[36954] in Kerberos
Re: username/cron principals and cron
daemon@ATHENA.MIT.EDU (Rainer Krienke)
Wed May 6 04:11:12 2015
Message-ID: <5549CC88.7080303@uni-koblenz.de>
Date: Wed, 06 May 2015 10:10:48 +0200
From: Rainer Krienke <krienke@uni-koblenz.de>
MIME-Version: 1.0
To: Frank Cusack <frank@linetwo.net>
In-Reply-To: <CAAyYNQgAup0gt_jQeDhNvk3kGjvXE5Za-oTnxxAJCNO7SOyRtA@mail.gmail.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: multipart/mixed; boundary="===============1997739312=="
Errors-To: kerberos-bounces@mit.edu
This is a cryptographically signed message in MIME format.
--===============1997739312==
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary="------------ms030304060400000706040706"
This is a cryptographically signed message in MIME format.
--------------ms030304060400000706040706
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Hello to everyone,
thank you Rank and thank you Robert for your answers. I tried to find
out more. Beeing root on a NFS4 client I ran the following commands with
different results. Before I tried this I commented out my auth_to_local
rules from /etc/krb5.conf:
# su username -c "/usr/bin/kinit username/cron@MYREALM; touch
/home/username/xx"
Password for username/cron@MYREALM: ******
touch: cannot touch `/home/username/xx': Permission denied
and after a reboot of the NFS client and after kdestroying all the
/tmp/krb5_* caches I ran this:
# su username -c "/usr/bin/kinit username@MYREALM; touch /home/username/x=
x"
Password for username@MYREALM: ******
# <success: no error message>
So using principal username/cron@MYREALM does not permit the unix user
username to write to NFS while principal username@MYREALM does.
Behind the scene there is an ldap server that NFS client and server are
configured to use in order to find out eg the uid of user "username" for
id mapping. Running a getent passwd username returns on both sides the
same entry with the same unix uid and gid.
So the question for me is, should a principal "username/cron" be
automaticall be mapped to a local unix user "username" so that
"username" is then allowd to access a NFS4 mounted directory that
belongs to "username". This is what does not work for me at the moment.
Does anyone have such a setup thats working? Is perhaps some kind of
flag needed for the kerberos cron-principal to make it work?
If I try to play around with auth_to_local rules, that to my
understading are thought for this purpose, where do I have to defined
them? On the NFS client, the NFS Server or the Kerberos Server or on all
of them?
Thanks a lot
Rainer
Am 05.05.2015 um 16:43 schrieb Frank Cusack:
