kerberized NFSv4 client reporting operation not permitted when mounting with sec=sys

[updatesto]

Hi everybody,

I have a kerberized NFSv4 server that is exporting a mountpoint:

Code: Select all

/home 10.0.0.0/8(rw,no_subtree_check,sec=krb5:krb5i:krb5p)

if I mount that export with this command on the client, it works as expected:

Code: Select all

/sbin/mount.nfs4 NFS.domain:/home /network/home -o _netdev,noatime,hard,sec=krb5

However, if I modify the export to be

Code: Select all

/home 10.0.0.0/8(rw,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

and I mount that export with sec=sys, as

Code: Select all

/sbin/mount.nfs4 NFS.domain:/home /network/home -o _netdev,noatime,hard,sec=sys

I get the following error:

Code: Select all

mount.nfs4: timeout set for Fri Jan 17 14:11:32 2020
mount.nfs4: trying text-based options 'hard,sec=sys,vers=4.1,addr=10.2.2.9,clientaddr=10.2.0.12'
mount.nfs4: mount(2): Operation not permitted
mount.nfs4: Operation not permitted

What might be the reason for this behavior?

[hunter86_bg]

You try to allow both kerberized and non-kerberized access to a share ... I'm not sure that it is possible.

Edit:
Actually, this should be possible.
What happens , when you use 'sec=sys' only ?

[updatesto]

Sorry for the late reply, I think I did not get the notification with your answer. I get the also the operation not permitted error.

[hunter86_bg]

So the non-kerberized settings are broken, or there is a bug.
Try on a test VM to setup a share and then compare your settings.