Debian – Setting up a Mac Mountain Lion NFS client to securely access Debian NFS server

debiankerberosmac-osxnfs

Okay, I’m going just about insane here.

Trying to set up an OS X (10.8.2) NFS client to connect to Debian (6.0.6) nfs server. I’ve mostly been following instructions here: https://help.ubuntu.com/community/NFSv4Howto which are very thorough. However, two issues:

When I don’t use Kerberos, the performance sucks (I think something must be timing-out), and all the files are apparently owned by nobody:nobody. Doing an ls of the mounted directory takes tens of seconds.
When I do try to use Kerberos, with a principal created for the server and for the client, I cannot mount the share. The client complains: mount_nfs: can't mount /mnt from servername.domain onto /home: Permission denied

I’ve set up two principals, nfs/servername@REALM and nfs/clientname@REALM, and copied into /etc/krb5.keytab on client and server.

The server is (according to Kerberos logs) getting tickets for nfs/servername.REALM so my suspicion is that the OS X NFS client isn't using its principal somehow.

Any ideas?

Update: /var/log/daemon.log reports:

Oct  7 19:12:43 servername rpc.svcgssd[19635]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.  Minor code may provide more information - No supported encryption types (config file error?)

As per this page: http://permalink.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/5551 I’ve removed all but the DES encryption options in both client and server krb5.keytab files. And added allow_weak_crypto in the /etc/krb5.conf file. And restarted hfs-kernel-server and it still doesn’t work. Sigh.

Actually, now it reports:

Oct  7 19:26:55 servername rpc.svcgssd[19721]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.  Minor code may provide more information - Wrong principal in request

Does that “Wrong principal in request” mean that the client is passing the wrong krb5 principal? Can I control that in OS X?

Best Answer

NFSv4 seems to be fairly broken under Mac OS X 10.8.
The unofficial word is that Apple is aware of the issue but doesn't have a timeline for fixing it. Meanwhile, the consensus is that opendirectoryd is quite broken.

A few places that you might check for better debugging info:

# sysctl -w vfs.generic.nfs.client.idmap_ctrl=127
Watch the output of /var/log/system.log while your are trying to run the ls command.
# odutil set log debug
Watch the output of /var/log/opendirectoryd.log
Use dtrace to figure out where the hangup is.
Our experience has been that nfs4_id2guid is timing out because opendirectoryd isn't always registering itself properly with the kernel.

Related Solutions

Linux – squid authentication error kerberos – windows active directory

Make sure reverse DNS lookup is properly configured for your domain as explained here.

If you run dig -x [domain_controler_ip] and you don't see your domain name in the "ANSWER SECTION" you will get Unspecified GSS failure.

Client not found in kerberos database while getting initial

This command:

c:/> ktpass -princ HTTP/vmproxy.mydomain.com@MYDOMAIN.COM -mapuser squid@MYDOMAIN.COM -crypto rc4-hmac-nt -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out krb5.keytab

I believe sets HTTP/vmproxy.mydomain.com@MYDOMAIN.COM to be a service principal associated with the squid@MYDOMAIN.COM user in AD. Active Directory does not typically allow you to authenticate as a service principal (specifically, does not let it acquire a TGT via an AS_REQ); in theory, service principals are supposed to be for accepting user credentials, not for authenticating to your kerberos realm.

This is different from Unix KDCs, which typically do not distinguish between "service principals" and "user principals" by default, allowing either to authenticate via kinit. In Active Directory, instead the KDC pretends that the principal doesn't exist when you try to kinit as it, which tends to be rather confusing.

If you can successfully authenticate as any other user, I would try testing if the service principal is functional by instead running:

$ kinit some_other_user
$ kvno HTTP/vmproxy.mydomain.com@MYDOMAIN.COM

Which just acquires a service ticket for HTTP/vmproxy.mydomain.com@MYDOMAIN.COM. Or, you may be able to authenticate as squid@MYDOMAIN.COM instead of the service principal you set up.

If you need to be able to kinit as HTTP/vmproxy.mydomain.com@MYDOMAIN.COM directly, I think that is possible, but you need to change the userPrincipalName attribute on the relevant AD account. I can't remember at the moment how to achieve that, but if I recall correctly, you can only have one such UPN; you can't have multiple different principal names you can kinit as for the same account.

Best Answer

Related Solutions

Linux – squid authentication error kerberos – windows active directory

Client not found in kerberos database while getting initial

Related Topic