Bug #9561

sharenfs doesn't accept sec=krb5 option

Added by Adam Stylinski almost 2 years ago. Updated almost 2 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Start date: 2018-05-29
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

It appears that when setting zfs set sharenfs=sec=krb5, it returns:

cannot set property for 'archive/testkerbnfs': 'sharenfs' cannot be set to invalid options

share -F nfs allows me to set this option with -o.

History

#1

Updated by Yuri Pankov almost 2 years ago

Make sure you have /etc/nfssec.conf modified accordingly.

#2

Updated by Adam Stylinski almost 2 years ago

cat /etc/nfssec.conf 
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2001 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI" 
#
# The NFS Security Service Configuration File.
#
# Each entry is of the form:
#
#       <NFS_security_mode_name> <NFS_security_mode_number> \
#               <GSS_mechanism_name> <GSS_quality_of_protection> <GSS_services>
#
#
# The "-" in <GSS_mechanism_name> signifies that this is not a GSS mechanism.
# A string entry in <GSS_mechanism_name> is required for using RPCSEC_GSS
# services.  <GSS_quality_of_protection> and <GSS_services> are optional.
# White space is not an acceptable value.
#
# default security mode is defined at the end.  It should be one of
# the flavor numbers defined above it.
#
none            0       -       -       -       # AUTH_NONE
sys             1       -       -       -       # AUTH_SYS
dh              3       -       -       -       # AUTH_DH
#
# Uncomment the following lines to use Kerberos V5 with NFS
#
krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
default         1       -       -       -                       # default is AUTH_SYS

#3

Updated by Yuri Pankov almost 2 years ago

For me it is as follows, running vanilla illumos-gate 8dfe5547fb (~latest):

# zfs create rpool/nfs
# grep ^krb /etc/nfssec.conf
# zfs set sharenfs=sec=krb5 rpool/nfs
cannot set property for 'rpool/nfs': 'sharenfs' cannot be set to invalid options
# vim /etc/nfssec.conf
# grep ^krb /etc/nfssec.conf
krb5               390003  kerberos_v5     default -               # RPCSEC_GSS
krb5i              390004  kerberos_v5     default integrity       # RPCSEC_GSS
krb5p              390005  kerberos_v5     default privacy         # RPCSEC_GSS
# zfs set sharenfs=sec=krb5 rpool/nfs
#

So apparently it's not a zfs share (via libshare) problem.

#4

Updated by Adam Stylinski almost 2 years ago

Hmm, I just tried it again and it worked. Maybe it happens going from one setting to another? I can't seem to reproduce this anymore, either.

#5

Updated by Yuri Pankov almost 2 years ago

I guess you did the initial `zfs set sharenfs` when you had the krb still disabled in nfssec.conf, then uncommented it and `share -F nfs` worked; not seeing any other explanation here as this doesn't require restarting any services or anything similar.

#6

Updated by Marcel Telka almost 2 years ago

  • Status changed from New to Rejected

This does not look like a bug. Closing.
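
The cause worked out in this thread (a `sec=` mode is rejected while its entry in /etc/nfssec.conf is still commented out) can be checked before running `zfs set sharenfs`. The script below is an added example, not part of the original thread or of illumos; the function names and sample files are hypothetical, and it assumes the `sec=mode[:mode]` option syntax of share_nfs.

```shell
#!/bin/sh
# Added example, not illumos code: check that every mode in a sharenfs
# "sec=" option is an active (uncommented) entry in an nfssec.conf-style file.

# enabled_modes FILE: print the active security mode names, one per line.
enabled_modes() {
    awk 'NF < 2 || $1 ~ /^#/ { next }   # blank lines and comments
         $1 == "default"     { next }   # selects a flavor, not a mode
                             { print $1 }' "$1"
}

# check_sharenfs FILE OPTS: return 0 if all sec= modes in OPTS are enabled
# in FILE; otherwise name the missing ones on stderr and return 1.
check_sharenfs() {
    conf=$1 opts=$2
    modes=$(enabled_modes "$conf")
    # Options are comma-separated; a sec= value may list modes joined by ":".
    missing=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p' |
        tr ':' '\n' | while read -r m; do
            [ -n "$m" ] || continue
            printf '%s\n' "$modes" | grep -Fqx -- "$m" || printf ' %s' "$m"
        done)
    [ -z "$missing" ] && return 0
    echo "sec= modes not enabled in $conf:$missing" >&2
    return 1
}

# Constructed sample files modeled on the entries quoted in this thread.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/stock.conf" <<'EOF'
none    0       -            -        -          # AUTH_NONE
sys     1       -            -        -          # AUTH_SYS
#krb5   390003  kerberos_v5  default  -          # RPCSEC_GSS
#krb5i  390004  kerberos_v5  default  integrity  # RPCSEC_GSS
default 1       -            -        -
EOF
sed 's/^#krb5/krb5/' "$SAMPLE_DIR/stock.conf" > "$SAMPLE_DIR/edited.conf"

check_sharenfs "$SAMPLE_DIR/stock.conf"  "sec=krb5"          || echo "stock: rejected"
check_sharenfs "$SAMPLE_DIR/edited.conf" "sec=krb5:krb5i,rw" && echo "edited: ok"
```

On a real host the first argument would be /etc/nfssec.conf and the second the value intended for the sharenfs property.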
