[TUHS] NFS & Kerberos woes... — SOLVED

Grant Taylor gtaylor at tnetconsulting.net
Thu Dec 27 16:24:00 AEST 2018

On 12/25/18 5:49 PM, Grant Taylor via TUHS wrote:
> Do any fellow TUHS subscribers have any experience with NFS, 
> particularly in combination with Kerberos authentication?

After much toil and tribulation, I've managed to get things working.

> I'm messing with something that is making me think that Kerberos 
> authentication (sec=krb5{,i,p}) usurps no_root_squash.

I've found that no_root_squash is still equally as applicable in 
Kerberized NFS as it is in non-Kerberized NFS.  no_root_squash actually 
still does the same thing in Kerberized NFS.

I figured out (by grinding through possible options) that I needed to do 
the following:

Add a new principal, root/host.sub.domain.tld, and add it to host's 
(system wide) keytab file.

I also needed to configure and enable translations in the 
/etc/idmapd.conf file /on/ /the/ /NFS/ /server/.

root/host.sub.domain.tld = root

GSS-Methods = static,nsswitch

Hopefully this will help someone trying to do something similar in the 

Now, services running as root (sshd) are able to read files 
(authorized_keys) that root doesn’t have permission to read (owned by 
user and 0600) on an NFS mount (/home) that is using Kerberos 

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20181226/a3d03b62/attachment.bin>

More information about the TUHS mailing list