No NFS mount when I start kernel 5.11

Hi@all,

I have Ubuntu 20.04 clients here. I have integrated them into the UCS domain using ADS-Join. The clients get their home directory from the UCS master. Mounting works with a started kernel 5.4.

root@pc002:~# showmount -e srv01.gehr.local
Export list for srv01.gehr.local:
/home gss/krb5i
root@pc002:~# mount |grep /home
srv01.gehr.local:/home/g.kopf on /home/g.kopf type nfs4 (rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5i,clientaddr=192.168.24.93,fsc,local_lock=none,addr=192.168.24.5,_netdev)

If I now start on the same machine with kernel 5.11, I cannot mount the home directory via NFS.

root@pc002:~# mount -vvvv -t nfs4 -o sec=krb5 srv01.gehr.local:/home /home
mount.nfs4: timeout set for Wed Jul 14 14:03:43 2021
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=192.168.24.5,clientaddr=192.168.24.93'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting srv01.gehr.local:/home

Does anyone have an idea what the problem could be?

with best
sven

I think I have a first clue. It seems to be the Kerberos ticket. Start:

  • Same machine
  • Same user

and display the Kerberos tickets: they are different, depending on whether I start kernel 5.4 or 5.11.

++ Kernel 5.4 ++

g.kopf@pc002:~$ klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1049601150_k9TQia
Standard-Principal: g.kopf@GEHR.LOCAL

Valid starting       Expires              Service principal
14.07.2021 14:34:07  15.07.2021 00:34:07  krbtgt/GEHR.LOCAL@GEHR.LOCAL
	erneuern bis 15.07.2021 14:34:07
14.07.2021 14:34:09  15.07.2021 00:34:07  nfs/srv01.gehr.local@
	erneuern bis 15.07.2021 14:34:07
14.07.2021 14:34:09  15.07.2021 00:34:07  nfs/srv01.gehr.local@GEHR.LOCAL
	erneuern bis 15.07.2021 14:34:07


++ Kernel 5.11 ++

g.kopf@pc002:~$ klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1049601150_IfoJUm
Standard-Principal: g.kopf@GEHR.LOCAL

Valid starting       Expires              Service principal
14.07.2021 14:36:21  15.07.2021 00:36:21  krbtgt/GEHR.LOCAL@GEHR.LOCAL
	erneuern bis 15.07.2021 14:36:21
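
The comparison made in the post above, as an added example that is not part of the original thread: a small Python parser that reads `klist` output and reports whether an `nfs/` service ticket sits next to the TGT. The two sample inputs are the listings from the post; the function names and status strings are assumptions made for this example.

```python
import re

# Sample input: the two klist listings from the post above (German locale),
# embedded here so the example runs offline.
KLIST_5_4 = """\
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1049601150_k9TQia
Standard-Principal: g.kopf@GEHR.LOCAL

Valid starting       Expires              Service principal
14.07.2021 14:34:07  15.07.2021 00:34:07  krbtgt/GEHR.LOCAL@GEHR.LOCAL
\terneuern bis 15.07.2021 14:34:07
14.07.2021 14:34:09  15.07.2021 00:34:07  nfs/srv01.gehr.local@
\terneuern bis 15.07.2021 14:34:07
14.07.2021 14:34:09  15.07.2021 00:34:07  nfs/srv01.gehr.local@GEHR.LOCAL
\terneuern bis 15.07.2021 14:34:07
"""
KLIST_5_11 = """\
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1049601150_IfoJUm
Standard-Principal: g.kopf@GEHR.LOCAL

Valid starting       Expires              Service principal
14.07.2021 14:36:21  15.07.2021 00:36:21  krbtgt/GEHR.LOCAL@GEHR.LOCAL
\terneuern bis 15.07.2021 14:36:21
"""

# A ticket row is: start date+time, expiry date+time, service principal.
# Matching on the row shape, not on labels, keeps this locale-independent.
ROW = re.compile(r"^(\S+ \S+)\s{2,}(\S+ \S+)\s{2,}(\S+/\S+@\S*)\s*$")

def service_principals(klist_text):
    """Return the service principals listed in klist output, in order."""
    return [m.group(3) for line in klist_text.splitlines()
            if (m := ROW.match(line))]

def nfs_ticket_status(klist_text, server):
    """Classify a credential cache for a sec=krb5* mount of `server`."""
    principals = service_principals(klist_text)
    if not any(p.startswith("krbtgt/") for p in principals):
        return "no-tgt"              # no TGT at all: the user never authenticated
    wanted = f"nfs/{server}@".lower()
    if any(p.lower().startswith(wanted) for p in principals):
        return "nfs-ticket-present"  # the kernel 5.4 listing
    return "tgt-only"                # the kernel 5.11 listing: TGT, no nfs/ ticket

if __name__ == "__main__":
    for name, text in (("5.4", KLIST_5_4), ("5.11", KLIST_5_11)):
        print(name, nfs_ticket_status(text, "srv01.gehr.local"))
```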

I had the same issue with kernel 5.8-hwe-edge. Now with 5.8-hwe it’s working fine. I hope the issue will be resolved with 5.11-hwe too.

I found the following:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979764

@pixel Have you found a solution with kernel 5.11?

By the way, there is an aes256-cts-hmac-sha1-96 key for the NFS SPN.

Unfortunately no. I gave up after a few hours :frowning:

Works again with 5.13 kernel (hwe-edge).

EDIT: Or not. But it works in a pure samba AD domain. Maybe we have to update the nfs service principal user / server keytab.

I have also tested it with 5.13 (with system on which it works with 5.8) and it does not work.

I have not tried updating the nfs service principal user / server keytab. I would first have to see how to do that. The installation/setup was already a while ago.

I have continued to try to solve the problem or have solved it. Now I have to see how I solved it.

I have installed a completely new UCS5 environment in KVM as a test site and tried various solutions from the internet. Now an NFSv4 with Kerberos (/home) is running on the UCS5 that I can mount from clients with kernel >= 5.10 with “krb5i” without any problems.

I have tested this with “KDE Neon - User” and Ubuntu 22.04 (Beta). Both use kernel 5.13.

Now I have to see what I did differently to make it work. I will let you know.


Here is a possible solution:

Can it be harmful to set these attributes?

msDS-NcType: 0
serverState: 1

The problem has taken care of itself. I don’t know exactly with which kernel version, I think since 5.15, it works without problems. Currently I use 6.1.

The upgrade to UCS 5 fixed the issue for me :slight_smile:
