Gentoo Forums
NFS permission denied oddity
Networking & Security
KShots
Guru
Posted: Wed Sep 14, 2022 4:05 pm    Post subject: NFS permission denied oddity

No problem mounting the share... but writing to it gives me "permission denied" errors.

On the server side:
Code:
hydra ~ # exportfs -v
/export          10.4.12.0/23(sync,wdelay,hide,fsid=0,sec=krb5p:krb5i:krb5,rw,secure,no_root_squash,no_all_squash)
/export/repos    10.4.12.0/23(sync,wdelay,hide,no_subtree_check,sec=krb5i,rw,secure,no_root_squash,no_all_squash)
/export/distfiles
      10.4.12.0/23(sync,wdelay,hide,no_subtree_check,sec=krb5i,rw,secure,root_squash,no_all_squash)
/export/binpkgs
      10.4.12.0/23(sync,wdelay,hide,no_subtree_check,sec=krb5i,rw,secure,root_squash,no_all_squash)


Client side:
Code:
root@incubus:~$ systemctl cat var-db-repos.mount
# /etc/systemd/system/var-db-repos.mount
[Unit]
Description=Portage Repositories
[Mount]
What=hydra.warfaresdl.com:repos
Where=/var/db/repos
Type=nfs4
Options=rw,sec=krb5i
root@incubus:~$ mount | grep repos
systemd-1 on /var/db/repos type autofs (rw,relatime,fd=38,pgrp=1,timeout=0,minproto=5,maxproto=5,direct)
hydra.warfaresdl.com:/repos on /var/db/repos type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5i,clientaddr=10.4.12.200,local_lock=none,addr=10.4.12.4)
root@incubus:~$ ls -la /var/db/repos/
total 110
drwxr-xr-x  11 root root  11 Sep 14 11:52 .
drwxr-xr-x   7 root root   8 Sep 14 11:40 ..
drwxr-xr-x  26 root root  31 Sep 12 21:24 cg
drwxr-xr-x 177 root root 182 Sep 14 00:00 gentoo
drwxr-xr-x 130 root root 137 Sep 12 21:24 guru
drwxr-xr-x  29 root root  29 Apr 29 16:11 local
drwxr-xr-x   7 root root   8 Sep 12 21:24 nordvpn
drwxr-xr-x  11 root root  14 Sep 12 21:04 plex-overlay
drwxr-xr-x  10 root root  13 Sep 12 21:24 steam-overlay
drwxr-xr-x  24 root root  28 Sep 12 21:24 vayerx
drwxr-xr-x  36 root root  39 Sep 12 21:24 zGentoo

... but if I try to write there, as root, I get the following:
Code:
root@incubus:~$ touch /var/db/repos/test
touch: cannot touch '/var/db/repos/test': Permission denied

Basically, I noticed this when attempting to set portage up to utilize NFS for my clients - it complains about not being able to write to the repo when I try to emerge anything (Apparently emerge now writes to the repo - it didn't many years ago when I did this before).

From what I can tell, idmapd is working properly - the client sees reasonable UID/GID pairings. The share in the exports file has no_root_squash enabled, and I've enabled it all the way up to the FSID root (and made the FSID root rw). What's causing this?
_________________
Life without passion is death in disguise
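The behaviour in this post (the share mounts, root can read, but root cannot write even with no_root_squash) is a direct consequence of how identity works under sec=krb5*. The following script is an added illustration written for this page; it is not code posted by KShots or alamahant. It parses the `exportfs -v` listing above and works out which UID nfsd acts with for a request under the negotiated security flavour: with AUTH_SYS the server trusts the client's numeric UID, with RPCSEC_GSS it derives the UID from the Kerberos principal via idmapd and ignores the client's own UID, and root_squash/no_root_squash is applied to whichever UID results. The UID 1500 for rich is an assumption taken from the `krb5cc_1500` cache name in the later klist output; 65534 is nfsd's default anonymous UID; the directory mode 755 is from the ls output.

```python
"""Added example for this thread (not from the original posts): parse the
`exportfs -v` listing above and work out which identity nfsd acts with for a
request, depending on the negotiated sec= flavour.

Identity rules follow Linux nfsd behaviour: AUTH_SYS (sec=sys) trusts the
client's numeric UID; RPCSEC_GSS (sec=krb5*) derives the UID from the
Kerberos principal via idmapd, so the client's own UID is ignored.
root_squash/no_root_squash is applied to whichever UID results.
"""
import re
from dataclasses import dataclass, field

ANON_UID = 65534  # nfsd's default anonuid, i.e. what "squashed" root becomes
GSS_FLAVORS = ("krb5", "krb5i", "krb5p")


@dataclass
class Export:
    path: str
    client: str
    options: dict = field(default_factory=dict)

    @property
    def sec_flavors(self):
        # "sec=krb5p:krb5i:krb5" -> ["krb5p", "krb5i", "krb5"]; no sec= means sys
        return self.options.get("sec", "sys").split(":")

    @property
    def root_squash(self):
        # exportfs -v prints one of the two; the default is to squash
        return "no_root_squash" not in self.options


def parse_exportfs(text):
    """Parse `exportfs -v` output. A long path is printed on its own line
    with the client(options) part wrapped onto the next line, so join those."""
    exports, pending_path = [], None
    entry = re.compile(r"^(\S+)\((.*)\)$")
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts:
            continue
        if len(parts) == 2:              # "/path   client(opts)" on one line
            path, rest = parts
        elif pending_path is not None:   # continuation of a wrapped entry
            path, rest = pending_path, parts[0]
            pending_path = None
        else:                            # bare path; options follow next line
            pending_path = parts[0]
            continue
        m = entry.match(rest)
        if not m:
            raise ValueError(f"unrecognised exportfs line: {raw!r}")
        client, opts = m.groups()
        # "sec=krb5i" -> ("sec", "krb5i"); "rw" -> ("rw", "")
        options = dict(opt.partition("=")[::2] for opt in opts.split(","))
        exports.append(Export(path, client, options))
    return exports


def effective_uid(export, flavor, client_uid, principal_uid=None):
    """UID the server acts with for one request on `export`.

    client_uid    UID of the process on the client (consulted only for sys).
    principal_uid UID idmapd maps the caller's Kerberos principal to, or None
                  when the caller holds no ticket (then no GSS context can be
                  set up and the request never gets an identity at all).
    """
    if flavor not in export.sec_flavors:
        raise PermissionError(f"sec={flavor} not permitted on {export.path}")
    if flavor in GSS_FLAVORS:
        if principal_uid is None:
            raise PermissionError("no Kerberos credential for this user")
        uid = principal_uid              # the client's own UID is irrelevant
    else:
        uid = client_uid
    if uid == 0 and export.root_squash:
        return ANON_UID
    return uid


def may_write(uid, owner_uid, mode):
    """Owner/other write-bit check; group membership is left out
    (assumption: the caller is not in the owning group)."""
    return bool(mode & (0o200 if uid == owner_uid else 0o002))


# Constructed copy of the server-side listing from the first post.
EXPORTFS_OUTPUT = """\
/export          10.4.12.0/23(sync,wdelay,hide,fsid=0,sec=krb5p:krb5i:krb5,rw,secure,no_root_squash,no_all_squash)
/export/repos    10.4.12.0/23(sync,wdelay,hide,no_subtree_check,sec=krb5i,rw,secure,no_root_squash,no_all_squash)
/export/distfiles
      10.4.12.0/23(sync,wdelay,hide,no_subtree_check,sec=krb5i,rw,secure,root_squash,no_all_squash)
/export/binpkgs
      10.4.12.0/23(sync,wdelay,hide,no_subtree_check,sec=krb5i,rw,secure,root_squash,no_all_squash)
"""

if __name__ == "__main__":
    repos = {e.path: e for e in parse_exportfs(EXPORTFS_OUTPUT)}["/export/repos"]
    # root on the client, holding rich's ticket (uid 1500 assumed from krb5cc_1500)
    uid = effective_uid(repos, "krb5i", client_uid=0, principal_uid=1500)
    print("server acts as uid", uid, "-> may write root:root 755 dir:", may_write(uid, 0, 0o755))
```

Run stand-alone it reports that the touch from the first post is evaluated as UID 1500, not 0, so a root-owned 755 directory refuses the write; no_root_squash never enters into it because no UID 0 reaches the server. The same function shows the two ways out the thread later discusses: a principal that idmapd maps to UID 0 is honoured on /export/repos (no_root_squash) but squashed on /export/distfiles (root_squash), and dropping sec=krb5i back to sys makes the server trust the client's UID 0 again.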
alamahant
Advocate
Posted: Wed Sep 14, 2022 4:24 pm

Have you created service principals for nfs and host both in server and client?
Plz run
Code:

kadmin.local listprincs | grep -E "host|nfs"

Plz use
Code:

kinit

to obtain a ticket before touching file.
Probably you need to create principals for portage also.
Code:

kadmin.local ank -randkey portage
kadmin.local ktadd portage


You have to add a root principal thus
Code:

kadmin.local ank root/admin

and have a file /var/lib/krb5kdc/kadm5.acl containing
Code:

*/admin@<YOUR-REALM> *

Also unmount all shares and "chmod 777" the mount points.
_________________
:)
Last edited by alamahant on Wed Sep 14, 2022 5:18 pm; edited 4 times in total

KShots
Guru
Posted: Wed Sep 14, 2022 4:31 pm

alamahant wrote:
Is your machine the kdc hosting machine?
No
alamahant wrote:
Have you created service principals for nfs and host?
Yes
alamahant wrote:
Plz run
Code:

kadmin.local listprincs | grep -E "host|nfs"
... after ssh'ing into the kdc...
Code:
root@kerberos1:~ # kadmin.local listprincs | grep -E "host|nfs"
host/efreet.mydomain.com@MYDOMAIN.COM
host/gorgon.mydomain.com@MYDOMAIN.COM
nfs/gorgon.mydomain.com@MYDOMAIN.COM
host/graendal.mydomain.com@MYDOMAIN.COM
nfs/graendal.mydomain.com@MYDOMAIN.COM
host/mail1.mydomain.com@MYDOMAIN.COM
host/ldap1.mydomain.com@MYDOMAIN.COM
host/kerberos1.mydomain.com@MYDOMAIN.COM
host/incubus.mydomain.com@MYDOMAIN.COM
nfs/incubus.mydomain.com@MYDOMAIN.COM
host/hydra.mydomain.com@MYDOMAIN.COM
nfs/hydra.mydomain.com@MYDOMAIN.COM
(domain/realm masked as above)
alamahant wrote:
Plz use
Code:

kinit

to obtain a ticket before touching file.
Code:
root@incubus:~$ kinit
Password for rich@MYDOMAIN.COM:
root@incubus:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1500_ntbPbf
Default principal: rich@MYDOMAIN.COM

Valid starting       Expires              Service principal
09/14/2022 12:24:57  09/15/2022 04:24:57  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
   renew until 09/15/2022 12:24:55
root@incubus:~$ touch /var/db/repos/test
touch: cannot touch '/var/db/repos/test': Permission denied
... still no good
alamahant wrote:
Probably you need to create principals for portage also.
... actually... that may be what's going on... but not as stated. Nothing in the repos directory tree is owned by portage - it's all owned by root. Maybe with a "root" principal... but then that gets VERY messy/insecure. I kinda liked the idea of validating the integrity (krb5i under sec= options), but maybe that won't work...
_________________
Life without passion is death in disguise
Last edited by KShots on Wed Sep 14, 2022 4:43 pm; edited 1 time in total

alamahant
Advocate
Posted: Wed Sep 14, 2022 4:38 pm

Plz see my updated post above.
Also I worry about this
Code:

Password for rich@MYDOMAIN.COM:


Shouldn't it be root instead?
In my case
Code:

kinit
Password for root@<REALM>:

_________________
:)
Last edited by alamahant on Wed Sep 14, 2022 4:49 pm; edited 1 time in total

KShots
Guru
Posted: Wed Sep 14, 2022 4:49 pm

alamahant wrote:
Plz see my updated post above.
Also I worry about this
Code:

Password for rich@MYDOMAIN.COM:


Shouldn't it be root instead?
... at the moment, the root user has no principal defined. I'm beginning to think that if I defined one for root, this might work... but it's not really what I'm trying to do (and might have other security implications). I think NFS is doing what it's designed to do with kerberos, and that there's a basic flaw in my approach. I can either attempt again after creating a root principal, or back down from using kerberized NFS for this purpose. The latter probably makes more sense.

EDIT: Yep, turning off the krb5i security option allowed me to write there as expected. I could probably also have added a root principal, but then I would have to kinit the root principal every time I wanted to emerge something (rather than use my user's principal).
_________________
Life without passion is death in disguise
Last edited by KShots on Wed Sep 14, 2022 4:55 pm; edited 1 time in total

alamahant
Advocate
Posted: Wed Sep 14, 2022 4:51 pm

Before changing course plz add the root/admin and portage principals as I mentioned above and let me know if portage works.
I am really curious...
But yes, you don't need kerberized nfs for portage.
:)
_________________
:)
KShots
Guru
Posted: Wed Sep 14, 2022 4:56 pm

alamahant wrote:
Before changing course plz add the root/admin and portage principals as I mentioned above and let me know if portage works.
I am really curious...
But yes, you don't need kerberized nfs for portage.
:)
... I'll do a quick test

EDIT: As I poke at this, it clearly won't work... kinit doesn't store more than one principal - you can either have a root/admin ticket, or a portage ticket... but not both (and you can't have your user ticket if you replace it with the root or portage ticket). The repo is all owned by root, and the distfiles are all owned by portage... it's kinda a non-starter for this kind of approach.
_________________
Life without passion is death in disguise
alamahant
Advocate
Posted: Wed Sep 14, 2022 5:12 pm

No, no.
The portage principal I created with a key.
Just add the portage principal and the key as above and emerge something.
The root/admin was only to touch the file you wanted.
_________________
:)
KShots
Guru
Posted: Wed Sep 14, 2022 10:21 pm

alamahant wrote:
No, no.
The portage principal I created with a key.
Just add the portage principal and the key as above and emerge something.
The root/admin was only to touch the file you wanted.
Hmm... I can see that working for one client... but any time you add a keytab entry, it gets a kvno associated with it, and that's unique to each client... and really doesn't work well for users - it's really for services. If I have multiple clients, one would have kvno 1, another would have kvno 2 (which would invalidate 1), and so on. Beyond that, it has to be root because the entire tree is owned by root with a 755 directory permission structure (644 for files).
_________________
Life without passion is death in disguise