QNAP NAS Community Forum

Hi,
I'm quite a new user of a QNAP TS-464 and so far it does everything I could hope for and more. With the most recent update QuTS became an option, so I've reinitialised the NAS to begin using ZFS.

But I've hit a problem. I want to use "sec=krb5" for the NFS shared folders, so that the userids are mapped between the clients and the server automatically - this requires Kerberos authentication between the client and server.

I've read a LOT of documents online about how to achieve this. They all suggest that you have to configure the NAS as an Active Directory Domain Server, which I have done: Also what I've read online says that I need to join the NAS into the AD domain, but the options to do that are greyed out, but the text seems to suggest that the NAS has been automatically added: Is this correct? Or should those options be available for me to add the NAS to the AD domain?

The AD server (samba) should support authentication with Kerberos - I've tested the ability to obtain a ticket from it using the krb tools on a client Linux command line. So this would suggest the Kerberos side is working OK.

Online, it's been suggested that the DNS servers for the NAS need to point to the local host (127.0.1.1 - as was offered in the initial set up screen after the initialisation), and the main DNS server for my network as the secondary. This is how things are configured and DNS on the NAS seems to be operating correctly, with the AD domain (afterdark.lan) looking up to the NAS IP.

Once this is all configured, i enable the NFSv4 and NFSv4.1 sharing.

Now, when it comes to sharing a share via NFS, there is no way I can change the security setting from "sys" to anything else. The option is not enabled: What am I doing wrong? How do I change the security from sys to krb5?
I've convinced myself (despite reading many, many pages online) that I'm missing a step or just being dumb.

Can anyone offer a complete step by step as to how to enable use of krb5 security, or point me in a direction that may help me resolve this?

Thanks!

I've just spent the last hour or so going through every section on Control Panel reading every bit of help text available and tinkering with any setting that looked like it might have an affect on the NFS security option.

I'm about ready to tare out what little hair I have left!

Is it even possible to set sec=krb5 on the NAS? Does anyone actually have this set up to confirm it's, at the very least, possible?

Thanks

I raised a support request with QNAP and have been testing things for them over the last few days.

It seems there is a problem with being able to select krb5 security when the NAS is ACTING as the Domain Controller for Active Directory. The problem does not manifest itself if the NAS is JOINED to an already existing AD DC.

The support chappy says that the NAS should be able to act as the DC and offer krb5 security for NFS.

QNAP seem to be taking the issue seriously as they've raised it as a problem with the developers to look into. I should hear back from them once they have an answer.

Did you get any response in this?

I've waited years for secure NFS and I thought I had i within my grasp... but no

I've opened another ticket Q-202504-07668 for this - hopefully QNAP will combine the issue and I can track progress

For the record:

Thanks for contacting QNAP support, this is something that has been raised with our R&D previously. The short answer is that it's a limitation and cannot be done. The longer answer is the Kerberos security option for NFS shared folders is only supported when the NAS is joined to an external Active Directory domain.

When the NAS is set up as a Domain Controller, this feature isn’t available due to current limitations in how Samba is integrated on QNAP systems, even though Samba itself does support AD DC roles. At this time, this is by design, and using Kerberos with NFS requires the NAS to be a domain member, not the controller.

There is a feature request raised for this, but as this is a core implementation, I am not sure it will be something will be changed or if it is then it may take some time (that's just my opinion).

I suppose that Samba has problems running on a machine that has joined a domain, but the kernel NFS server needs to run on a machine that has joined a domain.