Re: NFS & Kerberos woes... — SOLVED
Grant Taylor
cctalk at gtaylor.tnetconsulting.net
Thu Dec 27 00:22:26 CST 2018
On 12/25/18 5:50 PM, Grant Taylor via cctalk wrote:
> Do any fellow cctalk / cctech subscribers have any experience with NFS,
> particularly in combination with Kerberos authentication?
After much toil and tribulation, I've managed to get things working.
> I'm messing with something that is making me think that Kerberos
> authentication (sec=krb5{,i,p}) usurps no_root_squash.
I've found that no_root_squash is still equally applicable in
Kerberized NFS as it is in non-Kerberized NFS. no_root_squash actually
still does the same thing in Kerberized NFS.
I figured out (by grinding through possible options) that I needed to do
the following:
Add a new principal, root/host.sub.domain.tld, and add it to the host's
(system wide) keytab file.
I also needed to configure and enable translations in the
/etc/idmapd.conf file /on the NFS server/.
--8<--
[Static]
root/host.sub.domain.tld = root
[Translation]
GSS-Methods = static,nsswitch
-->8--
Hopefully this will help someone trying to do something similar in the
future.
Now, services running as root (sshd) are able to read files
(authorized_keys) that root doesn’t have permission to read (owned by
user and 0600) on an NFS mount (/home) that is using Kerberos
authentication.
--
Grant. . . .
unix || die
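To make the two pieces above concrete, here is an added illustration (not code from the post, nor from nfs-utils) that models how rpc.idmapd resolves a GSS principal to a local user using the GSS-Methods order from the idmapd.conf fragment in the post, and then applies the export's root_squash / no_root_squash decision. The principal key form (without realm), the passwd table and the uid for nobody are constructed assumptions for the example.

```python
"""Model of idmapd GSS principal translation plus root-squash handling.
Added illustration only; the real logic lives in rpc.idmapd and knfsd."""
import configparser

# Constructed idmapd.conf mirroring the fragment from the post (assumption:
# the Static key is the principal exactly as the post wrote it, no realm).
IDMAPD_CONF = """
[General]
Domain = sub.domain.tld

[Static]
root/host.sub.domain.tld = root

[Translation]
GSS-Methods = static,nsswitch
"""

# Constructed stand-in for the nsswitch passwd lookup (assumption).
PASSWD = {"root": 0, "alice": 1000}
NOBODY = "nobody"
NOBODY_UID = 65534  # assumed uid of the squash target


def load_conf(text):
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep principal and option case intact
    cp.read_string(text)
    return cp


CONF = load_conf(IDMAPD_CONF)


def map_gss_principal(principal, conf=CONF, passwd=PASSWD):
    """Try each GSS-Method in the configured order; first hit wins."""
    raw = conf.get("Translation", "GSS-Methods", fallback="nsswitch")
    for method in (m.strip() for m in raw.split(",")):
        if method == "static" and conf.has_option("Static", principal):
            return conf.get("Static", principal)
        if method == "nsswitch":
            # nsswitch only knows plain user@REALM names: strip the realm and
            # refuse service principals (those carrying an instance part).
            user, _, _realm = principal.partition("@")
            if "/" not in user and user in passwd:
                return user
    return NOBODY  # unmapped principals are squashed to nobody


def effective_uid(principal, export_opts, conf=CONF, passwd=PASSWD):
    """Uid the server acts as, after both idmapd and the export options."""
    uid = passwd.get(map_gss_principal(principal, conf, passwd), NOBODY_UID)
    if uid == 0 and "no_root_squash" not in export_opts:
        return NOBODY_UID  # root_squash is still the default under sec=krb5
    return uid
```

Without the [Static] entry, the root/host principal falls through to nsswitch, fails, and ends up as nobody; with it, root is mapped but still needs no_root_squash on the export to keep uid 0.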