andykang

Kerberized NFS on Mac OS X

Has anyone been able to mount NFSv3 or NFSv4 using kerberized NFS on Mac OS 10.9, 10.10 or 10.11? We have this working in Linux, but not Mac.

We are able to mount using AUTH_SYS, but using the sec=krb5 mount option results in an "Operation not permitted" error. Our Macs are bound to AD and are using Unix uid/gids.

as root works:

su root

mount -t nfs nfs.server.com:/ifs/test /mnt/nfs


as a domain user does not:

kinit

mount -t nfs -o sec=krb5 nfs.server.com:/ifs/test /mnt/nfs

mount_nfs: can't mount /ifs/test from nfs.server.com onto /mnt: Operation not permitted


In our troubleshooting, we came across this article which details how kerberized NFS is not compatible with AD:

Computer Laboratory – Dr Markus Kuhn: OS X Kerberized NFS is incompatible with Active Directory


So we tried testing with 10.9.5 with the changes to krb5.conf with no luck.


After reaching out to Apple, we have tested with macOS Sierra as it's supposed to have AES support in RPCSEC_GSS and still no luck.


Re: Kerberized NFS on Mac OS X

Hi there,

What I'm going to share below has not been updated in quite some time as I just haven't had time to go back and test newer OS X combinations with AD (and even newer versions of OneFS), but this is what I came up with for a working Kerberized NFSv3 setup with OS X and AD. Last update on this was December of 2013 and was done for OneFS 6.5 which was still using kernel NFS. If your cluster is running 7.2 or later then any cluster sysctl changes won't work as the NFS service has been moved out of the kernel and into userspace.

I hope this helps...

OS X idiosyncrasies


  • OS X 10.6 and earlier uses MIT Kerberos
  • OS X 10.6 likes to use DES-CBC-CRC for its session key and DES3-CBC-SHA1 for its ticket.
  • OS X 10.7 and later uses Heimdal Kerberos, and uses DES3-CBC-SHA1 for its ticket.
  • The NFS client in OS X seems hard-coded to use DES3-CBC-SHA1 when not using weak crypto.

10.7, 10.8, and 10.9 client against AD


Notes

  • In order to get the Mac to do Kerberized NFS against AD, you have to enable DES support:
    • In AD (GPO in 2008 AD, and on the account in both 2003 and 2008 AD)
    • On the Mac, via krb5.conf, via enabling weak crypto support.
    • This is all a requirement for 2003. 2008, which supports AES, may work differently when OneFS adds NFS support for AES (bug 101498).
  • Customers may not like having to enable DES support. There is no other way to get this working (see references section below).


AD setup


  • In the user account used for mounting (under 2003 AD), enable "Use DES encryption types for this account"
    • If you set this on the domain account that you use to join the cluster to the domain, the domain join will fail. Packet capture will show that the DC returns KRB5KDC_ERR_ETYPE_NOSUPP when the cluster sends encryption types of rc4-hmac, des-cbc-md5, and des-cbc-crc. You'll have to leave this option unchecked just to get the domain join to succeed.
    • You'll need to turn DES support back on, after you do this, if you're going to use the same account for NFS mounting.
  • DNS delegation set to send SC zone queries to the cluster's SC service IP.
  • All IPs in the SmartConnect zone set to reverse resolve to the SC zone name.


Cluster setup

  • In my environment, the SC zone name was bernie-655.bernielab.com.
    • The cluster was called bernie-65524 and was running 6.5.5.24.
    • Best to get your SC zone set up before you join the domain, as that gets the SPNs added correctly to the machine account.
  • Set NFS principal:

sysctl vfs.nfsrv.principal_instance=bernie-655.bernielab.com

  • Create NFS export and under Advanced, make sure KRB5 is selected (not sys)
  • Kill services and look for "Succeed" in nfs.log when it tries to get its credential:

isi_for_array -s "killall gssd"
isi_for_array -s "killall nfsd"
isi_for_array -s "killall -HUP nfsd"
isi_for_array -s "tail -5 /var/log/nfs.log"

  • What you're looking for in /var/log/nfs.log is something like this:
2013-09-16T13:11:58-07:00 <3.6> bernie-65524-1(id1) gssd[5116]: Generated dynamic keytab from pstore
2013-09-16T13:12:08-07:00 <3.6> bernie-65524-1(id1) nfsd[3802]: Acquiring credential for principal: nfs/bernie-655.bernielab.com
2013-09-16T13:12:08-07:00 <3.6> bernie-65524-1(id1) nfsd[3802]: Succeeded, acquired credentials for nfs/bernie-655.bernielab.com


Mac setup and mounting


  • Join to AD
  • Log in with AD account
  • Enable admin access for the AD account, so you can use sudo (in System Preferences > Users & Groups)
  • Add this to /etc/krb5.conf on the Mac:

[libdefaults]
allow_weak_crypto = true

  • Add this line to /etc/nfs.conf on the Mac:
nfs.client.mount.options=sec=krb5 
  • Shut down the Mac, then restart, and when it comes back up, log back in with an AD account.
  • Attempt the mount from Finder > Go > Connect to Server. Enter nfs://fqdn/mountpoint.
    • fqdn in this context is the SC zone name you've configured on the cluster.
  • If you're trying to mount from the CLI, make a mountpoint (mine was /mnt), and then mount:

sudo mount -o sec=krb5 bernie-655.bernielab.com:/ifs/data/berniec1 /mnt


Troubleshooting


  • If using the administrator account, you might have to reset its password before testing, so that its DES key is properly generated.
  • To test that you can get a ticket on the Mac run kdestroy, followed by kinit username@REALM.
    • Use klist -v to verify you have a ticket.
  • To verify that clients are authenticated with their principal, run isi statistics client on your cluster, and look for NFSv3 traffic from your clients.


References


Originally, it looked like none of this would work on the Mac, and I had found the following details from other users that had difficulty. Keeping these here just in case I need to refer back to them.
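As an added example (not part of the original thread, and not Isilon or Apple code), the script below checks the four things the reply tells you to verify before attempting the mount: allow_weak_crypto under [libdefaults] in krb5.conf, sec=krb5 in nfs.conf, the "Succeeded, acquired credentials for nfs/<SC zone>" line in the cluster's nfs.log, and the enctypes of the cached nfs/ service ticket from klist -v. It also speaks to the "Operation not permitted" result in the question: if the last check fails because the KDC issued an AES or RC4 service ticket, that is the situation the reply attributes to DES support not being enabled. The klist -v layout it parses ("Server:", "Ticket etype:", "Session key:" lines) is an assumption about Heimdal's output, the bernie-655.bernielab.com zone and BERNIELAB.COM realm are taken from the reply, and everything make_samples writes is constructed sample data, not captured from a real Mac or cluster.

```shell
#!/bin/sh
# Pre-flight checks for the OS X Kerberized NFS setup in the reply above.
# Added example, not code from the original thread. Assumptions: Heimdal-style
# `klist -v` output ("Server:", "Ticket etype:", "Session key:" lines) and Isilon
# nfs.log lines shaped like the ones quoted in the reply; sample data is constructed.

# 1. /etc/krb5.conf: is allow_weak_crypto = true set under [libdefaults]?
krb5_weak_crypto_enabled() {
    awk '
        /^[[:space:]]*\[/ { sect = $0; gsub(/[^a-z_]/, "", sect); next }
        sect == "libdefaults" {
            line = $0; sub(/#.*/, "", line)
            if (split(line, kv, "=") == 2) {
                key = kv[1]; val = tolower(kv[2])
                gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
                if (key == "allow_weak_crypto" && (val == "true" || val == "yes")) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# 2. /etc/nfs.conf: the sec= flavour mount_nfs will default to (prints it; empty if unset).
nfs_conf_sec_flavor() {
    sed -n 's/^nfs\.client\.mount\.options=.*sec=\([a-z0-9]*\).*/\1/p' "$1" | head -n 1
}

# 3. Cluster /var/log/nfs.log: did nfsd acquire its credential for nfs/<SC zone>?
nfs_log_credential_ok() {
    grep -F -q "Succeeded, acquired credentials for nfs/$2" "$1"
}

# 4. `klist -v` on the Mac: enctypes the KDC issued for the nfs/<SC zone> service ticket.
#    Prints "<ticket etype> <session key etype>"; prints nothing if no such ticket is cached.
klist_nfs_ticket_etypes() {
    awk -v spn="nfs/$2@" '
        /^Server:/ { inblock = (index($2, spn) == 1); te = "" }
        inblock && /^Ticket etype:/ { te = $3; sub(/,$/, "", te) }
        inblock && /^Session key:/  { print te, $3; exit }
    ' "$1"
}

# Per the reply, the OS X client negotiates DES3-CBC-SHA1, or single DES once
# allow_weak_crypto is on; an AES or RC4 service ticket is unusable for it.
etype_usable_by_osx_nfs_client() {
    case "$1" in
        des3-cbc-sha1|des-cbc-crc|des-cbc-md5) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check against a directory holding krb5.conf, nfs.conf, nfs.log and klist.txt.
# Prints one PASS/FAIL line per check; returns 0 only when all four pass.
preflight() {
    d=$1; zone=$2; rc=0
    if krb5_weak_crypto_enabled "$d/krb5.conf"; then echo "PASS krb5.conf: allow_weak_crypto = true"
    else echo "FAIL krb5.conf: allow_weak_crypto not set under [libdefaults]"; rc=1; fi
    sec=$(nfs_conf_sec_flavor "$d/nfs.conf")
    if [ "$sec" = "krb5" ]; then echo "PASS nfs.conf: sec=krb5"
    else echo "FAIL nfs.conf: sec=${sec:-unset}"; rc=1; fi
    if nfs_log_credential_ok "$d/nfs.log" "$zone"; then echo "PASS nfs.log: nfsd holds credentials for nfs/$zone"
    else echo "FAIL nfs.log: no 'Succeeded' line for nfs/$zone"; rc=1; fi
    set -- $(klist_nfs_ticket_etypes "$d/klist.txt" "$zone")
    if [ $# -eq 2 ] && etype_usable_by_osx_nfs_client "$1"; then echo "PASS klist: nfs/$zone ticket etype $1, session key $2"
    else echo "FAIL klist: nfs/$zone ticket missing or etype '${1-}' unusable by the OS X NFS client"; rc=1; fi
    return $rc
}

# Constructed sample inputs mirroring the reply's environment (not captured from a real system).
make_samples() {
    d=$(mktemp -d)
    printf '[libdefaults]\n    allow_weak_crypto = true\n    default_realm = BERNIELAB.COM\n' > "$d/krb5.conf"
    printf 'nfs.client.mount.options=sec=krb5\n' > "$d/nfs.conf"
    printf '%s\n' \
      '2013-09-16T13:12:08-07:00 <3.6> bernie-65524-1(id1) nfsd[3802]: Acquiring credential for principal: nfs/bernie-655.bernielab.com' \
      '2013-09-16T13:12:08-07:00 <3.6> bernie-65524-1(id1) nfsd[3802]: Succeeded, acquired credentials for nfs/bernie-655.bernielab.com' \
      > "$d/nfs.log"
    printf '%s\n' \
      'Server: krbtgt/BERNIELAB.COM@BERNIELAB.COM' 'Client: alice@BERNIELAB.COM' \
      'Ticket etype: aes256-cts-hmac-sha1-96, kvno 2' 'Session key: arcfour-hmac-md5' '' \
      'Server: nfs/bernie-655.bernielab.com@BERNIELAB.COM' 'Client: alice@BERNIELAB.COM' \
      'Ticket etype: des3-cbc-sha1, kvno 3' 'Session key: des-cbc-crc' \
      > "$d/klist.txt"
    echo "$d"
}

# Stand-alone run: `sh preflight.sh --demo` reports on the constructed samples.
if [ "${1-}" = "--demo" ]; then
    dir=$(make_samples); preflight "$dir" bernie-655.bernielab.com; rm -rf "$dir"
fi
```

To use it against a real setup, copy the Mac's /etc/krb5.conf and /etc/nfs.conf, the output of klist -v (after kinit and one mount attempt, so the nfs/ service ticket is in the cache) saved as klist.txt, and the cluster's /var/log/nfs.log into one directory, then run preflight on that directory with your SmartConnect zone name. The klist check is the one that distinguishes the AD-side problem from the Mac-side one: a FAIL there with an aes256 or arcfour-hmac etype means the DC is not issuing the DES/DES3 ticket the reply says the OS X client needs, regardless of what krb5.conf says.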