Received: by 2002:ab2:3b09:0:b0:1ed:14ea:9113 with SMTP id b9csp225147lqc;
        Thu, 29 Feb 2024 15:52:39 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCVLDfwz+w47vkO9Tf+8KzE8xs5uymf6C9DZVg74a8WJEmi06Yz+2doNfdy9MoS4pWS81zMvDbIOkRxt28dLDmfrCMeU/XThu2xyPGseZw==
X-Google-Smtp-Source: AGHT+IEp4lHZ1sL0hK3V68DBlNAdKI08S4W59W0ST3Yv8REOcDT90w7t/0c/1K/kQBd8Pv3GyHZc
X-Received: by 2002:a05:620a:459e:b0:787:fb8b:c903 with SMTP id bp30-20020a05620a459e00b00787fb8bc903mr84441qkb.56.1709250759583;
        Thu, 29 Feb 2024 15:52:39 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1709250759; cv=pass;
        d=google.com; s=arc-20160816;
        b=Ld3kNx83uvEdE7+P4e723hKdSynQ0jPShZM6hb4tKA1n1/UeySg5+fnkPt4jtJYfdh
         eApYBEYJRKj9OE9TkFh9ncXKnRF+j5dzV4YxvwQKy/ImDkVV0tVHwKqU4mNl9NdWgbpK
         DtMC8qctS6UwxpsCwQVL8yP5FNqRhaS8oj7U7LoLh72+AnH17IQJRj2hqRYFto5y6KVt
         PbhfYwnCf0dycq4Fq7Q9ZVWu3SfTogPM0+RAgx1bA57bxu7nE4DBNoWRB0OoY1UnwfNp
         1OWoFVuSHU3J+LdlYU8Dpd8nYOo11krVdGQJuSyGTzD2OOME8pc3YAjJLtaljh3mLbJu
         kVIA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=GDOFyXSyknH2+UPcIbKs/Jsp6Z3XVSjQaEt87q9gM8E=;
        fh=KzwvDxcym/l79hKWjzfSPicKEXCAAKjx43J1Pr04SvM=;
        b=sSdDOakSNb2V9KHwJnqt0b/xt4hbnRcPfbFsubREC4rUnwM45+ogQYvhXFNjMmOgg+
         n/KgqlZSO9Wb4pW6Ffl+88XqPSfj6y9F8FQckEedkjbaaWLskVCYZBWQaeLzXWz34xpv
         5cV9kbMvYjPIiXYaSkZ+/BwdebpmUv0foZcU+7UqsyelecKm9oriY+/p9i1B/y6bsV71
         eGQ/EFsRg0pBmgouzSjbfaFfz4FkO3P/50xHveciWyaIdv/eGL4Y0o1Vj3uzgK0NvNfi
         5L6BbTeZm3yHrDBF2RJqaOyyZH/eZ//3o5yi0s5FrounTbLFQjFB27w7oq2JkCgy/aeb
         5rnA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=LDoRExXk;
       arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com);
       spf=pass (google.com: domain of linux-nfs+bounces-2128-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-nfs+bounces-2128-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-nfs+bounces-2128-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id g19-20020a05620a13d300b00787cb27f640si2468969qkl.58.2024.02.29.15.52.39
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 29 Feb 2024 15:52:39 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-nfs+bounces-2128-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=LDoRExXk;
       arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com);
       spf=pass (google.com: domain of linux-nfs+bounces-2128-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-nfs+bounces-2128-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 42DA81C214A0
