[TUHS] NFS & Kerberos woes... — SOLVED
Grant Taylor
gtaylor at tnetconsulting.net
Thu Dec 27 16:24:00 AEST 2018
On 12/25/18 5:49 PM, Grant Taylor via TUHS wrote:
> Do any fellow TUHS subscribers have any experience with NFS,
> particularly in combination with Kerberos authentication?
After much toil and tribulation, I've managed to get things working.
> I'm messing with something that is making me think that Kerberos
> authentication (sec=krb5{,i,p}) usurps no_root_squash.
I've found that no_root_squash is still just as applicable in
Kerberized NFS as it is in non-Kerberized NFS. no_root_squash actually
still does the same thing in Kerberized NFS.
I figured out (by grinding through possible options) that I needed to do
the following:
Add a new principal, root/host.sub.domain.tld, and add it to host's
(system wide) keytab file.
I also needed to configure and enable translations in the
/etc/idmapd.conf file /on the NFS server/.
--8<--
[Static]
root/host.sub.domain.tld = root
[Translation]
GSS-Methods = static,nsswitch
-->8--
Hopefully this will help someone trying to do something similar in the
future.
Now, services running as root (sshd) are able to read files
(authorized_keys) that root doesn’t have permission to read (owned by
user and 0600) on an NFS mount (/home) that is using Kerberos
authentication.
--
Grant. . . .
unix || die
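What the idmapd.conf fragment above does, as an added example that is not part of Grant's post or of the nfs-utils code: a simplified Python model of how rpc.idmapd turns the GSS principal presented on a Kerberized NFS request into a local Unix user, trying the methods named in GSS-Methods in order. The passwd table, the realm name SUB.DOMAIN.TLD and the Local-Realms setting are constructed assumptions, and the matching rules (whether a [Static] key must carry the realm, how foreign realms are handled) are simplified rather than copied from the real daemon.

```python
"""Simplified model of rpc.idmapd GSS-name -> local-user translation.

Added example, not the post's or nfs-utils' own code.  The idmapd.conf
text, the passwd table and the realm are constructed sample data; the
matching rules are a simplification of idmapd's behaviour (assumption).
"""
import configparser

# Constructed idmapd.conf matching the fragment from the post (assumption:
# [General] Local-Realms is set so user@REALM names count as local).
IDMAPD_CONF = """
[General]
Local-Realms = SUB.DOMAIN.TLD

[Translation]
GSS-Methods = static,nsswitch

[Static]
root/host.sub.domain.tld = root
"""

# The same server before the fix: no [Static] section, nsswitch only.
IDMAPD_CONF_NO_STATIC = """
[General]
Local-Realms = SUB.DOMAIN.TLD

[Translation]
GSS-Methods = nsswitch
"""

# Constructed local passwd entries (name -> uid).
PASSWD = {"root": 0, "nobody": 65534, "alice": 1000}
NOBODY = "nobody"  # idmapd's Nobody-User default


def parse_conf(text):
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep principal names case-sensitive
    cp.read_string(text)
    return cp


def method_static(cp, principal, gss_name):
    """[Static]: explicit principal -> user table.  Assumption: the key may be
    written with or without the realm, so both forms are tried."""
    if not cp.has_section("Static"):
        return None
    sect = cp["Static"]
    return sect.get(gss_name) or sect.get(principal)


def method_nsswitch(cp, principal, gss_name):
    """nsswitch: a plain user principal maps to the local account of the same
    name.  A service principal such as root/host has no passwd entry, so it
    cannot be resolved this way."""
    if "/" in principal:
        return None
    return principal if principal in PASSWD else None


METHODS = {"static": method_static, "nsswitch": method_nsswitch}


def strip_realm(cp, gss_name):
    """Return the principal without its realm, or None if the realm is foreign."""
    name, _, realm = gss_name.partition("@")
    local = [r.strip() for r in cp.get("General", "Local-Realms", fallback="").split(",") if r.strip()]
    if realm and local and realm not in local:
        return None
    return name


def gss_to_user(cp, gss_name):
    """Try each GSS-Method in configured order; fall back to the nobody user."""
    principal = strip_realm(cp, gss_name)
    if principal is None:
        return NOBODY
    order = [m.strip() for m in cp.get("Translation", "GSS-Methods", fallback="nsswitch").split(",")]
    for m in order:
        user = METHODS[m](cp, principal, gss_name)
        if user is not None:
            return user
    return NOBODY


def gss_to_uid(cp, gss_name):
    return PASSWD[gss_to_user(cp, gss_name)]


if __name__ == "__main__":
    fixed, broken = parse_conf(IDMAPD_CONF), parse_conf(IDMAPD_CONF_NO_STATIC)
    for name in ("root/host.sub.domain.tld@SUB.DOMAIN.TLD",
                 "alice@SUB.DOMAIN.TLD",
                 "root/host.sub.domain.tld@OTHER.REALM"):
        print(f"{name:45} before: {gss_to_user(broken, name):7} after: {gss_to_user(fixed, name)}")
```

The model makes the failure mode in the original question visible: without the [Static] entry, the root/host principal falls through nsswitch (no passwd entry for a service principal) and lands on nobody, so the server credentials the request as nobody whatever the export's no_root_squash setting says. no_root_squash only comes into play once the principal has actually been mapped to uid 0, which is what the added principal plus the static mapping achieves.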