Re: kerberized NFSv4 client reporting operation not permitted when mounting with sec=sys


 



Hi everybody

I am resuscitating a call for help that I issued in February. Maybe somebody can give me a hand? On an NFSv4 server, with Kerberos authentication enabled and working, I have generated a separate export that I want to export with only sys authentication. I am stuck exactly at the same point where I was :-/.

This is what I have done, so far:

[root@nfs-server etc]# exportfs -v
/export 10.0.0.0/8(sync,wdelay,hide,crossmnt,no_subtree_check,fsid=0,sec=krb5:krb5i:krb5p,rw,secure,root_squash,no_all_squash)
/export/home 10.0.0.0/8(sync,wdelay,hide,no_subtree_check,sec=krb5:krb5i:krb5p,rw,secure,root_squash,no_all_squash)
/export/smop 10.0.0.0/8(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
/export/scratch 10.0.0.0/8(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)

and I still get the same error on the client (here with nfs mount debugging enabled):

Jul 02 15:13:44 lfd8-Lx kernel: NFS: nfs mount opts='hard,sec=sys,vers=4.1,addr=10.0.2.9,clientaddr=10.1.0.33'
Jul 02 15:13:44 lfd8-Lx kernel: NFS:   parsing nfs mount option 'hard'
Jul 02 15:13:44 lfd8-Lx kernel: NFS: parsing nfs mount option 'sec=sys'
Jul 02 15:13:44 lfd8-Lx kernel: NFS: parsing sec=sys option
Jul 02 15:13:44 lfd8-Lx kernel: NFS: parsing nfs mount option 'vers=4.1'
Jul 02 15:13:44 lfd8-Lx kernel: NFS: parsing nfs mount option 'addr=10.0.2.9'
Jul 02 15:13:44 lfd8-Lx kernel: NFS: parsing nfs mount option 'clientaddr=10.1.0.33'
Jul 02 15:13:44 lfd8-Lx kernel: NFS: MNTPATH: '/smop'
Jul 02 15:13:44 lfd8-Lx kernel: --> nfs4_try_mount()
Jul 02 15:13:44 lfd8-Lx mount[30152]: mount.nfs4: Operation not permitted
Jul 02 15:13:44 lfd8-Lx kernel: <-- nfs4_try_mount() = -1 [error]

Getting a trace on the server with 'tshark -i eth0 -p -w /tmp/nfs_mount.cap host 10.1.0.33 and port nfs' while running the mount, I get:
Running as user "root" and group "root". This could be dangerous.
1 0.000000000 10.1.0.33 -> 10.0.2.9 NFS 246 V4 Call GETATTR FH: 0x4bfbf778
2 0.000097402 10.0.2.9 -> 10.1.0.33 NFS 246 V4 Reply (Call In 1) GETATTR
3 0.000790512 10.1.0.33 -> 10.0.2.9 TCP 54 956 > nfs [ACK] Seq=193 Ack=193 Win=4565 Len=0
4 0.416074043 10.1.0.33 -> 10.0.2.9 NFS 206 V4 Call PUTROOTFH | GETATTR
5 0.416209445 10.0.2.9 -> 10.1.0.33 NFS 146 V4 Reply (Call In 4) PUTROOTFH Status: NFS4ERR_WRONGSEC
6 0.416853354 10.1.0.33 -> 10.0.2.9 TCP 54 956 > nfs [ACK] Seq=345 Ack=285 Win=4565 Len=0

And when displaying frame #4, I get that it is requesting the 'sys' authentication:
    Credentials
        Flavor: AUTH_UNIX (1)
        Length: 36
        Stamp: 0x00419352
        Machine Name: lfd8-Lx
            length: 13
            contents: lfd8-Lx
            fill bytes: opaque data
but then, in frame #5, it returns NFS4ERR_WRONGSEC.

This is running CentOS 7.6 (kernel 3.10.0-1127.13.1.el7.x86_64), just updated and rebooted. SELinux is not enforced.

---
Felix Rubio
"Don't believe what you're told. Double check."