> I'm surprised you need a mapping at all. The default mapping should
> simply strip any instance component. What happens if you kinit
> "manually" with username/cron using a password?
>=20
> On Tue, May 5, 2015 at 4:24 AM, Rainer Krienke <krienke@uni-koblenz.de
> <mailto:krienke@uni-koblenz.de>> wrote:
>=20
> Hello,
>=20
> I am setting up a kerberos/NFS4 environment. Basically everything s=
eems
> to work. Every user has of course a princiapl username@MYREALM, whe=
re
> username is the unix user name. The users homes are on a kerberos/N=
FS4
> mounted directory.
>=20
--=20
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1=
312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
1001312
--------------ms030304060400000706040706
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIPwDCC
BNUwggO9oAMCAQICCFBOxvU9EbRkMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAkRFMRww
GgYDVQQKExNEZXV0c2NoZSBUZWxla29tIEFHMR8wHQYDVQQLExZULVRlbGVTZWMgVHJ1c3Qg
Q2VudGVyMSMwIQYDVQQDExpEZXV0c2NoZSBUZWxla29tIFJvb3QgQ0EgMjAeFw0xNDA3MjIx
MjA4MjZaFw0xOTA3MDkyMzU5MDBaMFoxCzAJBgNVBAYTAkRFMRMwEQYDVQQKEwpERk4tVmVy
ZWluMRAwDgYDVQQLEwdERk4tUEtJMSQwIgYDVQQDExtERk4tVmVyZWluIFBDQSBHbG9iYWwg
LSBHMDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpm8NnhfkNrvWNVMOWUDU9
YuluTO2U1wBblSJ01CDrNI/W7MAxBAuZgeKmFNJSoCgjhIt0iQReW+DieMF4yxbLKDU5ey2Q
RdDtoAB6fL9KDhsAw4bpXCsxEXsM84IkQ4wcOItqaACa7txPeKvSxhObdq3u3ibo7wGvdA/B
CaL2a869080UME/15eOkyGKbghoDJzANAmVgTe3RCSMqljVYJ9N2xnG2kB3E7f81hn1vM7Pb
D8URwoqDoZRdQWvY0hD1TP3KUazZve+Sg7va64sWVlZDz+HVEz2mHycwzUlU28kTNJpxdcVs
6qcLmPkhnSevPqM5OUhqjK3JmfvDEvK9AgMBAAGjggGGMIIBgjAOBgNVHQ8BAf8EBAMCAQYw
HQYDVR0OBBYEFEm3xs/oPR9/6kR7Eyn38QpwPt5kMB8GA1UdIwQYMBaAFDHDeRu69VPXF+CJ
ei0XbAqzK50zMBIGA1UdEwEB/wQIMAYBAf8CAQIwYgYDVR0gBFswWTARBg8rBgEEAYGtIYIs
AQEEAgIwEQYPKwYBBAGBrSGCLAEBBAMAMBEGDysGAQQBga0hgiwBAQQDATAPBg0rBgEEAYGt
IYIsAQEEMA0GCysGAQQBga0hgiweMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly9wa2kwMzM2
LnRlbGVzZWMuZGUvcmwvRFRfUk9PVF9DQV8yLmNybDB4BggrBgEFBQcBAQRsMGowLAYIKwYB
BQUHMAGGIGh0dHA6Ly9vY3NwMDMzNi50ZWxlc2VjLmRlL29jc3ByMDoGCCsGAQUFBzAChi5o
dHRwOi8vcGtpMDMzNi50ZWxlc2VjLmRlL2NydC9EVF9ST09UX0NBXzIuY2VyMA0GCSqGSIb3
DQEBCwUAA4IBAQBjICj9nCGGcr45Rlk5MiW8qQGbDczKfUGchm0KbiyzE1l1sTOSG2EnFv/D
stU1gvuEKgFJvWa7Zi+ywgZdbj9u4wFaW8pDY1yVtuExpx/VB19N5mWCTjL5w3x6S81NXHTu
IfJ1AuxSPtLJatOQI25JZzW+f01WpOzML8+3oZeocj7JvEDWWqQIPda8gsO3tzKOsSyOam23
NQIZz/U5RFhjpyQAELC7/E6vbi84u6VXST/YblBvLJeW3B1GmmWJz67M8uXZn1OzPqEvkqnY
C8aEHwTG6x7on321e6UC8STFJGMRNMxakyAqeYg6JUKQqWU7fIbTEhUjKfws2sw5W1QXMIIF
XjCCBEagAwIBAgIHF5mf2lfXsjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJERTETMBEG
A1UEChMKREZOLVZlcmVpbjEQMA4GA1UECxMHREZOLVBLSTEkMCIGA1UEAxMbREZOLVZlcmVp
