On 17/11/15 15:28, James Ralston wrote:
> On Mon, Nov 16, 2015 at 9:22 AM, Simo Sorce <simo(a)redhat.com>
> > Patches were released with 0.4.0.
>
> I rebuilt gssproxy-0.4.1-2.fc23.src.rpm for RHEL7 and installed it on
> the NFS server, and indeed, I can perform NFS v4.0 mounts against the
> server now. So it would seem that we are indeed being hit by
>
> Thanks much for pointing us in this direction; it's very unlikely we
> would've figured this out on our own!
>
> > Btw if you are a RH customer open a case and we can help you with a
> > hotfix until the package is released for general availability (real
> > soon now anyway I think).
>
> Yes, we are a RH customer, and we will pile on. :-)
>
> Two other quick questions, if you have anything to add:
>
> 1. Although mounting with nfsvers=4.0 works fine, when I attempt to
> mount with nfsvers=4.1 or nfsvers=4.2 (if I explicitly enable it), the
> server returns NFS4ERR_WRONG_CRED in response to the CREATE_SESSION
> request. (gssproxy doesn't log anything different.)
>
> Red Hat claims to support NFSv4.1 clients and servers on RHEL7. Do
> you know if NFS 4.1/4.2 support is also a known issue with sec=krb5
> with Microsoft AD, or is this an issue you haven't heard about?

I am not aware of any difference in the kernel or userspace code when it
comes to rpcgss handling; please open a case/bugzilla if you are seeing
something beyond BZ#1213852.

> We really want to use NFS 4.1 instead of 4.0, because otherwise we
> have to change many firewall rules to permit callbacks from the server
> to the clients. (NFS 4.2 would be even better, because that would get
> us SELinux file context support.)

Yeah I share your preference :)

> 2. On the NFS client, is there a way to tell gssproxy to use the
> $KRB5CCNAME credentials if I sudo to root, instead of using the
> client's host credentials from /etc/krb5.keytab? Because otherwise,
> users who sudo to root will lose all access to their NFS-mounted home
> directories (unless they temporarily give the client's host
> credentials access to their home directories before they sudo).

I think what you want is achieved with the rpc.gssd -n argument (see
the rpc.gssd manpage); you can set arguments in /etc/sysconfig/nfs and then
restart nfs-config.service and nfs-secure.service.

Simo Sorce * Red Hat, Inc * New York