On 12/25/18 5:50 PM, Grant Taylor via cctalk wrote:
> Do any fellow cctalk / cctech subscribers have any experience with NFS,
> particularly in combination with Kerberos authentication?
After much toil and tribulation, I've managed to get things working.
> I'm messing with something that is making me think that Kerberos
> authentication (sec=krb5{,i,p}) usurps no_root_squash.
I've found that no_root_squash is still equally as applicable in
Kerberized NFS as it is in non-Kerberized NFS. no_root_squash actually
still does the same thing in Kerberized NFS.
I figured out (by grinding through possible options) that I needed to do
the following:
Add a new principal, root/host.sub.domain.tld, and add it to host's
(system wide) keytab file.
I also needed to configure and enable translations in the
/etc/idmapd.conf file /on/ /the/ /NFS/ /server/.
--8<--
[Static]
root/host.sub.domain.tld = root
[Translation]
GSS-Methods = static,nsswitch
-->8--
Hopefully this will help someone trying to do something similar in the
future.
Now, services running as root (sshd) are able to read files
(authorized_keys) that root doesn't have permission to read (owned by
user and 0600) on an NFS mount (/home) that is using Kerberos
authentication.
--
Grant. . . .
unix || die
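An added example, not part of the post above: a small Python check for the server-side idmapd.conf configuration it describes. It parses a constructed sample file, confirms the root/host principal has a [Static] mapping to root, and also catches the case where the mapping exists but "static" is missing from GSS-Methods (the fallback to the Method key and the nsswitch default are assumptions about idmapd's defaults).

```python
import configparser

# Constructed sample of the NFS server's /etc/idmapd.conf from the post
# (not taken from any real host).
SAMPLE_IDMAPD_CONF = """\
[General]
Domain = sub.domain.tld

[Static]
root/host.sub.domain.tld = root

[Translation]
GSS-Methods = static,nsswitch
"""


def parse_idmapd(text):
    """Parse an idmapd.conf (INI-style) keeping option names as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'GSS-Methods' and principal names case-exact
    cp.read_string(text)
    return cp


def gss_methods(cp):
    """Ordered list of GSS name-translation methods idmapd will consult.
    Assumption: GSS-Methods falls back to Method, which defaults to nsswitch."""
    default = cp.get("Translation", "Method", fallback="nsswitch")
    raw = cp.get("Translation", "GSS-Methods", fallback=default)
    return [m.strip().lower() for m in raw.split(",") if m.strip()]


def static_mapping(cp, principal):
    """Local user the [Static] section maps `principal` to, or None."""
    return cp.get("Static", principal, fallback=None)


def check_root_mapping(text, principal):
    """Return (ok, reason): True only when `principal` maps to root via a
    [Static] entry AND the static method is actually enabled."""
    cp = parse_idmapd(text)
    methods = gss_methods(cp)
    target = static_mapping(cp, principal)
    if target is None:
        return (False, f"no [Static] entry for {principal}")
    if target != "root":
        return (False, f"{principal} maps to {target!r}, not root")
    if "static" not in methods:
        return (False, "GSS-Methods lacks 'static'; the [Static] entry is ignored")
    return (True, f"{principal} -> root via static ({','.join(methods)})")
```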