Holy shit is Kerberized NFS cancer!

published Nov 08, 2018

The fight to get Kerberized NFS to work, even in the simplest of environments, is 100000% absurdly ridiculous.

The stack is unbelievably complex -- NFS server, RPC GSSD, GSS proxy, interposer plugins, and the Kerberos 5 system itself.

If there's any error -- and making errors is easy -- such as "oh, your client's GSS proxy cache is out of date, because you updated your server krb5.keytab, but the client's rpc.gssd keeps retrying with the old KVNO keytab entry", there's absolutely nothing that will help you figure this out, unless you toggle some very arcane command-line flags in some absurd shell config files.  Tweak the wrong setting (and there are many to tweak), and suddenly other parts of the stack may begin to fail, often on other machines.
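One check that catches the stale-KVNO situation described above, as an added example that is not part of the original post: compare the highest KVNO for the nfs/ service principal in the client's keytab with the KVNO the KDC currently issues. In practice you would feed it `klist -kte /etc/krb5.keytab` and `kvno nfs/<host>@<REALM>` output; the hostname, realm and the two sample outputs below are constructed.

```shell
#!/bin/sh
# Added example, not from the post.  Detects a client keytab whose nfs/
# principal lags behind the KVNO the KDC issues (the condition under which
# rpc.gssd keeps retrying with an old key).  All sample data is constructed.

# Highest KVNO for principal $1 in `klist -kte` output read from stdin.
# Data lines look like:
#    3 11/01/2018 09:12:00 nfs/host@REALM (aes256-cts-hmac-sha1-96)
keytab_kvno() {
    awk -v p="$1" '$4 == p && $1+0 > max { max = $1+0 } END { print max+0 }'
}

# KVNO for principal $1 in `kvno` output read from stdin, e.g.
#   nfs/host@REALM: kvno = 4
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") { print $NF }'
}

# check_kvno PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT
# Returns 0 when the keytab is current, 1 when it is stale.
check_kvno() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$1")
    if [ "${kt:-0}" -eq "${kdc:-0}" ]; then
        echo "ok: $1 kvno $kt matches the KDC"
        return 0
    fi
    echo "STALE: keytab has kvno $kt but the KDC issues kvno $kdc for $1"
    return 1
}

# Constructed sample: keytab still at KVNO 3, KDC already at KVNO 4.
PRINC='nfs/nfs1.example.test@EXAMPLE.TEST'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   3 11/01/2018 09:12:00 nfs/nfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 11/01/2018 09:12:00 nfs/nfs1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'
SAMPLE_KVNO='nfs/nfs1.example.test@EXAMPLE.TEST: kvno = 4'

if ! check_kvno "$PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO"; then
    echo "refresh the client keytab, then restart rpc.gssd"
fi
```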

To complicate matters even further: at least in Fedora, you need to add several SELinux AVC audit2allow rules, because the daemons flat out don't work with SELinux enabled (gssproxy and rpc.gssd get denials trying to access D-BUS, and so does the kernel upcall interface).  And how does this manifest?  The mounts just hang for 30 seconds when listing them, but only randomly.

The documentation available online is poor, inconsistent, or flat out wrong.  There's no actual tutorial explaining concepts and step-by-step instructions with rationales.  To top it all off, no one actually explains in their shit "tutorials" that every user must be authenticated on a client machine -- and therefore must have a corresponding principal on the Kerberos KDC server -- for an NFS mount to actually show anything.

I'll say it: fuck whoever invented the unholy marriage of Kerberos, General Security Services, and NFS.