
I have nfsserver and nfsclient machines.

On nfsserver:

# cat /etc/exports
/export        gss/krb5p(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export/home   gss/krb5p(rw,sync,no_subtree_check)

On nfsclient it mounts OK:

# mount -vvv -t nfs4 -o sec=krb5p nfsserver:/home /homex
mount: fstab path: "/etc/fstab"
mount: mtab path:  "/etc/mtab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
mount: UID:        0
mount: eUID:       0
mount: spec:  "nfsserver:/home"
mount: node:  "/homex"
mount: types: "nfs4"
mount: opts:  "sec=krb5p"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "nfsserver:/home"
mount: external mount: argv[2] = "/homex"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5p"
mount.nfs4: timeout set for Tue Apr 30 13:03:13 2013
mount.nfs4: trying text-based options 'sec=krb5p,addr=10.10.10.100,clientaddr=10.10.10.101'
nfsserver:/home on /homex type nfs4 (rw,sec=krb5p)

But I can only access this directory as root. A regular user gets:

$ ls /homex
ls: cannot access /homex: Permission denied

$ df /homex
df: `/homex': Permission denied
df: no file systems processed

I turned on all NFS debugging on both sides (nfsserver, nfsclient) with rpcdebug, but the only thing I see on the nfsclient while a regular user tries to access the mounted directory is:

Apr 30 12:51:19 nfsclient kernel: [ 5896.339330] NFS: permission(0:13/917551), mask=0x24, res=-13

Apr 30 12:51:32 nfsclient kernel: [ 5909.182185] NFS: revalidating (0:13/917551)
Apr 30 12:51:32 nfsclient kernel: [ 5909.189372] nfs_revalidate_inode: (0:13/917551) getattr failed, error=-13

There is nothing on the nfsserver side then (not even network traffic when sniffing with tcpdump).

File permissions seem to be OK:

# ls -ld /homex
drwxr-xr-x 3 root root 4096 Apr  5 18:15 /homex

# ls -l /homex
total 4
drwxr-xr-x 6 mike mike 4096 Apr 29 13:48 mike

# df /homex
Filesystem           1K-blocks      Used Available Use% Mounted on
nfsserver:/home
                  20640384   1390208  18201600   8% /homex

User mike has the same UID on both machines.

Mike

2 Answers


Kerberized NFS (any gss) requires Kerberos tickets. You'll have to use the much less secure sys security level if you want users to be able to access NFS without tickets.

It would be better to have users acquire tickets when they log in. Either by using sssd or pam_krb5 as part of your PAM auth stack, or by credential delegation for ssh (i.e. GSSAPIAuthentication yes and GSSAPIDelegateCredentials).

84104
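As an added example, not part of either post, a small POSIX sh script that reads the sec= flavour from a `mount` line in the format shown in the question and tells a non-root user whether a "Permission denied" is the client kernel refusing to send any RPC because no Kerberos ticket is present. It assumes an MIT or Heimdal `klist` (so `klist -s` exits 0 when a valid ticket cache exists) and that it is run as the affected user, not root.

```sh
#!/bin/sh
# Added example, not from the original post: classify an NFS mount's security
# flavour and explain why a regular user gets EACCES on the client before any
# RPC reaches the server (the case in the question: sec=krb5p and no ticket).

# Extract the sec= flavour from one line of `mount` output, e.g.
#   "nfsserver:/home on /homex type nfs4 (rw,sec=krb5p)"
# With no sec= option the kernel uses AUTH_SYS, so default to "sys".
nfs_sec_flavor() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\))[[:space:]]*$/\1/p')
    flavor=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p' | tail -n 1)
    printf '%s\n' "${flavor:-sys}"
}

# Kerberos flavours need a per-user credential cache; sys only needs a matching UID.
needs_ticket() {
    case "$1" in
        krb5|krb5i|krb5p) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide the cause of a "Permission denied".
#   $1: mount line   $2: "yes" if the user holds a valid TGT, "no" otherwise
# Prints one of: not-kerberos | no-ticket | ticket-ok
eacces_cause() {
    flavor=$(nfs_sec_flavor "$1")
    if ! needs_ticket "$flavor"; then
        echo not-kerberos   # AUTH_SYS: look at UID mapping and file modes instead
    elif [ "$2" = yes ]; then
        echo ticket-ok      # ticket present: check principal, rpc.gssd and idmapping
    else
        echo no-ticket      # kinit, or pam_krb5/sssd at login, or GSSAPI delegation via ssh
    fi
}

# Live check for one mount point (assumed: `mount` output format as in the
# question, and `klist -s` available). Run as the affected user, not as root.
diagnose_mountpoint() {
    line=$(mount | grep " on $1 type nfs" || true)
    [ -n "$line" ] || { echo "$1 is not an NFS mount" >&2; return 2; }
    if klist -s 2>/dev/null; then has=yes; else has=no; fi
    eacces_cause "$line" "$has"
}

# Usage: sh nfs-eacces.sh /homex
if [ $# -gt 0 ]; then diagnose_mountpoint "$1"; fi
```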

So the user can access the NFS mount after acquiring a Kerberos ticket with kinit.

But how do I let the user access the NFS mount without a ticket?

Mike