Regular user can not access NFS4 mounts (permission denied)


Kerberized NFS (any gss) requires Kerberos tickets. You'll have to use the much less secure sys security level if you want users to be able to access NFS without tickets.

It would be better to have users acquire tickets when they log in, either by using sssd or pam_krb5 as part of your PAM auth stack, or by credential delegation for ssh (i.e. GSSAPIAuthentication yes and GSSAPIDelegateCredentials).
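A diagnostic sketch for the situation this answer describes, added here and not part of the original answer: it lists NFS mounts whose options require a per-user Kerberos ticket and reports whether the calling user holds one. The function names and the sample mount lines are constructed for illustration; it assumes the Linux `/proc/mounts` format and MIT Kerberos `klist -s`.

```shell
#!/bin/sh
# Added example: find NFS mounts that need a per-user Kerberos ticket.

# Constructed sample in /proc/mounts format, modelled on the mount in the question.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
nfsserver:/home /homex nfs4 rw,relatime,vers=4.0,sec=krb5p,clientaddr=10.10.10.101 0 0
filer:/scratch /scratch nfs rw,relatime,vers=3,sec=sys 0 0
EOF
}

# Print "mountpoint flavor" for every NFS mount using sec=krb5, krb5i or krb5p.
# Reads the files given as arguments, or stdin when called without arguments.
krb5_nfs_mounts() {
    awk '$3 ~ /^nfs4?$/ {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^sec=krb5[ip]?$/) {
                sub(/^sec=/, "", opt[i])
                print $2, opt[i]
            }
    }' "$@"
}

# Succeeds only if the calling user has a valid, unexpired credential cache.
has_ticket() {
    command -v klist >/dev/null 2>&1 && klist -s
}

# Report Kerberized mounts the current user cannot use yet.
# Returns 0 when there is nothing to fix, 1 when a ticket is missing.
check_user_access() {
    mounts=$(krb5_nfs_mounts "${1:-/proc/mounts}")
    [ -z "$mounts" ] && { echo "no Kerberized NFS mounts"; return 0; }
    if has_ticket; then
        echo "valid ticket found for $(id -un)"
        return 0
    fi
    echo "$mounts" | while read -r mp flavor; do
        echo "$mp ($flavor): no valid ticket for $(id -un); access fails with EACCES (-13) until a ticket is acquired"
    done
    return 1
}

# Demo on the constructed sample: prints "/homex krb5p".
sample_mounts | krb5_nfs_mounts
```

Run `check_user_access` as the affected user, not as root, since the ticket check applies to the caller's own credential cache.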


Author: Mike

Updated on September 18, 2022

Comments

  • Mike almost 2 years

    I have nfsserver and nfsclient machines.

    On nfsserver:

    # cat /etc/exports
    /export        gss/krb5p(rw,sync,fsid=0,no_subtree_check,crossmnt)
    /export/home   gss/krb5p(rw,sync,no_subtree_check)
    

    On nfsclient it mounts OK:

    # mount -vvv -t nfs4 -o sec=krb5p nfsserver:/home /homex
    mount: fstab path: "/etc/fstab"
    mount: mtab path:  "/etc/mtab"
    mount: lock path:  "/etc/mtab~"
    mount: temp path:  "/etc/mtab.tmp"
    mount: UID:        0
    mount: eUID:       0
    mount: spec:  "nfsserver:/home"
    mount: node:  "/homex"
    mount: types: "nfs4"
    mount: opts:  "sec=krb5p"
    mount: external mount: argv[0] = "/sbin/mount.nfs4"
    mount: external mount: argv[1] = "nfsserver:/home"
    mount: external mount: argv[2] = "/homex"
    mount: external mount: argv[3] = "-v"
    mount: external mount: argv[4] = "-o"
    mount: external mount: argv[5] = "rw,sec=krb5p"
    mount.nfs4: timeout set for Tue Apr 30 13:03:13 2013
    mount.nfs4: trying text-based options 'sec=krb5p,addr=10.10.10.100,clientaddr=10.10.10.101'
    nfsserver:/home on /homex type nfs4 (rw,sec=krb5p)
    

    But I can only access this directory as root. A regular user gets:

    $ ls /homex
    ls: cannot access /homex: Permission denied
    
    $ df /homex
    df: `/homex': Permission denied
    df: no file systems processed
    

    I turned on all NFS debugging on both sides (nfsserver, nfsclient) with rpcdebug, but the only thing I see on the nfsclient while a regular user is trying to access the mounted directory is:

    Apr 30 12:51:19 nfsclient kernel: [ 5896.339330] NFS: permission(0:13/917551), mask=0x24, res=-13
    
    Apr 30 12:51:32 nfsclient kernel: [ 5909.182185] NFS: revalidating (0:13/917551)
    Apr 30 12:51:32 nfsclient kernel: [ 5909.189372] nfs_revalidate_inode: (0:13/917551) getattr failed, error=-13
    

    There is nothing on the nfsserver side then (not even network traffic when sniffing with tcpdump).

    File permissions seem to be OK:

    # ls -ld /homex
    drwxr-xr-x 3 root root 4096 Apr  5 18:15 /homex
    
    # ls -l /homex
    total 4
    drwxr-xr-x 6 mike mike 4096 Apr 29 13:48 mike
    
    
    # df /homex
    Filesystem           1K-blocks      Used Available Use% Mounted on
    nfsserver:/home
                      20640384   1390208  18201600   8% /homex
    

    User mike has the same UID on both machines.