	for <linux.lists.archive@gmail.com>; Thu, 29 Feb 2024 23:52:39 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 00C9813E7C4;
	Thu, 29 Feb 2024 23:52:30 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="LDoRExXk"
X-Original-To: linux-nfs@vger.kernel.org
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D896744374
	for <linux-nfs@vger.kernel.org>; Thu, 29 Feb 2024 23:52:27 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1709250749; cv=none; b=J6y4DfDNudQyk+0nn0D6zZD8O2wm4F9Zy1+3ab8A+kV7J8D5vUOJgn2Mcx1TpiEJwnFJhP5FpHGzNdP8I/LXycNflnNqt9JMpn+ejl3PmcbW+wrn/ddn31BX9lm3yuRCbN6D+3ScYXEXQ1mtjCWFyCZkRCUv84sClG+dFjOuITE=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1709250749; c=relaxed/simple;
	bh=JH3x5AlqazxA7s9HV1/FHp0BaHbZ8OdRMdkbzJO2hls=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=pKNAiKb67pZr/zwGpei3DuNfn3l5pG5hTxAw1ZIyQInyTfv/L9OuqwIJLsVXlgvwvgQwX9LRoDrMj2kCDMylh+euJd7/wJc5vkI9f/bEeTHI2cdHYY0Ej+92c5uj2UjoVZVHt5IJwFJadjCXJTo4FCiNx9WIym0APkWr9ZtbcH8=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=LDoRExXk; arc=none smtp.client-ip=170.10.133.124
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1709250746;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=GDOFyXSyknH2+UPcIbKs/Jsp6Z3XVSjQaEt87q9gM8E=;
	b=LDoRExXkvOMBGpqmRnc+vAE9q5/Wd9nd7g4RsxedvnYAv14qHZcQrWB0yIhw7ct9HDvmFj
	OTqhFMzk5e2cg0HjzKw5ia6fb0Y/SfJ4oHp/Wt/u9372F4U4oDKZiwsIy0kPSHaj2JkTk3
	QGTOL1KFLGERjW/SrS2VntK66pdlcqA=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-56-xkFyZPgHPSadc6b07FCWJw-1; Thu, 29 Feb 2024 18:52:23 -0500
X-MC-Unique: xkFyZPgHPSadc6b07FCWJw-1
Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E4BCE88D586;
	Thu, 29 Feb 2024 23:52:22 +0000 (UTC)
Received: from aion.redhat.com (unknown [10.22.16.176])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id CD9AD492BE2;
	Thu, 29 Feb 2024 23:52:22 +0000 (UTC)
Received: by aion.redhat.com (Postfix, from userid 1000)
	id 60D2B12BD35; Thu, 29 Feb 2024 18:52:22 -0500 (EST)
Date: Thu, 29 Feb 2024 18:52:22 -0500
From: Scott Mayhew <smayhew@redhat.com>
To: Orion Poplawski <orion@nwra.com>
Cc: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: Cannot initiate mount with sec=krb5 as root from EL9 clients
Message-ID: <ZeEYttbCcrqTUO9z@aion>
References: <8b16410b-6b2b-406e-a669-41abee137932@nwra.com>
Precedence: bulk
X-Mailing-List: linux-nfs@vger.kernel.org
List-Id: <linux-nfs.vger.kernel.org>
List-Subscribe: <mailto:linux-nfs+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-nfs+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <8b16410b-6b2b-406e-a669-41abee137932@nwra.com>
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.10

