Bug 491740 - export of an NFSV3 file system via kerberos requires AUTH_SYS as well
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.2
Hardware: x86_64 Linux
Priority: low
Severity: high
Assigned To: Steve Dickson
QA Contact: Boris Ranto
Reported: 2009-03-23 15:52 EDT by bmsco123
Modified: 2011-07-21 06:29 EDT
Doc Type: Bug Fix
Last Closed: 2011-07-21 06:29:41 EDT


Attachments
Backported Upstream patch (6.20 KB, patch), 2011-04-29 13:57 EDT, Steve Dickson

Description bmsco123 2009-03-23 15:52:29 EDT
Description of problem:

I'm running Red Hat Enterprise Linux 5.2 and set up the system to properly use Kerberos for authentication via an Active Directory server. I am using the nfs-utils-1.0.9 package. When I export a file system for NFS v3 via Kerberos, I seem to be required to also export it via AUTH_SYS.

A simple example of /etc/exports is as follows:

/mnt gss/krb5(rw)

When I mount it from the client system via:
mount -t nfs -o "sec=krb5" 10.30.252.87:/mnt /mnt

I get back the error:
mount: 10.30.252.87:/mnt_psfs failed, reason given by server: Permission denied

The fix that seems to work is to modify /etc/exports as follows:
/mnt *(rw)
/mnt gss/krb5(rw)

This then allows me to mount the NFS file system via either AUTH_SYS or Kerberos.

I found some posts on the web that indicate this is a known problem, but I can't find a bug report in Bugzilla on it. Is this by design, or are there plans to fix this? It means that NFSV3 isn't really secure via Kerberos because it also has to be exported via AUTH_SYS.

Version-Release number of selected component (if applicable):
nfs-utils-1.0.9
Red Hat Enterprise Linux 5.2.

How reproducible:
100% of the time. 

Steps to Reproduce:
1. Set up the system to talk to an AD server via Kerberos (there are a lot of steps to do this).
2. Create /etc/exports with the following export:
/mnt gss/krb5(rw)
3. Run exportfs -r
4. Try to mount that share from a client system via:
mount -t nfs -o "sec=krb5" <ipaddress>:/mnt /mnt

This will fail.

5. Modify /etc/exports to have the additional line:
/mnt *(rw)
and run exportfs -r and the mount will now work.
  
Actual results:
mount: 10.30.252.87:/mnt_psfs failed, reason given by server: Permission denied


Expected results:
The mount should succeed.

Additional info: I think this may be a known problem but can't find a bug report on it. I also can't find any patches for it. As far as I can tell this is specific to NFSV3. Any help would be appreciated on this as it makes NFSV3 exported shares insecure. Thanks.
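
Added example (not part of the original report, and not Red Hat or nfs-utils code): a small audit of /etc/exports that flags paths exported for Kerberos which are also reachable with AUTH_SYS, as in the workaround above. It goes beyond the report's gss/krb5 client syntax by also reading the sec= option from exports(5); the function names and the sample file are constructed, and an entry without sec= is assumed to default to sys.

```python
import re
from collections import defaultdict

# Constructed sample: the workaround from the report plus Kerberos-only exports.
SAMPLE_EXPORTS = """\
# constructed sample, not taken from a real host
/mnt         *(rw)
/mnt         gss/krb5(rw)
/srv/secure  gss/krb5p(rw,sync)
/srv/mixed   gss/krb5(rw) 192.0.2.0/24(ro,sec=krb5:krb5i)
"""

ENTRY = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^)]*)\))?$")

def allows_auth_sys(client, opts):
    """True if this client entry can be used with AUTH_SYS."""
    if client.startswith("gss/"):        # Kerberos pseudo-client, as in the report
        return False
    for opt in opts:
        if opt.startswith("sec="):       # exports(5) flavor list, e.g. sec=krb5:sys
            return "sys" in opt[4:].split(":")
    return True                          # assumption: no sec= means the sys default

def parse_exports(text):
    """Return {path: [(client, [options]), ...]}; quoted paths are not handled."""
    exports = defaultdict(list)
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        for entry in fields[1:]:
            m = ENTRY.match(entry)
            if m is None:
                continue                 # malformed entry: skipped, not guessed at
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            exports[fields[0]].append((m.group("client") or "*", opts))
    return exports

def auth_sys_fallbacks(text):
    """Paths exported for Kerberos that are also reachable with AUTH_SYS."""
    findings = {}
    for path, entries in parse_exports(text).items():
        weak = [c for c, o in entries if allows_auth_sys(c, o)]
        if weak and len(weak) < len(entries):   # mixed: some Kerberos-only, some not
            findings[path] = weak
    return findings

if __name__ == "__main__":
    for path, clients in auth_sys_fallbacks(SAMPLE_EXPORTS).items():
        print(f"{path}: also exported with AUTH_SYS to {', '.join(clients)}")
```

Once the fixed kernel is installed, a path reported here can have its AUTH_SYS entry removed and be re-exported with exportfs -r.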
Comment 1 J. Bruce Fields 2010-07-29 17:06:39 EDT
This should be fixed in current upstream (as of, I think, 04716e6621 kernel commit and 173ac3cc nfs-utils commit).  I haven't checked RHEL5 yet.
Comment 2 Steve Dickson 2011-04-28 15:01:02 EDT
(In reply to comment #1)
> This should be fixed in current upstream (as of, I think, 04716e6621 kernel
> commit and 173ac3cc nfs-utils commit).  I haven't checked RHEL5 yet.

It turns out that nfs-utils already has commit 173ac3cc. It went
in as the fix for bz315401. So all that's needed is the kernel part.
Comment 3 Steve Dickson 2011-04-29 13:57:17 EDT
Created attachment 495827
Backported Upstream patch
Comment 5 Jarod Wilson 2011-05-13 18:17:34 EDT
Patch(es) available in kernel-2.6.18-261.el5
You can download this test kernel (or newer) from http://people.redhat.com/jwilson/el5
Detailed testing feedback is always welcomed.
Comment 13 errata-xmlrpc 2011-07-21 06:29:41 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-1065.html