biBQQ0EgR2xvYmFsIC0gRzAxMB4XDTE0MDUxOTE1MjQ1OFoXDTE5MDcwOTIzNTkwMFowgYIx
CzAJBgNVBAYTAkRFMTkwNwYDVQQKEzBSZWdpb25hbGVzIEhvY2hzY2h1bHJlY2hlbnplbnRy
dW0gS2Fpc2Vyc2xhdXRlcm4xFjAUBgNVBAMTDVJIUkstQ0EgLSBHMDIxIDAeBgkqhkiG9w0B
CQEWEWNhQHJocmsudW5pLWtsLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
rkBDHdIGttkOw7WYdJ2BisOniuHlJCPep/0pUeTb9QFLZaprodeeRm6kFix2XGl3h4imLu7d
Gwtu8oRRpGcZ6tm3i2VSpw1zxxk9uUV2sMiRHK2HVkN3qWFwq/RBOgPEaVNhdF5hMz7QZjZr
dXtXOM4LGG8kBZqD75Q+U0mbtDagOL1NIwtJuY3YqnL/6Hvptb4F30RDVUnYmhsWVX+RCNaM
vO1rU9gHHONICEv8AAP1XKRX4L7lB77wDpNZL6CImPp+xPHybnU6e98QjTa3InO40E8sCKch
XrWfpKeuwW8iXSTwjEp7zuhS39oDPwHmNYzPLEF4NO1LSUKK1PNFswIDAQABo4IB/jCCAfow
EgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
MB0GA1UdDgQWBBQv3ROYY1wLw2+47YbgAyfBb7q2AjAfBgNVHSMEGDAWgBRJt8bP6D0ff+pE
exMp9/EKcD7eZDAcBgNVHREEFTATgRFjYUByaHJrLnVuaS1rbC5kZTCBiAYDVR0fBIGAMH4w
PaA7oDmGN2h0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtY2EvcHViL2NybC9j
YWNybC5jcmwwPaA7oDmGN2h0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtY2Ev
cHViL2NybC9jYWNybC5jcmwwgdcGCCsGAQUFBwEBBIHKMIHHMDMGCCsGAQUFBzABhidodHRw
Oi8vb2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1AwRwYIKwYBBQUHMAKGO2h0dHA6
Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtY2EvcHViL2NhY2VydC9jYWNlcnQuY3J0
MEcGCCsGAQUFBzAChjtodHRwOi8vY2RwMi5wY2EuZGZuLmRlL2dsb2JhbC1yb290LWNhL3B1
Yi9jYWNlcnQvY2FjZXJ0LmNydDANBgkqhkiG9w0BAQsFAAOCAQEA3rH+7oW8Dj5JvS3ijKWD
ByPxQpZispCRD/tR3Jx/wr/2z5B6NiozII7uAvd9ruZwBG/X4tmb2u+72FsymXJS1E+iffMJ
e18LsSUmE2wC61a/OFinQyVdz2GJJG+T59yEZARvEh+iRvaasX8ox0j80JR2mDwjnSKy1zBY
zk7Hg3gdgCjqAffWt0I/BsiV+mHdOWG/ubljt+j7jsCqBobUixc1wEXwSzzSq+sO5Xn7Mqst
pT2O9JkuCVcxhcKVEDAq6vErEpvJLafwkd5j+lkUaqnPQU8l449+ClRXlRcQUS7fy3C1zpi2
iR1RweUMoybqv7/7H6RU3g+cLiFgssc8fTCCBYEwggRpoAMCAQICBxjW+6gaJIQwDQYJKoZI
hvcNAQELBQAwgYIxCzAJBgNVBAYTAkRFMTkwNwYDVQQKEzBSZWdpb25hbGVzIEhvY2hzY2h1
bHJlY2hlbnplbnRydW0gS2Fpc2Vyc2xhdXRlcm4xFjAUBgNVBAMTDVJIUkstQ0EgLSBHMDIx
IDAeBgkqhkiG9w0BCQEWEWNhQHJocmsudW5pLWtsLmRlMB4XDTE1MDExNTA4NDUxM1oXDTE4
MDExNDA4NDUxM1owTDELMAkGA1UEBhMCREUxJDAiBgNVBAoTG1VuaXZlcnNpdGFldCBLb2Js
ZW56LUxhbmRhdTEXMBUGA1UEAxMOUmFpbmVyIEtyaWVua2UwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC3fk7YzkNprbcZLd1q5RPDhU0s7G4WNk7zlvhn3Qvtw7Dd9WXb+GCU
eDvWmjW5047V/mo+XSvGVow8b2vh8EYTaqrJtlahzKeGdnzx66vfEtG59WOPW4OJjz29wePZ
/SC+ihe/z6eHYlYvd7KNbLYSLrBtHzETfLsQfxA7WrSU49y2tyhWt+uGWpf9KDLXhgDSDXkE
GAlblcnF5Dy1a3s1ovpDz7sGIEtLb10Vmqzkl6ujvrFoC+XCWRA9LUHlGZoRhxMFGTfESQnu
OS4eEbsHbYa6hIl1RM/GOJZ+2f5tTLDwCemVpRgbw/A6VLtrf3BgbUFxV9HVpSDogqerBXSx
AgMBAAGjggIvMIICKzBABgNVHSAEOTA3MBEGDysGAQQBga0hgiwBAQQDAzARBg8rBgEEAYGt
