NFS: Kerberos (GSS) authenticated exports cannot be mounted by clients #569

Open
Aearsis opened this issue Jan 18, 2020 · 4 comments

@Aearsis Aearsis commented Jan 18, 2020

Description of issue/question

Due to the implicit sec=sys option on the NFSv4 root, kerberized exports do not have the root defined, and mounting such exports fails.

Steps to reproduce issue

Define an NFS export with sec=krb5 and configure Kerberos properly. Even then mounting fails:

# mount nas:/Share /mnt/nas -o sec=krb5,vers=4.2 -vv
mount.nfs4: timeout set for Sat Jan 18 22:36:18 2020
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=1.2.3.4,clientaddr=5.6.7.8'
mount.nfs4: mount(2): Operation not permitted
mount.nfs4: Operation not permitted

This can be fixed simply by adding sec=krb5 to the root export options.


@votdev votdev commented Jan 19, 2020

You can customize that by adding OMV_NFSD_V4_DEFAULT_EXPORT_OPTIONS="ro,fsid=0,root_squash,no_subtree_check,hide,sec=krb5p:krb5i:krb5:sys" to /etc/default/openmediavault and running

# omv-salt stage run prepare
# omv-salt deploy run nfs

@Aearsis Aearsis commented Jan 19, 2020

Sure, I even tried it, but did not run the stage run prepare and it did not work. Also, I had to read the source code to know which variable to change, which is rather suboptimal :)

Couldn't the option be accessible from the web gui? There is plenty of space on the NFS settings tab.


@votdev votdev commented Jan 20, 2020

> Couldn't the option be accessible from the web gui? There is plenty of space on the NFS settings tab.

No, OMV will not become something like Webmin where you can configure everything.


@Aearsis Aearsis commented Jan 20, 2020

It just seems weird to me that you can directly specify options for exports, but not for the root.

At the beginning of the setup, I added the option there manually and made everything work. After a reboot, it took me quite a long time to realize what had been overwritten to make it work again. I'm just trying to prevent others from making the same mistakes - if you think that the current state is OK, just close this issue and PR, no problem on my side.
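A check for the condition discussed in this thread, added here as an example and not part of the issue or of openmediavault's code: it reads exports(5)-style text and reports security flavors that an export offers but the `fsid=0` root entry does not. The sample paths and network are constructed placeholders, the function names are hypothetical, and flavors are pooled across client specs for simplicity.

```python
import re

# Constructed sample /etc/exports content (paths and network are placeholders).
BEFORE = """\
/export/Share 192.0.2.0/24(rw,subtree_check,insecure,sec=krb5)
/export 192.0.2.0/24(ro,fsid=0,root_squash,no_subtree_check,hide)
"""
# Same file with the root option string suggested in the thread.
AFTER = BEFORE.replace(
    "ro,fsid=0,root_squash,no_subtree_check,hide",
    "ro,fsid=0,root_squash,no_subtree_check,hide,sec=krb5p:krb5i:krb5:sys")

CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)")  # one client(options) pair


def sec_flavors(options):
    """Flavors named by sec= options; exports(5) falls back to sys."""
    flavors = set()
    for opt in options:
        if opt.startswith("sec="):
            flavors.update(opt[4:].split(":"))
    return flavors or {"sys"}


def root_gaps(text):
    """Map export path -> flavors it offers that the fsid=0 root does not.

    Simplification: flavors are pooled across client specs per path.
    """
    root, exports = set(), {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:
            continue  # blank line, comment, or path without client list
        path, clients = fields
        for _client, optstr in CLIENT_RE.findall(clients):
            opts = optstr.split(",")
            if "fsid=0" in opts or "fsid=root" in opts:
                root |= sec_flavors(opts)
            else:
                exports.setdefault(path, set()).update(sec_flavors(opts))
    if not root:
        return {}  # no explicit NFSv4 root entry to compare against
    return {p: sorted(f - root) for p, f in exports.items() if f - root}


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, root_gaps(text))
```

Running it against the generated exports file after a reboot or redeploy shows whether the root options were overwritten back to the default.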
