Strange "SECINFO: security flavor .." messages

Strange "SECINFO: security flavor .." messages

[Holger Hoffstätte]

Hi,

After restarting my server and a client re-automounts, I see the
following in the server's dmesg:

[  706.454187] NFS: SECINFO: security flavor 390003 is not supported
[  706.454621] NFS: SECINFO: security flavor 390004 is not supported
[  706.455057] NFS: SECINFO: security flavor 390005 is not supported

I've been completely unsuccessful in trying to discern what these
mean and how I can get rid of them; they don't seem to be harmful
since everything else works just fine, and has done so for years.
I think this started with NFS 4.2 not too long ago, but don't remember
for certain. The server exports several mounts, ext4 and xfs.
Clients use only NFS v4 via automount. All on 4.4.6.

Relevant server config excerpt:

holger>grep NFS /etc/kernels/kernel-config-x86_64-4.4.6
CONFIG_KERNFS=y
CONFIG_NFS_FS=m
CONFIG_NFS_V2=m
CONFIG_NFS_V3=m
# CONFIG_NFS_V3_ACL is not set
CONFIG_NFS_V4=m
# CONFIG_NFS_SWAP is not set
CONFIG_NFS_V4_1=y
CONFIG_NFS_V4_2=y
CONFIG_PNFS_FILE_LAYOUT=m
CONFIG_PNFS_BLOCK=m
CONFIG_PNFS_FLEXFILE_LAYOUT=m
CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
# CONFIG_NFS_V4_1_MIGRATION is not set
CONFIG_NFS_V4_SECURITY_LABEL=y
# CONFIG_NFS_FSCACHE is not set
# CONFIG_NFS_USE_LEGACY_DNS is not set
CONFIG_NFS_USE_KERNEL_DNS=y
CONFIG_NFSD=m
CONFIG_NFSD_V3=y
# CONFIG_NFSD_V3_ACL is not set
CONFIG_NFSD_V4=y
# CONFIG_NFSD_PNFS is not set
CONFIG_NFSD_V4_SECURITY_LABEL=y
# CONFIG_NFSD_FAULT_INJECTION is not set
CONFIG_NFS_COMMON=y

CONFIG_NFS_V4_SECURITY_LABEL was recently added in the hope that this
might be it, but no luck.

Can anybody please explain what is missing here? It's not critical,
but I really don't like seemingly unnecessary log messages that I don't
understand.

Thanks!
Holger

Re: Strange "SECINFO: security flavor .." messages

[J. Bruce Fields]

On Thu, Apr 07, 2016 at 10:38:55PM +0000, Holger Hoffstätte wrote:
> Hi,
> 
> After restarting my server and a client re-automounts, I see the
> following in the server's dmesg:
> 
> [  706.454187] NFS: SECINFO: security flavor 390003 is not supported
> [  706.454621] NFS: SECINFO: security flavor 390004 is not supported
> [  706.455057] NFS: SECINFO: security flavor 390005 is not supported
> 
> I've been completely unsuccessful in trying to discern what these
> mean and how I can get rid of them; they don't seem to be harmful
> since everything else works just fine, and has done so for years.
> I think this started with NFS 4.2 not too long ago, but don't remember
> for certain. The server exports several mounts, ext4 and xfs.
> Clients use only NFS v4 via automount. All on 4.4.6.

What does "exportfs -v" say?  What about "cat
/proc/net/rpc/nfsd.export/content" right after the client's
mount/remount?

Re: Strange "SECINFO: security flavor .." messages

[Holger Hoffstätte]

On Fri, 08 Apr 2016 14:41:11 -0400, J. Bruce Fields wrote:

> On Thu, Apr 07, 2016 at 10:38:55PM +0000, Holger Hoffstätte wrote:
>> Hi,
>> 
>> After restarting my server and a client re-automounts, I see the
>> following in the server's dmesg:
>> 
>> [  706.454187] NFS: SECINFO: security flavor 390003 is not supported
>> [  706.454621] NFS: SECINFO: security flavor 390004 is not supported
>> [  706.455057] NFS: SECINFO: security flavor 390005 is not supported
>> 
>> I've been completely unsuccessful in trying to discern what these
>> mean and how I can get rid of them; they don't seem to be harmful
>> since everything else works just fine, and has done so for years.
>> I think this started with NFS 4.2 not too long ago, but don't remember
>> for certain. The server exports several mounts, ext4 and xfs.
>> Clients use only NFS v4 via automount. All on 4.4.6.
> 
> What does "exportfs -v" say?

The same for every export (please hold your nose ;), e.g.

/home/holger 192.168.100.0/24(rw,async,wdelay,insecure,no_root_squash,no_subtree_check,sec=sys,rw,insecure,no_root_squash,no_all_squash)
..etc..

Apparently I specify redundant (default) options for the exports, but
whatever.

> What about "cat /proc/net/rpc/nfsd.export/content" right after the
> client's mount/remount?

Right now:

$cat /proc/net/rpc/nfsd.export/content 
#path domain(flags)
/home/holger	192.168.100.0/24(rw,insecure,no_root_squash,async,wdelay,no_subtree_check,uuid=deeff5a9:4d0144ae:9b74badc:38c506cb,sec=1)

> From a quick glance at the code--I think that means the server believes
> that the given export is meant to be available using the krb5 flavors
> (krb5, krb5i, krb5p), but that the kernel doesn't support that flavor.

Interesting! Indeed, the increasing number looks like an attempt
at protocol negotiation - I just didn't associate that with krb.

I have built nfs-utils on both server and client without kerberos
support, maybe I should enable that? I'd rather not without a good
reason, though.

> If that's because you've got something like "sec=sys:krb5:krb5i:krb5p"
> set on that export, then that's a little odd and I think worth warning
> about--you've asked the kernel to do something it can't do.

Nothing of the sort. Security is no issue at all since I'm the only user
here.

thanks,
Holger