Re: NFS & Kerberos woes... — SOLVED

Grant Taylor cctalk at gtaylor.tnetconsulting.net
Thu Dec 27 00:22:26 CST 2018


On 12/25/18 5:50 PM, Grant Taylor via cctalk wrote:
> Do any fellow cctalk / cctech subscribers have any experience with NFS, 
> particularly in combination with Kerberos authentication?

After much toil and tribulation, I've managed to get things working.

> I'm messing with something that is making me think that Kerberos 
> authentication (sec=krb5{,i,p}) usurps no_root_squash.

I've found that no_root_squash is still just as applicable in 
Kerberized NFS as it is in non-Kerberized NFS.  no_root_squash actually 
still does the same thing in Kerberized NFS.

I figured out (by grinding through possible options) that I needed to do 
the following:

Add a new principal, root/host.sub.domain.tld, and add it to host's 
(system wide) keytab file.

I also needed to configure and enable translations in the 
/etc/idmapd.conf file /on/ /the/ /NFS/ /server/.

--8<--
# /etc/idmapd.conf on the NFS server
[Static]
# map the client's root/<host> machine principal to the local root user
root/host.sub.domain.tld = root

[Translation]
# consult the [Static] table first, then the system's passwd/nsswitch lookup
GSS-Methods = static,nsswitch
-->8--

Hopefully this will help someone trying to do something similar in the 
future.

Now, services running as root (sshd) are able to read files 
(authorized_keys) that root doesn’t have permission to read (owned by 
user and 0600) on an NFS mount (/home) that is using Kerberos 
authentication.



-- 
Grant. . . .
unix || die
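As an added example (not part of Grant's post), here is a small POSIX shell helper that reads an NFS server's /etc/idmapd.conf the way the GSS name translation applies it: "static" must appear in GSS-Methods under [Translation], and the principal must have an entry under [Static]. It checks a weak config (no static mapping, as shipped by default) against the working one from the post, and prints, as a dry run only, the kadmin/klist steps for the client-side root/<host> principal. The hostname host.sub.domain.tld, the Domain value, the keytab path and the two sample configs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an idmapd.conf the way
# the NFS server's GSS name translation would: GSS-Methods must include
# "static" and the [Static] section must carry the principal. Also prints
# (dry run) the client-side kadmin/klist steps for the root/<host> principal.
# Assumed placeholders: host.sub.domain.tld, sub.domain.tld, /etc/krb5.keytab.

# Look up KEY in [SECTION] of an ini-style file; prints the value, or nothing.
# Usage: ini_get FILE SECTION KEY
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*#/ { next }                  # skip comment lines
        $0 == sec  { insec = 1; next }       # entered the wanted section
        /^\[/      { insec = 0 }             # any other header ends it
        insec && /=/ {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Resolve a Kerberos principal to a local user via the [Static] section,
# which only applies when "static" is listed in GSS-Methods.
# Usage: gss_static_map FILE PRINCIPAL   (prints user; returns 1 if unmapped)
gss_static_map() {
    methods=$(ini_get "$1" Translation GSS-Methods)
    case ",$methods," in
        *,static,*) ;;
        *) echo "static not in GSS-Methods ('$methods')" >&2; return 1 ;;
    esac
    user=$(ini_get "$1" Static "$2")
    if [ -z "$user" ]; then
        echo "no [Static] entry for $2" >&2
        return 1
    fi
    printf '%s\n' "$user"
}

# Constructed sample: a server config with no static mapping, so the
# client's root principal is not translated to a local user.
write_weak_conf() {
    cat >"$1" <<'EOF'
[General]
Domain = sub.domain.tld

[Translation]
Method = nsswitch
GSS-Methods = nsswitch
EOF
}

# Constructed sample matching the working server config from the post.
write_fixed_conf() {
    cat >"$1" <<'EOF'
[General]
Domain = sub.domain.tld

[Static]
# the client's machine principal, translated to the server's root user
root/host.sub.domain.tld = root

[Translation]
Method = nsswitch
GSS-Methods = static,nsswitch
EOF
}

# Dry run (printed, not executed) of the client-side steps from the post:
# create the principal, add it to the system keytab, confirm it is present.
# Usage: client_steps PRINCIPAL [KEYTAB]
client_steps() {
    kt=${2:-/etc/krb5.keytab}
    printf 'kadmin -q "addprinc -randkey %s"\n' "$1"
    printf 'kadmin -q "ktadd -k %s %s"\n' "$kt" "$1"
    printf 'klist -k %s | grep -F %s\n' "$kt" "$1"
}

# Demo: compare the two server configs for the principal from the post.
principal=root/host.sub.domain.tld
weak=$(mktemp); fixed=$(mktemp)
write_weak_conf "$weak"; write_fixed_conf "$fixed"
for f in "$weak" "$fixed"; do
    if u=$(gss_static_map "$f" "$principal" 2>/dev/null); then
        echo "$f: $principal -> '$u' (root on the export when no_root_squash is set)"
    else
        echo "$f: $principal has no static mapping; nsswitch lookup, then Nobody-User"
    fi
done
client_steps "$principal"
rm -f "$weak" "$fixed"
```

The mapping is the security-relevant part: whoever holds the root/host.sub.domain.tld key in the client's keytab is root on every export that also carries no_root_squash, so that keytab, and the [Static] section on the server, deserve the same protection as the server's own root account.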

