I have a FreeIPA server setup in my homelab which provides Kerberos and identity services. It seems like overkill, and it probably is, but I wanted to be able to use NFS which means that I need a way to keep user and groups in sync across my various machines and VMs.

This also allows me to use the krb5 support in NFSv4 allowing various security improvements up to full encryption. From the man page;

Specifying sec=krb5 provides cryptographic proof of a user’s identity in each RPC request. This provides strong verification of the identity of users accessing data on the server. Note that additional configuration besides adding this mount option is required in order to enable Kerberos security. Refer to the rpc.gssd(8) man page for details.

Two additional flavors of Kerberos security are supported: krb5i and krb5p. The krb5i security flavor provides a cryptographically strong guarantee that the data in each RPC request has not been tampered with. The krb5p security flavor encrypts every RPC request to prevent data exposure during network transit; however, expect some performance impact when using integrity checking or encryption. Similar support for other forms of cryptographic security is also available.

My NAS box at the moment is running FreeNAS ¹, which is based on FreeBSD. For reasons I won’t go into I needed to do a fresh install of FreeNAS 11.

Pain Points

Getting everything working has caused me a fair bit of pain. FreeIPA is a damn sight easier to get going than setting up OpenLDAP and Kerberos manually, but it still takes a while to get to grips with the many moving parts if you’re unfamiliar. While RedHat has some great high level documentation which applies to RedHat and CentOS, I found documentation lacking in general for NFSv4, Kerberos and IPA. FreeNAS’s documentation too is a bit lacking.

Also I found it really difficult to get at useful debug information and logs which made it difficult to progress.

Useful info for fellow travellers

Frankly, I’m not entirely sure how I got everything working in the end, but I did find a few little tips that might help others going along the same path.

Setup everything with CentOS/Redhat only to start with

I found it really useful to get a working setup using only CentOS for the client and NFS server to start with.

The whole FreeIPA ecosystem is very RH/CentOS friendly and it’s much easier to get going. Everything’s a little better documented and a little more reliable.

When you’ve got everything working like this it’s easier to bring in FreeNAS or clients based on other distributions.

DNS is important

Make sure that all clients and servers can resolve each other with both forward and reverse DNS lookups.

Time must be in sync

Kerberos requires that time be in sync for everything involved. Make sure everything is pointing at the NTP server on the FreeIPA master.

Test kinit

Make sure you can do;

kinit user@IPA.DOMAIN

on everything. If that doesn’t work you’re going to have a bad time.

Enable more verbose logging for NFS on Linux

This can be very useful when trying to understand why a NFS mount is failing.

Enable NFS debug;

# Client
rpcdebug -m nfs -s all
# Server
rpcdebug -m nfsd -s all

Disable NFS debug;

# Client
rpcdebug -m nfs -c all
# Server
rpcdebug -m nfsd -c all

I can never get useful information out of FreeNAS. It could be my unfamiliarity with FreeBSD.

Man Pages

The man pages are some of the best documentation you’ll find.

On FreeNAS/FreeBSD;

man nfsd
man gssd
man exports
man nfsv4
man nfsuserd

On Linux;

man nfs
man exports
man nfsd

Misc Useful Tips and Links

Sorry this is not more organised, but hopefully it’ll give clues to others struggling with related problems.

• On FreeNAS ensure “Require Kerberos for NFSv4” is checked. See source
• Useful debug information from IBM
• Useful debug information from Ubuntu
• Unread but promising troubleshooting tips
• NFS and FreeIPA
• Linux NFS Official FAQ
• Introduction to Kerberos
• Linux Domain Identity and Authentication and Policy Guide
• FreeIPA Troubleshooting Guide