[TUHS] NFS & Kerberos woes... — SOLVED

Grant Taylor gtaylor at tnetconsulting.net
Thu Dec 27 16:24:00 AEST 2018


On 12/25/18 5:49 PM, Grant Taylor via TUHS wrote:
> Do any fellow TUHS subscribers have any experience with NFS, 
> particularly in combination with Kerberos authentication?

After much toil and tribulation, I've managed to get things working.

> I'm messing with something that is making me think that Kerberos 
> authentication (sec=krb5{,i,p}) usurps no_root_squash.

I've found that no_root_squash is just as applicable in Kerberized NFS as 
it is in non-Kerberized NFS.  no_root_squash still does the same thing in 
Kerberized NFS.

I figured out (by grinding through possible options) that I needed to do 
the following:

Add a new principal, root/host.sub.domain.tld, and add it to host's 
(system wide) keytab file.

I also needed to configure and enable translations in the 
/etc/idmapd.conf file /on/ /the/ /NFS/ /server/.

--8<--
[Static]
root/host.sub.domain.tld = root

[Translation]
GSS-Methods = static,nsswitch
-->8--

Hopefully this will help someone trying to do something similar in the 
future.

Now, services running as root (sshd) are able to read files 
(authorized_keys) that root doesn’t have permission to read (owned by 
user and 0600) on an NFS mount (/home) that is using Kerberos 
authentication.



-- 
Grant. . . .
unix || die
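The three steps above (a root/host principal in the system keytab, the [Static] mapping plus GSS-Methods in idmapd.conf on the NFS server, and no_root_squash still being what governs root on the export) as an added example script, not code from the original post or from nfs-utils. It prints the kadmin commands rather than running them, so it works without a KDC, and it checks captured `klist -k` and /etc/exports text for the pieces the post says are needed. The host name, realm, keytab path, and the two sample listings are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the Kerberized
# NFS root setup described above. Host, realm and samples are assumptions.
set -eu

# Assumed names; substitute your own.
NFS_SERVER_FQDN="${NFS_SERVER_FQDN:-host.sub.domain.tld}"
REALM="${REALM:-SUB.DOMAIN.TLD}"

# Full name of the host's root principal, e.g. root/host.sub.domain.tld@REALM.
root_principal() {
    printf 'root/%s@%s\n' "$1" "$2"
}

# kadmin commands that create the principal with a random key and add it to
# the system keytab. Printed, not executed, so this runs without a KDC; run
# them where you hold kadmin rights.
kadmin_commands() {
    princ=$(root_principal "$1" "$2")
    printf "kadmin.local -q 'addprinc -randkey %s'\n" "$princ"
    printf "kadmin.local -q 'ktadd -k /etc/krb5.keytab %s'\n" "$princ"
}

# Does a 'klist -k' listing (on stdin) contain the principal? Entry lines
# have the KVNO in column 1 and the principal in column 2.
keytab_has_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# The idmapd.conf stanza from the post: map the GSS principal to a local
# account and consult the static table before nsswitch.
idmapd_stanza() {
    cat <<EOF
[Static]
$1 = $2

[Translation]
GSS-Methods = static,nsswitch
EOF
}

# Does the export for a path (in /etc/exports on stdin) carry
# no_root_squash in any of its client(options) entries?
export_allows_root() {
    awk -v path="$1" '
        $1 == path {
            for (i = 2; i <= NF; i++)
                if ($i ~ /\(.*no_root_squash.*\)/) found = 1
        }
        END { exit !found }'
}

# Constructed sample output of 'klist -k' on the NFS server.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/host.sub.domain.tld@SUB.DOMAIN.TLD
   2 nfs/host.sub.domain.tld@SUB.DOMAIN.TLD
   2 root/host.sub.domain.tld@SUB.DOMAIN.TLD'

# Constructed sample /etc/exports: /home keeps root, /srv squashes it.
SAMPLE_EXPORTS='/home  client.sub.domain.tld(rw,sec=krb5p,no_root_squash)
/srv   client.sub.domain.tld(ro,sec=krb5)'

# Walk the checks against the samples.
princ=$(root_principal "$NFS_SERVER_FQDN" "$REALM")
kadmin_commands "$NFS_SERVER_FQDN" "$REALM"
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "$princ"; then
    echo "keytab: $princ present"
else
    echo "keytab: $princ missing"
fi
idmapd_stanza "root/$NFS_SERVER_FQDN" root
if printf '%s\n' "$SAMPLE_EXPORTS" | export_allows_root /home; then
    echo "exports: /home keeps root (no_root_squash)"
fi
```

On a live system, feed `klist -k` and `/etc/exports` to the two checks instead of the samples. One caveat worth keeping in mind: the [Static] line makes the server treat whoever presents the root/host.sub.domain.tld key as local root, and no_root_squash then lets that identity bypass file permissions on the export, so that key belongs only in the keytab of hosts that need it, readable by root alone.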
