Unable to mount kerberized NFS4 share

  • Hi,

    I am new to NFS4+Kerberos.


    I have a test-setup with FreeIPA-Server, OMV and Ubuntu-Client - all currently updated.


    After setting up FreeIPA I wanted to access nfs4-shares with "sec=krb5:krb5i:krb5p".

    Commands executed to install freeipa-client:

    Code
    apt install freeipa-client oddjob-mkhomedir
    ipa-client-install --hostname=`hostname -f` --mkhomedir --server=tomv.test.domain --domain test.domain --realm TEST.DOMAIN

    In /etc/default/nfs-kernel-server I added:

    Code
    NEED_SVCGSSD=yes 


    Keytab with all services/hosts is stored on all devices.


    The client can't access the nfs-share from my openmediavault-Instance:

    Code
    root@onas:~# cat /etc/exports
    # This file is auto-generated by openmediavault (https://www.openmediavault.org)
    # WARNING: Do not edit this file, your changes will get lost.
    
    # /etc/exports: the access control list for filesystems which may be exported
    #               to NFS clients.  See exports(5).
    /export/testshare 10.0.56.0/24(fsid=ac9de436-a294-407a-b272-b517abe1d1a3,rw,subtree_check,insecure,sec=krb5:krb5i:krb5p)
    /export 10.0.56.0/24(ro,fsid=0,root_squash,subtree_check)

    Code
    root@client01:~$ mount -vvvv -t nfs4 onas.test.domain:/testshare /nfs/
    mount.nfs4: timeout set for Tue Jun 17 11:31:59 2025
    mount.nfs4: trying text-based options 'vers=4.2,addr=10.0.56.78,clientaddr=10.0.56.87'
    mount.nfs4: mount(2): Operation not permitted
    mount.nfs4: Operation not permitted for onas.test.domain:/testshare on /nfs


    I can mount "/" but can't access the share.

    Code
    root@client01:~# mount -vvvv -t nfs4 onas.test.domain:/ /nfs/
    mount.nfs4: timeout set for Tue Jun 17 11:49:09 2025
    mount.nfs4: trying text-based options 'vers=4.2,addr=10.0.56.78,clientaddr=10.0.56.87'
    root@client01:~# ls -la /nfs
    ls: cannot access '/nfs/testshare': Operation not permitted
    total 8
    drwxr-xr-x  3 root root 4096 Jun 16 08:08 .
    drwxr-xr-x 29 root root 4096 Jun 12 12:25 ..
    ??????????  ? ?    ?       ?            ? testshare


    I replicated the NFS-Server on a Debian 12 system with the same configuration. The NFS mounts as expected.


    Code
    root@dnas:~# cat /etc/exports
    /export/testshare 10.0.56.0/24(rw,subtree_check,insecure,sec=krb5:krb5i:krb5p)
    /export 10.0.56.0/24(ro,fsid=0,root_squash,subtree_check)

    Code
    root@client01:~$ mount -vvvv -t nfs4 dnas.test.domain:/testshare /nfs/
    mount.nfs4: timeout set for Tue Jun 17 11:57:52 2025
    mount.nfs4: trying text-based options 'vers=4.2,addr=10.0.56.66,clientaddr=10.0.56.87'


    I found no obvious errors and would appreciate any hint or help.

  • I think I found the answer: https://github.com/openmediavault/openmediavault/issues/569

    I configured OMV_NFSD_V4_DEFAULT_EXPORT_OPTIONS="ro,fsid=0,root_squash,no_subtree_check,hide,sec=krb5p:krb5i:krb5:sys" for the root-share.
    Now I can mount my share "testshare" and also access the share when the "/"-share is mounted.

    I don't get why it's not necessary on my Debian-Server, but if it's supposed to be like that, this issue is solved. :)
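
An added example (not from the thread or the OMV project) that checks an exports file for the condition the fix above changes: a child export requiring Kerberos flavors that the `fsid=0` root export for the same client does not list. The function names and the exact-string client match are assumptions of this sketch; the sample input is constructed from the exports shown in the first post and the option string from the reply.

```python
import re

# Constructed input: the OMV exports from the first post, before and after the fix.
BEFORE = """\
/export/testshare 10.0.56.0/24(fsid=ac9de436-a294-407a-b272-b517abe1d1a3,rw,subtree_check,insecure,sec=krb5:krb5i:krb5p)
/export 10.0.56.0/24(ro,fsid=0,root_squash,subtree_check)
"""
AFTER = BEFORE.replace(
    "ro,fsid=0,root_squash,subtree_check",
    "ro,fsid=0,root_squash,no_subtree_check,hide,sec=krb5p:krb5i:krb5:sys",
)

CLIENT_SPEC = re.compile(r"(\S+?)\(([^)]*)\)")  # e.g. 10.0.56.0/24(ro,fsid=0)


def parse_exports(text):
    """Yield (path, client, options) per client spec; options maps key -> value."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop comments, split off path
        if len(parts) < 2:
            continue
        for client, raw in CLIENT_SPEC.findall(parts[1]):
            opts = {}
            for item in filter(None, raw.split(",")):
                key, _, value = item.partition("=")
                opts[key.strip()] = value.strip()
            yield parts[0], client, opts


def sec_flavors(opts):
    # exports(5): an export without sec= is offered with sec=sys only.
    return opts.get("sec", "sys").split(":")


def missing_root_flavors(text):
    """Return {child_path: flavors the fsid=0 export for the same client lacks}."""
    entries = list(parse_exports(text))
    roots = [(p.rstrip("/"), c, sec_flavors(o)) for p, c, o in entries
             if o.get("fsid") in ("0", "root")]
    findings = {}
    for path, client, opts in entries:
        for root, root_client, offered in roots:
            if client == root_client and path.startswith(root + "/"):
                missing = [f for f in sec_flavors(opts) if f not in offered]
                if missing:
                    findings[path] = missing
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, missing_root_flavors(text) or "root offers every child flavor")
```

As the poster observed, the same root export on Debian 12 did not block the mount, so a finding here is a pointer to check rather than proof of failure.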

  • alexm3s

    Added the Label resolved
  • Hi, alexm3s
    It seems like the issue may be related to Kerberos authentication or NFS export settings. Ensure that the keytab is correctly configured on both the server and client, and check the permissions of the /export/testshare directory. Also, verify that the NFS server is properly registered with FreeIPA and that the client has valid Kerberos tickets.
