How to pass -n flag to rpc.gssd?

Dear openSUSE community,

In my institution we will be required to mount our remote filesystem using secure NFS (v4), authenticating with Kerberos (krb5), without being assigned a keytab file.
I.e. this means that root needs to acquire a ticket by means of kinit, then mount the NFS share, and then the user needs to authenticate with kinit to access the share locally.
Because no keytab file exists one needs to run the rpc.gssd daemon with the "-n" flag.

Under Debian this would be possible by adding the option
RPCGSSDOPTS="-n"
in the file /etc/default/nfs-common
However, I have not found the equivalent of this in openSUSE's configuration file located at
/etc/sysconfig/nfs

Instead, the only possibility I saw was by modifying the file(s)
/etc/init.d/nfs
and perhaps
/usr/sbin/rcnfs
directly, by adding the -n flag by changing all instances of
startproc $GSSD_BIN
in those files, to
startproc $GSSD_BIN -n
(or by adding some script code to accept a new flag),
and this works!

But of course, this method is not very desirable (I suspect the changes will be reverted when the nfs client packages are updated) - or user friendly for that matter!

Q: Is there another way to do this properly?

Best regards,

A happy openSUSE 12.1 camper


For completeness I have added the various steps to reproduce my situation, and the corresponding error messages, below:

Step 1: Set up NFS configuration file

  • Change the following two options in /etc/sysconfig/nfs to "yes": NFS_SECURITY_GSS and NFS_START_SERVICES ->
    NFS_SECURITY_GSS="yes"
    NFS_START_SERVICES="yes"

Step 2: Obtain a Kerberos ticket by means of kinit -p username as root ->
# kinit -p XYZ123

Step 3: Try to mount the NFS share
# mount -vvv -t nfs -o sec=krb5,proto=tcp,vers=4 servername.domain.local:/Home01/X/Y/Z/XYZ123 /mnt/XYZ123
This will fail with the message:
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting servername.domain.local:/Home01/X/Y/Z/XYZ123 /mnt/XYZ123

And in /var/log/warn you will see:
computername rpc.gssd[8820]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host servername.domain.local
computername rpc.gssd[8820]: ERROR: No credentials found for connection to server servername.domain.local

Now this is without the -n flag, to verify this I run:

ps ax | grep gssd

8820 ? Ss 0:00 /usr/sbin/rpc.gssd
Now if I kill rpc.gssd and restart using:

pkill rpc.gssd

/usr/sbin/rpc.gssd -n

and verify:

ps ax | grep gssd

8907 ? Ss 0:00 /usr/sbin/rpc.gssd -n
Then the mount command
# mount -vvv -t nfs -o sec=krb5,proto=tcp,vers=4 servername.domain.local:/Home01/X/Y/Z/XYZ123 /mnt/XYZ123
works!
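The reproduction steps above check which flags rpc.gssd is running with by grepping ps output. As an added example (not part of the original post), the POSIX shell functions below read the daemon's argv from /proc/<pid>/cmdline instead, which is NUL-separated and so cannot mistake the grep itself or a similarly named process for rpc.gssd. They report whether -n is set and whether /etc/krb5.keytab exists at all, which is what the "no usable keytab entry found" error is about. The function names, the script file name and the keytab path default are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the forum thread: inspect the running rpc.gssd
# through /proc rather than "ps ax | grep gssd".

# argv_has_flag FILE FLAG
# FILE holds an argv in /proc/<pid>/cmdline format (NUL-separated).
# Succeeds only if FLAG is a whole argument, so "-nfs" or "--name" do not
# count as "-n" (combined short options such as "-fn" are not detected).
argv_has_flag() {
    tr '\000' '\n' < "$1" | grep -qx -- "$2"
}

# gssd_pids: PIDs whose comm is rpc.gssd (Linux /proc only).
gssd_pids() {
    for comm in /proc/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        [ "$(cat "$comm" 2>/dev/null)" = "rpc.gssd" ] || continue
        pid=${comm#/proc/}
        echo "${pid%/comm}"
    done
}

# gssd_status: one line per rpc.gssd process.
# Returns 0 if some rpc.gssd runs with -n, 1 if it runs without -n
# (root mounts will look for machine credentials in the keytab),
# 2 if rpc.gssd is not running at all.
gssd_status() {
    found=0
    with_n=0
    for pid in $(gssd_pids); do
        found=1
        if argv_has_flag "/proc/$pid/cmdline" -n; then
            with_n=1
            echo "rpc.gssd[$pid]: -n set, root uses its own kinit ticket"
        else
            echo "rpc.gssd[$pid]: -n NOT set, root would use /etc/krb5.keytab"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "rpc.gssd is not running"
        return 2
    fi
    [ "$with_n" -eq 1 ]
}

# keytab_status [KEYTAB]: the error quoted in the thread comes from rpc.gssd
# looking for machine credentials in the keytab; say whether one exists.
keytab_status() {
    kt=${1:-/etc/krb5.keytab}
    if [ -s "$kt" ]; then
        echo "keytab $kt present"
        return 0
    fi
    echo "no keytab at $kt: rpc.gssd needs -n and root must kinit before mounting"
    return 1
}

# Usage, as root on the NFS client (script name is an assumption):
#   . ./gssd_check.sh && gssd_status && keytab_status
```

Run as root after `/usr/sbin/rpc.gssd -n` has been started; a non-zero exit from gssd_status before attempting the mount tells you that the "Permission denied" from mount.nfs will be the keytab lookup, not the Kerberos ticket itself.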

A really comprehensive story, and I hope someone may be able to help you.

Would you be so kind next time to use CODE tags to separate your story from computer statements/output? Much more effective than the bold, not bold (where I do not see when you use bold and when not). http://forums.opensuse.org/english/information-new-users/advanced-how-faq-read-only/451526-posting-code-tags-guide.html

In the file "/etc/sysconfig/nfs" I can see this section on 11.4:

## Path:                Network/File systems/NFS server
## Description:         GSS security for NFS
## Type:                yesno
## Default:             yes
## ServiceRestart:      nfs nfsserver
#
# Enable RPCSEC_GSS security for NFS (yes/no)
#
NFS_SECURITY_GSS="no"

Did you try changing this to yes? I've got no idea if it's the same setting but it shouldn't hurt to try :)

Since I recently filed a new bug report on a matter related to this, let me get back to this question.

First of all, in reply to the previous post: no, changing

NFS_SECURITY_GSS="no"

to

NFS_SECURITY_GSS="yes"

does not start the rpc.gssd process with the “-n” flag.
As far as I can tell at the moment there is no officially supported way in openSUSE to pass the “-n” flag to the rpc.gssd executable via a config file (but I could be wrong). Which means that you either have to start the executable manually, or change the config files by hand the way that I have described in my first post (and risk them being overridden when the nfs-client package is updated).
This might actually be a bug worth filing, and I probably will once I can verify I am not overlooking something and somehow it is possible.

As you can read in the rpc.gssd manual here the “-n” flag is needed for the following:

-n
By default, rpc.gssd treats accesses by the user with UID 0 specially, and uses “machine credentials” for all accesses by that user which require Kerberos authentication. With the -n option, “machine credentials” will not be used for accesses by UID 0. Instead, credentials must be obtained manually like all other users. Use of this option means that “root” must manually obtain Kerberos credentials before attempting to mount an nfs filesystem requiring Kerberos authentication.

Personally I would expect a flag for this to be adjustable in /etc/sysconfig/nfs (the equivalent of /etc/default/nfs-common in Ubuntu/Debian where the RPCGSSDOPTS="-n" option can be set). But these are all the flags I find there:

# cat /etc/sysconfig/nfs | grep =

USE_KERNEL_NFSD_NUMBER="4"
MOUNTD_PORT=""
NFS_SECURITY_GSS="yes"
NFS3_SERVER_SUPPORT="yes"
NFS4_SUPPORT="yes"
SM_NOTIFY_OPTIONS=""
NFS_START_SERVICES="yes"
STATD_OPTIONS=""
NFSV4LEASETIME=""
RPC_PIPEFS_DIR=""
SVCGSSD_OPTIONS=""
NFSD_OPTIONS=""

Now, getting back to the bug report I mentioned, in openSUSE 12.3, because it uses a post-3.7 kernel version there is a bug related to rpc.gssd in that even when you start rpc.gssd with the -n flag, mounting an NFSv4 mount via personal Kerberos credentials is no longer possible. The bug is explained in bugzilla under Bug 817651 - Kernel 3.7 and newer breaks rpc.gssd -n and thus update of nfs-client package for openSUSE 12.3 needed. It seems a fix for this is already available and hopefully the openSUSE maintainers will soon integrate this fix in the nfs-client package. Then all that remains is to allow for the "-n" flag to be passed on to the rpc.gssd daemon in an officially supported / persistent manner.

Getting back to this again. As it turns out there indeed was no way to properly set the -n flag for the rpc.gssd daemon, but there is now!

Well, there is an (unverified) patch out and available from here:
https://bugzilla.novell.com/show_bug.cgi?id=817651#c10

This adds a GSSD_OPTIONS setting to /etc/sysconfig/nfs to make it easier to set the -n flag (and a new -N flag). Happy Mounting
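The post above says the patch adds a GSSD_OPTIONS setting to /etc/sysconfig/nfs. As an added example (not the patch's code and not from the thread), the shell functions below show how such a setting would be consumed: read GSSD_OPTIONS from a sysconfig file without sourcing it, build the command line an init script would run in place of the hard-coded `startproc $GSSD_BIN` from the first post, and check for the combination that fails in this thread, namely no -n and no keytab. The variable name is the one the thread mentions; how the real openSUSE init script wires it in, the rpc.gssd path and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the patch from the bug report: how an init script could
# consume a GSSD_OPTIONS setting from /etc/sysconfig/nfs.

# sysconfig_get FILE VAR
# Print the value of VAR from a sysconfig-style file (VAR="x", VAR='x' or
# VAR=x, last definition wins) without sourcing the file, so a stray command
# in it is not executed by the checker.
sysconfig_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# gssd_start_cmd FILE
# The command an init script would run instead of the hard-coded
# "startproc $GSSD_BIN" (the binary path is an assumption).
gssd_start_cmd() {
    opts=$(sysconfig_get "$1" GSSD_OPTIONS)
    echo "/usr/sbin/rpc.gssd${opts:+ $opts}"
}

# gssd_config_check FILE KEYTAB
# Fail on the combination from this thread: no -n in GSSD_OPTIONS and no
# keytab, which makes every root-initiated krb5 mount fail with
# "no usable keytab entry found".
gssd_config_check() {
    opts=$(sysconfig_get "$1" GSSD_OPTIONS)
    case " $opts " in
        *" -n "*) return 0 ;;
    esac
    if [ -s "$2" ]; then
        return 0
    fi
    echo "GSSD_OPTIONS=\"$opts\" has no -n and $2 is missing: root mounts will fail" >&2
    return 1
}

# write_sample_sysconfig FILE
# Constructed sample of the relevant part of /etc/sysconfig/nfs, written to
# FILE so the functions can be exercised without touching the real one.
write_sample_sysconfig() {
    cat > "$1" <<'EOF'
## Description:         GSS security for NFS
NFS_SECURITY_GSS="yes"
NFS_START_SERVICES="yes"
SVCGSSD_OPTIONS=""
GSSD_OPTIONS="-n"
EOF
}

# Usage against the live file, as root:
#   gssd_config_check /etc/sysconfig/nfs /etc/krb5.keytab && eval "$(gssd_start_cmd /etc/sysconfig/nfs)"
```

The point of `sysconfig_get` over `. /etc/sysconfig/nfs` is only that a checker run by a non-root user, or against a copy of the file, does not execute whatever else the file contains; the init script itself still sources the file as root, so the setting is exactly as trusted as the rest of /etc/sysconfig.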

Getting back to this once more …

In the first post I suggested that passing the -n flag to rpc.gssd in Ubuntu could be done by setting the variable

RPCGSSDOPTS="-n"

in the file /etc/default/nfs-common
but this is not correct, as explained in this bug report: gssd ignores RPCGSSDOPTS in /etc/default/nfs-common

The correct way of doing it is by overriding the exec call to rpc.gssd used by the NFS daemon, which can be instated like this:
echo 'exec rpc.gssd -n' > /etc/init/gssd.override

(sorry, CODE tags not working here)
as is (now) also explained in the relevant HOWTO found here:
https://help.ubuntu.com/community/NFSv4Howto