I have a working kerberized NFS server. It works fine with MacOS, Debian (Sid), and Raspbian. It doesn't work with Impish Indri, and I can't figure out why.
- GSSAPI Logins with SSH work fine with Impish
- I have the nfs/ key, and it's not using the deprecated ciphers:
sudo klist -e -k /etc/krb5.keytab

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------
   4 nfs/[email protected] (aes256-cts-hmac-sha1-96)
   4 nfs/[email protected] (aes128-cts-hmac-sha1-96)
   4 host/[email protected] (aes256-cts-hmac-sha1-96)
   4 host/[email protected] (aes128-cts-hmac-sha1-96)

/srv/video *(rw,async,mp,root_squash,no_subtree_check,insecure,sec=krb5p)
And as I said - on any OS I've tried except impish, mounts work.
On impish, however, I always get:
mount -t nfs4 -o rw,soft,sec=krb5p server.foo.net:/srv/video /mnt
mount.nfs4: an incorrect mount option was specified
I cranked up the logging via RPCGSSDOPTS="-vvvrr" on the client, and its friend RPCSVCGSSDOPTS="-vvvrr" on the server.
If any other host tries to mount via NFS -- rpc.svcgssd has the usual output on the server:
Jan 13 08:44:33 server rpc.svcgssd[1681508]: leaving poll
Jan 13 08:44:33 server rpc.svcgssd[1681508]: handling null request
Jan 13 08:44:33 server rpc.svcgssd[1681508]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 6 enctypes from the kernel
Jan 13 08:44:33 server rpc.svcgssd[1681508]: sname = [email protected]
Jan 13 08:44:33 server rpc.svcgssd[1681508]: doing downcall
Jan 13 08:44:33 server rpc.svcgssd[1681508]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1642124615 (35942 from now), clnt: <null>, uid: 1000, gid: 1000, num aux grps: 21:
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 1) 1000
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 2) 27
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 3) 100
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 4) 123
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 5) 30
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 6) 1005
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 7) 4
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 8) 20
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 9) 24
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 10) 29
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 11) 34
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 12) 40
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 13) 44
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 14) 46
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 15) 102
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 16) 116
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 17) 1006
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 18) 111
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 19) 151
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 20) 157
Jan 13 08:44:33 server rpc.svcgssd[1681508]: ( 21) 1011
Jan 13 08:44:33 server rpc.svcgssd[1681508]: sending null reply
Jan 13 08:44:33 server rpc.svcgssd[1681508]: writing message: <String of hex data>
Jan 13 08:44:33 server rpc.svcgssd[1681508]: finished handling null request
Jan 13 08:44:33 server rpc.svcgssd[1681508]: entering poll
and rpc.gssd has the expected output on the client:
handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,3,1,2' (nfs/clnt25)
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: krb5_use_machine_creds: uid 0 tgtname (null)
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: Full hostname for 'server.foo.net' is 'server.foo.net'
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: Full hostname for 'tock.foo.net' is 'tock.foo.net'
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: Success getting keytab entry for 'nfs/[email protected]'
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_FOO.NET' are good until 1642095679
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_FOO.NET' are good until 1642095679
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: creating tcp client for server server.foo.net
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: DEBUG: port already set to 2049
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: creating context with server [email protected]
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: in authgss_create_default()
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: in authgss_create()
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: in authgss_refresh()
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: The token being sent (length 673):
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: in authgss_marshal()
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: xdr_rpc_gss_buf: encode success ((nil):0)
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: xdr_rpc_gss_cred: encode success (v 1, proc 1, seq 0, svc 1, ctx (nil):0)
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: in authgss_wrap()
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: xdr_rpc_gss_buf: encode success (0x7620c680:673)
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: xdr_rpc_gss_init_args: encode success (token 0x7620c680:673)
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: in authgss_validate()
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: in authgss_unwrap()
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: xdr_rpc_gss_buf: decode success (0x7620ea50:4)
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: xdr_rpc_gss_buf: decode success (0x762047a8:156)
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: xdr_rpc_gss_init_res decode success (ctx 0x7620ea50:4, maj 0, min 0, win 128, token 0x762047a8:156)
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: The token we just received (length 156):
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: in authgss_get_private_data()
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: doing downcall: lifetime_rec=7007 [email protected]
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: in authgss_free_private_data()
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: in authgss_destroy()
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]: in authgss_destroy_context()
Jan 13 08:44:32 tock.foo.net rpc.gssd[5440]:
-- and it works on MacOS, Debian (Sid), Raspbian, etc.
However, when I try to use impish -- nothing hits the server (no logs for rpc.svcgssd), and rpc.gssd doesn't show any activity on the client. I'd love to show what is happening, but impish is not providing any data except "an incorrect mount option was specified" whenever sec=krb5p is supplied.
I don't get it. Is kerberized NFS broken in impish?
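As an added example (not code from the post above, and not a diagnosis of its mount error), the script below does the offline sanity checks an admin would run over the three artefacts the question quotes: a `klist -e -k` listing, an `/etc/exports` line and the mount's `-o` options. It parses the keytab listing, confirms an `nfs/<host>@REALM` key is present, flags keys whose enctype is on the script's own deprecated list (single-DES, 3DES, RC4), and checks that the security flavour the mount asks for is one the export's `sec=` list allows. Host names, realm and the export line are constructed sample values; `DEPRECATED_ENCTYPES` and the "missing `sec=` means sys" simplification are the example's own assumptions.

```python
"""Offline consistency checks for a kerberized NFS setup.

Added example, not code from the original post.  All sample inputs below are
constructed (example.test hosts, EXAMPLE.TEST realm), not the post's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Enctypes this example treats as deprecated: MIT Kerberos removed single-DES
# in 1.18 and deprecated 3DES and RC4 (arcfour-hmac) in 1.19.
DEPRECATED_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp",
}

# One `klist -e -k` body line: "   4 nfs/host@REALM (aes256-cts-hmac-sha1-96)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str  # service/host@REALM
    enctype: str


def parse_keytab_listing(text: str) -> list[KeytabEntry]:
    """Parse `klist -e -k` output; the header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_keytab(entries: list[KeytabEntry], service: str, host: str) -> list[str]:
    """Findings for one host's keytab; an empty list means nothing stood out."""
    findings = []
    if not any(e.principal.startswith(f"{service}/{host}@") for e in entries):
        findings.append(f"no {service}/{host}@REALM key in keytab (rpc.gssd and rpc.svcgssd need one)")
    for e in entries:
        if e.enctype.lower() in DEPRECATED_ENCTYPES:
            findings.append(f"{e.principal} kvno {e.kvno} uses deprecated enctype {e.enctype}")
    return findings


def parse_exports_line(line: str) -> tuple[str, dict[str, set[str]]]:
    """Split '/path client(opts) client2(opts)' into (path, {client: set(opts)})."""
    path, *client_specs = line.split()
    clients: dict[str, set[str]] = {}
    for spec in client_specs:
        name, _, opts = spec.partition("(")
        clients[name] = set(filter(None, opts.rstrip(")").split(",")))
    return path, clients


def allowed_flavours(export_opts: set[str]) -> list[str]:
    """Security flavours an export accepts; exports(5) defaults to sys when sec= is absent."""
    for opt in export_opts:
        if opt.startswith("sec="):
            return opt[4:].split(":")
    return ["sys"]


def check_mount_against_export(mount_opts: str, export_opts: set[str]) -> list[str]:
    """Compare a client's -o options with one export's option set."""
    findings = []
    requested = "sys"  # simplification: treat a missing sec= as AUTH_SYS
    for opt in mount_opts.split(","):
        if opt.startswith("sec="):
            requested = opt[4:]
    flavours = allowed_flavours(export_opts)
    if requested not in flavours:
        findings.append(f"mount asks for sec={requested} but export only allows {':'.join(flavours)}")
    # With AUTH_SYS the server trusts the client's claimed uid, and 'insecure'
    # also drops the privileged-source-port check; with krb5* the identity
    # comes from the Kerberos context, so the port check matters much less.
    if "sys" in flavours and "insecure" in export_opts:
        findings.append("export allows sec=sys from non-privileged ports (insecure): uid is unauthenticated")
    return findings


# Constructed sample inputs (not the post's real hosts or realm).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------
   4 nfs/nfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 nfs/nfs1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 host/nfs1.example.test@EXAMPLE.TEST (arcfour-hmac)
"""
SAMPLE_EXPORT = "/srv/video *(rw,async,root_squash,no_subtree_check,sec=krb5p)"
SAMPLE_MOUNT_OPTS = "rw,soft,sec=krb5p"

if __name__ == "__main__":
    keytab = parse_keytab_listing(SAMPLE_KLIST)
    print("keytab:", check_keytab(keytab, "nfs", "nfs1.example.test") or "ok")
    _, clients = parse_exports_line(SAMPLE_EXPORT)
    print("mount:", check_mount_against_export(SAMPLE_MOUNT_OPTS, clients["*"]) or "ok")
```

Run it against your own `klist -e -k` output and exports line; a `sec=` mismatch shows up as a server-side access denial rather than a client mount-option error, so a clean result from these checks points the investigation at the client's rpc.gssd and mount.nfs4 rather than at the keytab or the export.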