new terminals, but they hung as well. shutdown took a long time, probably because the system was trying to "unmount" the NFS export.
Comment 2 Martin Kosek 2013-10-25 09:39:18 EDT
Thanks for the report and sorry for long wait. This looks as a general NFS issue, moving to nfs-utils component for advise what should be done with it.
Comment 3 David Jones 2013-10-31 11:22:58 EDT
Update. I've pulled in all the latest updates, including several for kerberos and IPA, and the problem persists.
Comment 4 Simo Sorce 2013-10-31 12:07:59 EDT
(In reply to David Jones from comment #0)
> Description of problem:
> After installing freeIPA on my Fedora 19 server and client, and then set
> NFS, following the instructions for kerberized NFS meticulously.
> 
> However, attempting to mount and export results in either "operation not
> permitted" or "access denied." Even with the -vvv option, this is all I get.
> 
> 
> Version-Release number of selected component (if applicable):
> 
> 
> How reproducible:
> Always.
> 
> 
> Steps to Reproduce:
> 1. Associate NFS client and server to IPA realm.
> 2. Configure kerberized NFS.
> 3. Attempt to mount.
> 
> Actual results:
> Access denied or operation not permitted. Verbose output does nothing.
> 
> 
> Expected results:
> Successfully mount export. Verbose output that's actually verbose.
> 
> 
> Additional info:
> First I ran ipa-client-install on the client and NFS server. I ran kinit on
> both, with no errors.
> 
> After creating the NFS principal for both server and client:
> On server:
> ipa-get-keytab nfs/nfs.my.dom@MY.DOM -k /etc/krb5.keytab
> On client:
> ipa-get-keytab nfs/client.my.dom@MY.DOM -k /etc/krb5.keytab
> 
> In /etc/exports:
> /home/myuser *(rw,sec=krb5,sync)
> 
> It's not clear how to enable the necessary services in the instructions, but
> this is what I did:
> On server:
> systemctl enable nfs-server.service
> systemctl enable nfs-secure.service
> systemctl enable nfs-secure-server.service
> systemctl start nfs-server.service
> systemctl start nfs-secure.service
> systemctl start nfs-secure-server.service

You should start only nfs-secure-server.service otherwise nfsd will not be told the right options I think.

> On client:
> systemctl enable nfs-idmap.service
> systemctl enable nfs-secure.service
> systemctl enable rcpbind.service
> systemctl start nfs-idmap.service
> systemctl start nfs-secure.service
> systemctl start rcpbind.service

only nfs-secure.service is necessary, it takes care of the right order for dependencies.

> Disabled the firewall on server and client:
> systemctl stop firewalld.service
> 
> Attempting the mount from the client:
> mount -vvv -t nfs4 -o sec=krb5 nfs.my.dom:/home/myuser ~/NFSHOME
> mount.nfs4 operation not permitted.

Seem like krb5 auth is not supported, perhaps due to starting the non-"secure" service first ?

> If I change the export to:
> /home/myuser *(rw, sec=sys:krb5, sync)
> 
> I get:
> mount.nfs4: access denied by server while mounting (null)
> 
> If I try to mount on the server to localhost, I get:
> mount -vvv -t nfs4 -o sec=krb5p localhost:/home/myuser /mnt


This is using sys auth as using 'localhost' will never work with krb5.
However I am confused, I thought you had a separate client and server ?

> mount.nfs4 mount(2): Permission Denied
> mount.nfs4: access denied by server while mounting localhost:/home/myuser
> 
> If I change the export security to sec=sys:krb5, it mounts successfully, on
> localhost.

Using sys auth, not krb5.

> I set the RPCGSSDARGS and RPCSVCGSSDARGS to -vvv on both client and server,
> but, as you can see, the "verbose" output is pretty scant.
> 
> I tried setting selinux to permissive mode on both machines, but no luck.
> 
> The output of klist -k /etc/krb5.keytab on both machines shows valid nfs and
> host principles.
> 
> I've set this up sucessfully with RHEL 6 servers before. So what's
> difference here? Is this a bug in Fedora 19.

can you use rpcdebug -m rpm -s all and see what you get in syslog ?
Comment 5 Simo Sorce 2013-10-31 12:09:21 EDT
Btw moving back to nfs-utils, this is not a freeipa issue.
Comment 6 Simo Sorce 2013-10-31 12:12:16 EDT
Just one more comment, can you verify that the server's key in the server keytab uses the server's fqdn: nfs/<server fqdn name>@REALM and the client's key in the client keytab uses the client fqdn and that both server and client can resolve each other ?
Comment 7 David Jones 2013-11-02 18:44:48 EDT
Yes. Using only nfs-secure-server and nfs-secure worked. Thank you. Is this documented somewhere? I looked everywhere and couldn't find the instructions for using NFS with systemd. 

I do have a separate client and server, but trying to mount over localhost from the server was in the NFS troubleshooting steps. To make sure it's not a network issue. 

So it looks like this is actually a documentation bug.
Comment 8 Simo Sorce 2013-11-03 17:41:09 EST
The distincion between the 2 services is probably to complicated.

SteveD what about we provide only 1 script for the server and only one for the client and just have a sysnconfig option to say secure = yes|no ?

With secure being on by default ?
It seem like it would cause a lot less confusion IMO.
Comment 9 David Jones 2013-11-05 13:23:22 EST
"systemctl status rpcbind" returns:

   Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; disabled)
   Active: failed (Result: exit-code) since Tue 2013-11-05 13:19:19 EST; 12s ago
  Process: 2769 ExecStart=/sbin/rpcbind -w ${RPCBIND_ARGS} (code=exited, status=0/SUCCESS)
 Main PID: 2770 (code=exited, status=2)
   CGroup: name=systemd:/system/rpcbind.service

Nov 05 13:09:57 host.example.com systemd[1]: Started RPC bind service.
Nov 05 13:19:19 host.example.com systemd[1]: Stopping RPC bind service...
Nov 05 13:19:19 host.example.com rpcbind[2770]: rpcbind terminating on signal. Restart with "rpcbind -w"
Nov 05 13:19:19 host.example.com systemd[1]: rpcbind.service: main process exited, code=exited, stat...MENT
Nov 05 13:19:19 host.example.com systemd[1]: Stopped RPC bind service.
Nov 05 13:19:19 host.example.com systemd[1]: Unit rpcbind.service entered failed state.


Shouldn't nfs-secure-server have started the rpcbind service. If I start it explicitly, it loads without errors.
Comment 10 Fedora End Of Life 2015-01-09 15:14:09 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 11 Fedora End Of Life 2015-02-17 12:39:32 EST
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.