Strange NFS Problem After Using Kerberos Plugin

    • OMV 2.x
    • Strange NFS Problem After Using Kerberos Plugin

      OMV 2.1.20
      I was messing around with the Kerberos plugin to see if it was better than my manual configuration. I couldn't get it to work, which is beside the point of this thread, but I ended up uninstalling it. Now when I try to configure NFS shares, some weird "krb" text is being inserted into the NFSv4 section and breaking NFS (nfs-kernel-server fails to start).

      Here is how my exports file looks when configuring through the interface:

      Source Code

      1. root@***:/etc# cat exports
      2. # /etc/exports: the access control list for filesystems which may be exported
      3. # to NFS clients. See exports(5).
      4. /export/ISO 10.10.10.0/24(rw,subtree_check,secure)
      5. /export/VM 10.10.10.0/24(rw,subtree_check,secure)
      6. # NFSv4 - pseudo filesystem root
      7. /export 10.10.10.0/24(,sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5)


      If I change it to the following, everything works as expected, but any further changes through the interface break it:

      Source Code

      1. root@***:/etc# cat exports
      2. # /etc/exports: the access control list for filesystems which may be exported
      3. # to NFS clients. See exports(5).
      4. /export/ISO 10.10.10.0/24(rw,subtree_check,secure)
      5. /export/VM 10.10.10.0/24(rw,subtree_check,secure)
      6. # NFSv4 - pseudo filesystem root
      7. /export 10.10.10.0/24(rw,fsid=0,subtree_check,secure)


      Any help is appreciated!
    • subzero79 wrote:

      I have no idea how the plugin configures the root of export (nfs4) but my guess it uses environment variables. Can you post here

      cat /etc/default/openmediavault


      That's definitely it, here is the relevant line from that file:

      Source Code

      1. ​OMV_NFSD_V4_DEFAULT_EXPORT_OPTIONS=",sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5,sec=krb5p:krb5i:krb5"


      So my question now is what should that be and how in the world did it end up messed up?
    • subzero79 wrote:

      Just delete that line. Restart engined
      service openmediavault-engined restart

      Make a change in nfs and check the exports

      cc <a href="http://forums.openmediavault.org/index.php/User/6136-ikogan/">@ikogan</a> to tweak the postrm file to bring back to default nfs after purging the plugin.

      That fixed it, thank you!! The OMV_NFSD_V4_DEFAULT_EXPORT_OPTIONS parameter wasn't added back to the default file, is that ok?
    • ikogan wrote:

      Hey there, sorry for the lack of reply, I was on vacation. <a href="http://forums.openmediavault.org/index.php/User/7905-grokdesigns/">@grokdesigns</a>, what about the plugin didn't work for you besides breaking NFS? I notice that it added the Kerberos options to NFS more than once, that's a bug that I haven't seen. What else didn't…

      @ikogan, honestly I probably just didn't know what to put where in the plugin settings. I use Kerberos to connect to a Windows Domain Controller and I got it set up just fine manually, but I wasn't able to get it working properly with the plugin.
    • I did find the bug where it was inserting multiple NFS options which I'm working on fixing. I'd love to help you get it working with the plugin if you'd like. Perhaps it's not configuring things right. Here's how my krb5.conf is setup from the plugin if that's where the problem is:

      Source Code

      1. ​[libdefaults]
      2. default_realm = GAEA.MYTHICNET.ORG
      3. [realms]
      4. MY.DOMAIN.COM = {
      5. kdc = 10.1.1.14
      6. admin_server = 10.1.1.14
      7. default_domain = MY.DOMAIN.COM
      8. }
      9. [domain_realm]
      10. my.domain.com = MY.DOMAIN.COM
      Display All
    • ikogan wrote:

      I did find the bug where it was inserting multiple NFS options which I'm working on fixing. I'd love to help you get it working with the plugin if you'd like. Perhaps it's not configuring things right. Here's how my krb5.conf is setup from the plugin if…


      I'd love to get it working with the plugin, I will give it a shot as soon as I have some time to mess with it. One thing I didn't see how to do with the plugin was add multiple KDCs, but otherwise your config looks similar to my manually configured one:

      Source Code

      1. [libdefaults]
      2. default_realm = AD.DOMAIN.COM
      3. dns_lookup_realm = false
      4. dns_lookup_kdc = false
      5. ticket_lifetime = 24h
      6. renew_lifetime = 7d
      7. forwardable = true
      8. [realms]
      9. AD.DOMAIN.COM = {
      10. kdc = dc1.ad.domain.com
      11. kdc = dc2.ad.domain.com
      12. admin_server = dc1.ad.domain.com
      13. }
      14. [domain_realm]
      15. .ad.domain.com = AD.DOMAIN.COM
      16. ad.domain.com = AD.DOMAIN.COM
      Display All