Description of problem:
I'm running Red Hat Enterprise Linux 5.2 and set up the system to properly use Kerberos for authentication via an Active Directory server. I am using the nfs-utils-1.0.9 package. When I export a file system for NFS v3 via Kerberos, I seem to be required to also export it via AUTH_SYS. A simple example of /etc/exports is as follows:

/mnt gss/krb5(rw)

When I mount it from the client system via:

mount -t nfs -o "sec=krb5" 10.30.252.87:/mnt /mnt

I get back the error:

mount: 10.30.252.87:/mnt_psfs failed, reason given by server: Permission denied

The fix that seems to work is to modify /etc/exports as follows:

/mnt *(rw)
/mnt gss/krb5(rw)

This then allows me to mount the NFS file system via either AUTH_SYS or Kerberos. I found some posts on the web that indicate this is a known problem, but I can't find a bug report in Bugzilla on it. Is this by design or are there plans to fix this? It means that NFSv3 isn't really secure via Kerberos because it also has to be exported via AUTH_SYS.

Version-Release number of selected component (if applicable):
nfs-utils-1.0.9, Red Hat Enterprise Linux 5.2.

How reproducible:
100% of the time.

Steps to Reproduce:
1. Set up the system to talk to an AD server via Kerberos (there are a lot of steps to do this).
2. Create /etc/exports with the following export: /mnt gss/krb5(rw)
3. Run exportfs -r
4. Try to mount that share from a client system via: mount -t nfs -o "sec=krb5" <ipaddress>:/mnt /mnt
   This will fail.
5. Modify /etc/exports to have the additional line: /mnt *(rw)
   and run exportfs -r, and the mount will now work.

Actual results:
mount: 10.30.252.87:/mnt_psfs failed, reason given by server: Permission denied

Expected results:
The mount should succeed.

Additional info:
I think this may be a known problem but can't find a bug report on it. I also can't find any patches for it. As far as I can tell this is specific to NFSv3. Any help would be appreciated on this as it makes NFSv3 exported shares unsecure. Thanks.
This should be fixed in current upstream (as of, I think, 04716e6621 kernel commit and 173ac3cc nfs-utils commit). I haven't checked RHEL5 yet.
(In reply to comment #1)
> This should be fixed in current upstream (as of, I think, 04716e6621 kernel
> commit and 173ac3cc nfs-utils commit). I haven't checked RHEL5 yet.

It turns out that nfs-utils already has commit 173ac3cc. It went in as the fix for bz315401. So all that's needed is the kernel part.
Created attachment 495827
Backported Upstream patch
Patch(es) available in kernel-2.6.18-261.el5

You can download this test kernel (or newer) from
http://people.redhat.com/jwilson/el5

Detailed testing feedback is always welcomed.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-1065.html
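Servers that still carry the workaround from the original report keep the share mountable with AUTH_SYS, so an audit of /etc/exports can flag paths that are offered with Kerberos and also to a non-Kerberos client. This is an added example, not part of the bug thread or of nfs-utils; the function names and the sample file are constructed, and it also recognises the `sec=` option form from exports(5), which the report does not use. Quoted path names are not handled.

```python
import re
from collections import defaultdict

GSS_CLIENTS = {"gss/krb5", "gss/krb5i", "gss/krb5p"}
ENTRY = re.compile(r"(?P<client>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")

# Constructed sample: /mnt mirrors the workaround described in the report.
SAMPLE = """\
# constructed exports file
/mnt      *(rw)
/mnt      gss/krb5(rw)
/secure   gss/krb5(rw)
/home     192.0.2.0/24(rw,sync) \\
          gss/krb5i(rw)
/data     *(rw,sec=krb5:krb5i)
"""

def parse_exports(text):
    """Return {path: [(client, [options]), ...]} from exports(5)-style text."""
    exports = defaultdict(list)
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        parts = line.split("#", 1)[0].split(None, 1)     # drop comments
        if not parts:
            continue
        # A bare path with no client list is treated here as exported to anyone.
        for tok in (parts[1].split() if len(parts) > 1 else ["*"]):
            m = ENTRY.fullmatch(tok)
            if m:
                opts = [o for o in (m.group("opts") or "").split(",") if o]
                exports[parts[0]].append((m.group("client") or "*", opts))
    return exports

def flavors(client, opts):
    """Security flavors one client entry accepts; AUTH_SYS unless stated."""
    secs = {f for o in opts if o.startswith("sec=") for f in o[4:].split(":")}
    if secs:
        return secs
    return {client.split("/", 1)[1]} if client in GSS_CLIENTS else {"sys"}

def audit(text):
    """Paths offered with Kerberos that some client can still mount with AUTH_SYS."""
    findings = {}
    for path, entries in parse_exports(text).items():
        krb = any(f.startswith("krb5") for c, o in entries for f in flavors(c, o))
        weak = sorted(c for c, o in entries if "sys" in flavors(c, o))
        if krb and weak:
            findings[path] = weak
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
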