On Thu, 29 Feb 2024, Orion Poplawski wrote:

> We are starting to add some EL9 clients into the mix on our network.  Autofs
> mounts are working fine when initiated by a regular user, but they are failing
> when initiated by root.  This works fine from our EL8 clients.
> 
> Client:
> kernel 5.14.0-362.18.1.el9_3.x86_64
> nfs-utils-2.5.4-20.el9.x86_64
> 
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/client.fqdn@NWRA.COM (aes256-cts-hmac-sha1-96)
>    1 host/client.fqdn@NWRA.COM (aes128-cts-hmac-sha1-96)
> 
> Server:
> kernel 4.18.0-513.18.1.el8_9.x86_64
> nfs-utils-2.3.3-59.el8.x86_64
> 
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/server.fqdn@NWRA.COM (aes256-cts-hmac-sha1-96)
>    1 host/server.fqdn@NWRA.COM (aes128-cts-hmac-sha1-96)
>    1 nfs/server.fqdn@NWRA.COM (aes256-cts-hmac-sha1-96)
>    1 nfs/server.fqdn@NWRA.COM (aes128-cts-hmac-sha1-96)
> 
> Client rpc.gssd:
> 
> rpc.gssd[778]:
>                                handle_gssd_upcall(0x7f15a0299840): 'mech=krb5
> uid=0 enctypes=20,19,26,25,18,17' (nfs/clnt3)
> rpc.gssd[778]: start_upcall_thread(0x7f15a0299840): created thread id
> 0x7f159f1fe640
> rpc.gssd[778]: krb5_use_machine_creds(0x7f159f1fe640): uid 0 tgtname (null)
> rpc.gssd[778]: No key table entry found for client$@NWRA.COM while getting
> keytab entry for 'client$@NWRA.COM'
> rpc.gssd[778]: No key table entry found for CLIENT$@NWRA.COM while getting
> keytab entry for 'SRV-MRY01$@NWRA.COM'
> rpc.gssd[778]: No key table entry found for root/client.fqdn@NWRA.COM while
> getting keytab entry for 'root/client.fqdn@NWRA.COM'
> rpc.gssd[778]: No key table entry found for nfs/client.fqdn@NWRA.COM while
> getting keytab entry for 'nfs/client.fqdn@NWRA.COM'
> rpc.gssd[778]: find_keytab_entry(0x7f159f1fe640): Success getting keytab entry
> for 'host/client.fqdn@NWRA.COM'
> rpc.gssd[778]: gssd_get_single_krb5_cred(0x7f159f1fe640): Credentials in CC
> 'FILE:/tmp/krb5ccmachine_NWRA.COM' are good until Fri Mar  1 10:39:34 2024
> rpc.gssd[778]: gssd_get_single_krb5_cred(0x7f159f1fe640): Credentials in CC
> 'FILE:/tmp/krb5ccmachine_NWRA.COM' are good until Fri Mar  1 10:39:34 2024
> rpc.gssd[778]: create_auth_rpc_client(0x7f159f1fe640): creating tcp client for
> server server.fqdn
> rpc.gssd[778]: create_auth_rpc_client(0x7f159f1fe640): creating context with
> server nfs@server.fqdn
> rpc.gssd[778]: WARNING: Failed to create krb5 context for user with uid 0 for
> server nfs@server.fqdn
> rpc.gssd[778]: WARNING: Failed to create machine krb5 context with cred cache
> FILE:/tmp/krb5ccmachine_NWRA.COM for server server.fqdn
> rpc.gssd[778]: WARNING: Machine cache prematurely expired or corrupted trying
> to recreate cache for server server.fqdn
> rpc.gssd[778]: No key table entry found for client$@NWRA.COM while getting
> keytab entry for 'client$@NWRA.COM'
> rpc.gssd[778]: No key table entry found for CLIENT$@NWRA.COM while getting
> keytab entry for 'SRV-MRY01$@NWRA.COM'
> rpc.gssd[778]: No key table entry found for root/client.fqdn@NWRA.COM while
> getting keytab entry for 'root/client.fqdn@NWRA.COM'
> rpc.gssd[778]: No key table entry found for nfs/client.fqdn@NWRA.COM while
> getting keytab entry for 'nfs/client.fqdn@NWRA.COM'
> rpc.gssd[778]: find_keytab_entry(0x7f159f1fe640): Success getting keytab entry
> for 'host/client.fqdn@NWRA.COM'
> rpc.gssd[778]: gssd_get_single_krb5_cred(0x7f159f1fe640): Credentials in CC
> 'FILE:/tmp/krb5ccmachine_NWRA.COM' are good until Fri Mar  1 10:39:34 2024
> rpc.gssd[778]: gssd_get_single_krb5_cred(0x7f159f1fe640): Credentials in CC
> 'FILE:/tmp/krb5ccmachine_NWRA.COM' are good until Fri Mar  1 10:39:34 2024
> rpc.gssd[778]: create_auth_rpc_client(0x7f159f1fe640): creating tcp client for
> server server.fqdn
> rpc.gssd[778]: create_auth_rpc_client(0x7f159f1fe640): creating context with
> server nfs@server.fqdn
> rpc.gssd[778]: WARNING: Failed to create krb5 context for user with uid 0 for
> server nfs@server.fqdn
> rpc.gssd[778]: WARNING: Failed to create machine krb5 context with cred cache
> FILE:/tmp/krb5ccmachine_NWRA.COM for server server.fqdn
> rpc.gssd[778]: ERROR: Failed to create machine krb5 context with any
> credentials cache for server server.fqdn
> rpc.gssd[778]: do_error_downcall(0x7f159f1fe640): uid 0 err -13
> 
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting
> 
> I don't seem to be getting any useful information from rpc.gssd on the server.
> 
> Please include me in replies.

