On Mon, Nov 16, 2015 at 9:22 AM, Simo Sorce <simo(a)redhat.com> wrote:
> Patches were released with 0.4.0.
I rebuilt gssproxy-0.4.1-2.fc23.src.rpm for RHEL7 and installed it on
the NFS server, and indeed, I can perform NFS v4.0 mounts against the
server now. So it would seem that we are indeed being hit by
BZ#1213852.
Thanks much for pointing us in this direction; it's very unlikely we
would've figured this out on our own!
> Btw if you are a RH customer open a case and we can help you with a
> hotfix until the package is released for general availability (real
> soon now anyway I think).
Yes, we are a RH customer, and we will pile on. :-)
Two other quick questions, if you have anything to add:
1. Although mounting with nfsvers=4.0 works fine, when I attempt to
mount with nfsvers=4.1 or nfsvers=4.2 (if I explicitly enable it), the
server returns NFS4ERR_WRONG_CRED in response to the CREATE_SESSION
request. (gssproxy doesn't log anything different.)
Red Hat claims to support NFSv4.1 clients and servers on RHEL7. Do
you know if NFS 4.1/4.2 support is also a known issue with sec=krb5
with Microsoft AD, or is this an issue you haven't heard about?
We really want to use NFS 4.1 instead of 4.0, because otherwise we
have to change many firewall rules to permit callbacks from the server
to the clients. (NFS 4.2 would be even better, because that would get
us SELinux file context support.)
2. On the NFS client, is there a way to tell gssproxy to use the
$KRB5CCNAME credentials if I sudo to root, instead of using the
client's host credentials from /etc/krb5.keytab? Because otherwise,
users who sudo to root will lose all access to their NFS-mounted home
directories (unless they temporarily give the client's host
credentials access to their home directories before they sudo).
Thanks,
James