# NFSv3 and Kerberos - strange behavior

## lmnopram

I have been struggling with this for a few days now and would appreciate some feedback.

I have a seemingly functional Kerberos realm. I followed this guide: https://forums.gentoo.org/viewtopic-t-565180.html and SSH authentication between server and client is working.

I added the NFS server principal and key as:

```
addprinc -randkey nfs/server.example.com

ktadd nfs/server.example.com
```

from the server's kadmin.local,

and client principal and key as:

```
addprinc -randkey root/client.example.com

ktadd root/client.example.com
```

from the client's kadmin.

export:

```
/export 10.0.0.240/28(sec=krb5,ro)
```

mount:

```
mount -t nfs -o sec=krb5 server.example.com:/export /mnt/export
```

The above works to an extent. It mounts the share to the client but I am not able to read the share on any user ID.

If I modify the export as below:

```
/export gss/krb5(ro)
```

I get an error on the server side when trying to mount:

```
refused mount request from 10.0.0.236 for /export (/): not exported
```

After trial and error I added both lines to export:

```
/export 10.0.0.240/28(sec=krb5,ro)

/export gss/krb5(ro)
```

This worked as expected. I can read it as my standard user after kinit and if I kdestroy I lose the read permission.

However, here is the interesting part. I have a laptop with no Kerberos components installed whatsoever, and if I try to mount the server's shares from within the 10.0.0.240/28 network as:

```
mount -t nfs server.example.com:/export /mnt/export
```

without even specifying the sec= option, I can mount it without issue, seemingly ignoring all security settings. If I try to replicate the mount setting of my laptop on my client box (i.e. without including the sec=krb5 mount option), I am not able to read the share, as expected. I tried doing this on yet another box in the network too (also with no Kerberos components installed), and this box seemingly produces expected results, the same as my Kerberos client box: I am able to mount the share but not read it, presumably because I don't have the security in place.

My conclusion is that I have a magical laptop that is able to passively break security. There must be some difference between my laptop and the last machine I tested, but I am new to Kerberos and I don't really know where I should be looking to troubleshoot this or what I should be posting to get additional help.

All machines are running Gentoo. The Kerberos NFS server runs xen-sources 2.6.32-r1, the Kerberos client runs 2.6.33-r2 and the laptop runs 2.6.31-r10.

----------

## scouter389

I would recommend comparing the NFS client settings between the Kerberos client kernel and the laptop kernel. This sounds like the system is not reading the Kerberos permissions correctly.

----------

## lmnopram

I appreciate the input. It seems I have solved the problem for now. I'll have to use it for a while to see if I run into further issues.

The problem was indeed the kernel, although not in the way I had first thought. Tweaking the laptop kernel and the client kernel had seemingly no effect on the permission behavior. What I think made it work was one or both of two things: I removed NFS client support and added NFSv4 server support to the NFS server. I'm guessing NFSv4 is what made the difference, even though I am using NFSv3.

As a side effect I now export as just

```
/export 10.0.0.240/28(sec=krb5,ro)
```

and I no longer need the redundant entry:

```
/export gss/krb5(ro)
```

which is to be expected.
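The thread turns on what each line of /etc/exports actually allows: an entry with no sec= option defaults to sec=sys (no Kerberos needed), and the old `gss/krb5` pseudo-client form matches any host that presents that flavor, with no address restriction at all. The following audit script is an added example written for this thread, not code from the posters; it parses an exports file in the format exports(5) describes and flags both conditions, using a constructed sample that mirrors the "both lines" configuration tried above plus one non-Kerberos export.

```python
import re

# Constructed sample exports file modelled on the thread (not a real host's config).
SAMPLE_EXPORTS = """\
# trial-and-error configuration from the thread
/export 10.0.0.240/28(sec=krb5,ro)
/export gss/krb5(ro)
/srv/data 10.0.0.0/24(rw)
"""

# client token: optional client name, then optional "(options)" glued to it
TOKEN_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")


def effective_flavors(options):
    """Security flavors granted by an option string; exports(5) defaults to sys."""
    for opt in options.split(","):
        opt = opt.strip()
        if opt.startswith("sec="):
            return tuple(opt[len("sec="):].split(":"))
    return ("sys",)


def audit_exports(text):
    """Return {(path, client): [issue, ...]} for every client entry in the file."""
    issues = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *tokens = line.split()
        for tok in tokens:
            client, opts = TOKEN_RE.match(tok).groups()
            opts = opts or ""
            found = []
            if client == "":
                # "(ro)" separated from a client by a space applies to all hosts
                client = "*"
                found.append("options not attached to a client: applies to every host")
            if client.startswith("gss/"):
                flavors = (client[len("gss/"):],)
                found.append("deprecated gss/ pseudo-client: any host using this "
                             "flavor matches, the address restriction does not apply")
            else:
                flavors = effective_flavors(opts)
            if "sys" in flavors:
                found.append("sec=sys reachable: no Kerberos required for this match")
            issues[(path, client)] = found
    return issues


if __name__ == "__main__":
    for (path, client), found in audit_exports(SAMPLE_EXPORTS).items():
        print(path, client, found or "ok")
```

Run it against a real /etc/exports by reading the file into `audit_exports`; any entry that reports `sec=sys reachable` is one a client can mount without Kerberos, which is the behaviour the laptop showed.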

----------

## scouter389

Glad I got you to the right area to fix the problem. Let me know if there is anything else I can help fix.