I'm pretty sure this is the same issue that would be addressed by the
patches that I sent to the list yesterday would address:
https://lore.kernel.org/linux-nfs/20240228222253.1080880-1-smayhew@redhat.com/T/#t

There's a couple things you could check.

1. On the NFS server, increase the rpc debug logging just a little:
# rpcdebug -m rpc -s auth

and then after a failure, look for lines like this in the journal:
Feb 29 18:14:44 rhel8.smayhew.test kernel: svc: svc_authenticate (6)
Feb 29 18:14:44 rhel8.smayhew.test kernel: gss_kerberos_mech: unsupported krb5 enctype 20
Feb 29 18:14:44 rhel8.smayhew.test kernel: RPC:       gss_import_sec_context_kerberos: returning -22
Feb 29 18:14:44 rhel8.smayhew.test kernel: RPC:       gss_delete_sec_context deleting 0000000090f401ca

2. On the NFS client, increase the rpc-verbosity in the gssd stanza in
/etc/nfs.conf (I have mine set to 3 but I think 1 would suffice) and
then 'systemctl restart rpc-gssd'.

then after a failure, look for a line like this in the journal:
Feb 29 18:14:44 rhel9.smayhew.test rpc.gssd[1700]: authgss_refresh: RPC: Unable to receive errno: Connection reset by peer

If you see both of those, then it's almost certainly the same issue.

A quick solution would be to do this on your NFS server:

# echo "mac@Kerberos = -HMAC-SHA2-*" >/usr/share/crypto-policies/policies/modules/NFS.pmod
# update-crypto-policies --set DEFAULT:NFS
# systemctl restart gssproxy

but note that would be turning off the SHA2 enctypes for everything
krb5-related, not just NFS.  Note you can always revert that later
simply by:

# update-crypto-policies --set DEFAULT
# systemctl restart gssproxy

Or, you could test the patches I sent to the list yesterday (this would
be on the client, not the server).  The problem is those patches don't
apply cleanly to the current version of nfs-utils shipped in EL9.  At a
quick glance, it looks like nfs-utils would need:

49567e7d configure: check for rpc_gss_seccreate
15cd5666 gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user credentials
2bfb59c6 gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials
3abf6b52 gssd: switch to using rpc_gss_seccreate()
f05af7d9 gssd: revert commit 513630d720bd
20c07979 gssd: revert commit a5f3b7ccb01c
14ee4878 gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user credentials
4b272471 gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials
75b04a9b gssd: fix handling DNS lookup failure
f066f87b gssd: enable forcing cred renewal using the keytab

and you'd also need to patch libtirpc to include:

22b1c0c gssapi: fix rpc_gss_seccreate passed in cred

-Scott

> 
> -- 
> Orion Poplawski
> he/him/his  - surely the least important thing about me
> Manager of IT Systems                      720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       orion@nwra.com
> Boulder, CO 80301                 https://www.nwra.com/