IYIsAgEEAwEwDwYNKwYBBAGBrSGCLAEBBDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNV
HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHQYDVR0OBBYEFMEK3ZjogAOrQN9kqcad7GXo
IV9fMB8GA1UdIwQYMBaAFC/dE5hjXAvDb7jthuADJ8FvurYCMCEGA1UdEQQaMBiBFmtyaWVu
a2VAdW5pLWtvYmxlbnouZGUwfQYDVR0fBHYwdDA4oDagNIYyaHR0cDovL2NkcDEucGNhLmRm
bi5kZS9yaHJrLWNhL3B1Yi9jcmwvZ19jYWNybC5jcmwwOKA2oDSGMmh0dHA6Ly9jZHAyLnBj
YS5kZm4uZGUvcmhyay1jYS9wdWIvY3JsL2dfY2FjcmwuY3JsMIHNBggrBgEFBQcBAQSBwDCB
vTAzBggrBgEFBQcwAYYnaHR0cDovL29jc3AucGNhLmRmbi5kZS9PQ1NQLVNlcnZlci9PQ1NQ
MEIGCCsGAQUFBzAChjZodHRwOi8vY2RwMS5wY2EuZGZuLmRlL3JocmstY2EvcHViL2NhY2Vy
dC9nX2NhY2VydC5jcnQwQgYIKwYBBQUHMAKGNmh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvcmhy
ay1jYS9wdWIvY2FjZXJ0L2dfY2FjZXJ0LmNydDANBgkqhkiG9w0BAQsFAAOCAQEARlGSlU2N
HUZUceWqCORu6GE01oJ4zlhBWzom12dCfDKQWdNh4ENsL/HBFvnXaUxiwBWtCuRtjougXPh0
6lTTgKMpTBvHqjp+YVBJjQiRXG8Pi03uQCgb6GmRn/rsQQCjNEpW0ooR2PeVLQxI8HcjY1Nu
2J7uyaEP9LXl0t1CdqQNtPkfKU6dFA/faZLPKrlDlDQhwwQteqRBu3BraD/vx+9DvHpW8GuY
A9nkm4ajLFZ6aFoHSzNg5B/e0w9ftJ8/QYjsC22B0a348kkYLcG2E7o62ruWHhGBZbPwtjzR
laMp6lVLB9AWMyR6nUMRcyqRrBDKXN9nfxoBJ1qJoCSi4jGCA8swggPHAgEBMIGOMIGCMQsw
CQYDVQQGEwJERTE5MDcGA1UEChMwUmVnaW9uYWxlcyBIb2Noc2NodWxyZWNoZW56ZW50cnVt
IEthaXNlcnNsYXV0ZXJuMRYwFAYDVQQDEw1SSFJLLUNBIC0gRzAyMSAwHgYJKoZIhvcNAQkB
FhFjYUByaHJrLnVuaS1rbC5kZQIHGNb7qBokhDAJBgUrDgMCGgUAoIICETAYBgkqhkiG9w0B
CQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNTA1MDYwODEwNDhaMCMGCSqGSIb3
DQEJBDEWBBQOaEUCiX0JkdS7JKQOQQ5fwk1uBjBsBgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFl
AwQBKjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3
DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGfBgkrBgEEAYI3EAQxgZEwgY4wgYIx
CzAJBgNVBAYTAkRFMTkwNwYDVQQKEzBSZWdpb25hbGVzIEhvY2hzY2h1bHJlY2hlbnplbnRy
dW0gS2Fpc2Vyc2xhdXRlcm4xFjAUBgNVBAMTDVJIUkstQ0EgLSBHMDIxIDAeBgkqhkiG9w0B
CQEWEWNhQHJocmsudW5pLWtsLmRlAgcY1vuoGiSEMIGhBgsqhkiG9w0BCRACCzGBkaCBjjCB
gjELMAkGA1UEBhMCREUxOTA3BgNVBAoTMFJlZ2lvbmFsZXMgSG9jaHNjaHVscmVjaGVuemVu
dHJ1bSBLYWlzZXJzbGF1dGVybjEWMBQGA1UEAxMNUkhSSy1DQSAtIEcwMjEgMB4GCSqGSIb3
DQEJARYRY2FAcmhyay51bmkta2wuZGUCBxjW+6gaJIQwDQYJKoZIhvcNAQEBBQAEggEAVsJa
Q5Cqsn8BeVSV4eg3xkd9Hfq33aZ1HaX5Y8GoA2n4S02eBFtw7t3PuvPjTzL+xNKYsBA2sIL4
skHGmGSsSH6MR4js/cWFh/GiDzjynl12Wo2ses7KR9TwUWtpCDoNyN+gBOONedDxgnBM5e08
oHqNEEdpPuXseJH+Endjrv1uUegIkII7zZQjJVk23RSYIJdWqCuxLrX5uUaaoJbVuq6w9wX8
pOz3EI/5wiaTCzr5dj3mTWsolNesXIrMsfC6DXj8ZKPUh7HLe42p3969aOW7FcVNTwR7kNpL
DrSm3CmEzNR+mwNFLHmTFRwVsNCXi4AG5Ty+jvlBNUa8d7xi3AAAAAAAAA==
--------------ms030304060400000706040706--
--===============1997739312==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--===============1997739312==--
