[36955] in Kerberos


Re: username/cron principals and cron

daemon@ATHENA.MIT.EDU (Rainer Krienke)
Wed May 6 10:05:15 2015

Message-ID: <554A1F87.3090406@uni-koblenz.de>
Date: Wed, 06 May 2015 16:04:55 +0200
From: Rainer Krienke <krienke@uni-koblenz.de>
To: kerberos@mit.edu
In-Reply-To: <5549CC88.7080303@uni-koblenz.de>

Hello,

I think I found the answer to this problem:

   Start a cronjob using a username/cron@REALM principal for a user who
   has his home on a NFS4/kerberos directory and who wants to access his
   home directory from within the cron job.


The solution has been discussed earlier here, I found the helpful hints
here in the archive:

http://search.gmane.org/?query=kerberos+%26+cron+-+specifically+nfsv4+w%2Fsec%3Dkrb5p&group=gmane.comp.encryption.kerberos.general

After all the cron-principal is just handled like NFS4 root access. In
this case the client sends nfs/machine.domain@REALM as principal to the
NFS server which can be rewritten to root in /etc/idmapd.conf by adding
a line like

nfs/machine.domain@REALM = root   # allow NFS root access

in the static section. For the cron-principal things are very similar.
The principal visible at the NFS server for idmapping is simply
username/cron@REALM and can be rewritten to e.g. username so that a
cronjob authenticated with the help of this cron principal can also
write to NFS4 filesystems as unix user "username". So in this case you
add a line to /etc/idmapd.conf's static section like:

username/cron@REALM = username

I think you only have to do this on the NFS4 server. At the moment I
have this mapping on both NFS server and client but I guess configuring
it on the server should be sufficient.

Thanks
Rainer

On 06.05.2015 at 10:10, Rainer Krienke wrote:
> Hello to everyone,
>
> thank you Frank and thank you Robert for your answers. I tried to find
> out more. Being root on a NFS4 client I ran the following commands with
> different results. Before I tried this I commented out my auth_to_local
> rules from /etc/krb5.conf:
>
>
> # su username -c "/usr/bin/kinit username/cron@MYREALM; touch
> /home/username/xx"
> Password for username/cron@MYREALM: ******
> touch: cannot touch `/home/username/xx': Permission denied
>
> and after a reboot of the NFS client and after kdestroying all the
> /tmp/krb5_* caches I ran this:
>
> # su username -c "/usr/bin/kinit username@MYREALM; touch /home/username/xx"
> Password for username@MYREALM: ******
> # <success: no error message>
>
> So using principal username/cron@MYREALM does not permit the unix user
> username to write to NFS while principal username@MYREALM does.
>
> Behind the scene there is an ldap server that NFS client and server are
> configured to use in order to find out e.g. the uid of user "username" for
> id mapping. Running a getent passwd username returns on both sides the
> same entry with the same unix uid and gid.
>
> So the question for me is, should a principal "username/cron" be
> automatically mapped to a local unix user "username" so that
> "username" is then allowed to access a NFS4 mounted directory that
> belongs to "username"? This is what does not work for me at the moment.
>
> Does anyone have such a setup that's working? Is perhaps some kind of
> flag needed for the kerberos cron-principal to make it work?
> If I try to play around with auth_to_local rules, which to my
> understanding are meant for this purpose, where do I have to define
> them? On the NFS client, the NFS Server or the Kerberos Server or on all
> of them?
>
> Thanks a lot
> Rainer
>
> On 05.05.2015 at 16:43, Frank Cusack wrote:
>> I'm surprised you need a mapping at all.  The default mapping should
>> simply strip any instance component.  What happens if you kinit
>> "manually" with username/cron using a password?
>>
>> On Tue, May 5, 2015 at 4:24 AM, Rainer Krienke <krienke@uni-koblenz.de
>> <mailto:krienke@uni-koblenz.de>> wrote:
>>
>>     Hello,
>>
>>     I am setting up a kerberos/NFS4 environment. Basically everything seems
>>     to work. Every user has of course a principal username@MYREALM, where
>>     username is the unix user name. The users homes are on a kerberos/NFS4
>>     mounted directory.
>>
>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse  1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
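
The static idmapd mapping Rainer arrives at above, worked through as an added example (not code from the thread or from nfs-utils): a small parser for the [Static] section of /etc/idmapd.conf and a resolver that applies it to the principals discussed in the thread. The fallback for unmapped principals is a simplified model of the default behaviour (an assumption for illustration, not nfsidmap's actual code), chosen to reproduce what Rainer observed: a plain username@REALM resolves, while username/cron@REALM without a static entry does not.

```python
import re

# Constructed sample /etc/idmapd.conf in the shape Rainer describes.
# Realm and host names are placeholders, not taken from a real deployment.
IDMAPD_CONF = """\
[General]
Domain = example.org

[Translation]
Method = static,nsswitch

[Static]
nfs/machine.domain@REALM = root   # allow NFS root access
username/cron@REALM = username
"""


def parse_static_section(conf: str) -> dict:
    """Return the principal -> local user table from the [Static] section."""
    mapping, section = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "static" and "=" in line:
            principal, user = (s.strip() for s in line.split("=", 1))
            mapping[principal] = user
    return mapping


def map_principal(principal: str, static: dict, local_realm: str) -> str:
    """Resolve a GSS principal to a local user name; 'nobody' if unmapped.

    Simplified model (assumption): an explicit [Static] entry wins; otherwise
    only a plain user@REALM in the local realm maps to 'user'. A principal
    with an instance component such as username/cron is left unmapped, which
    is the "Permission denied" case from the thread.
    """
    if principal in static:
        return static[principal]
    name, _, realm = principal.partition("@")
    if realm == local_realm and "/" not in name:
        return name
    return "nobody"
```

Running the resolver with and without the static table shows exactly why the cron principal needs the extra line on the NFS server.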
