[36174] in Kerberos
Re: NFSv4 and root access
daemon@ATHENA.MIT.EDU (Matt Garman)
Tue Jun 3 12:20:37 2014
In-Reply-To: <lmkr94$a2$1@ger.gmane.org>
Date: Tue, 3 Jun 2014 11:20:04 -0500
Message-ID: <CAJvUf-Ded=JZEvd+5yJD8ex2aw5=Ud19WmtcoLFYE-u2NA2PyA@mail.gmail.com>
From: Matt Garman <matthew.garman@gmail.com>
To: Jaap <jwinius@umrk.nl>
Cc: kerberos@mit.edu
On Tue, Jun 3, 2014 at 10:57 AM, Jaap <jwinius@umrk.nl> wrote:
> On Tue, 03 Jun 2014 10:08:29 -0500, Matt Garman wrote:
>
>> ... on my nfs client machines (which is several dozen), I
>> haven't even touched the /etc/idmapd.conf file.
>
> That's interesting. However, my experience is that if I don't run
> rpc.idmapd on the clients with at least "Domain = <mydomain>" in
> idmapd.conf, the files and directories in my mounted exports are all
> owned by nobody.nogroup. How do you prevent that?

Sorry, my mistake, you are correct. Indeed, I *do* modify the
/etc/idmapd.conf files on all the client machines. (This is done via
an automatic setup script when building up client machines, so it
slipped my mind.)

So, now, looking at the diff of my custom client-side /etc/idmapd.conf
versus my distro (CentOS 5.7) default, I make the following changes:

    Domain = <mydomain>
    Nobody-User = nfsnobody # default is nobody
    Nobody-Group = nfsnobody # default is nobody

Going from memory, those last two changes might be specific to CentOS.

During my initial setup of all this, I additionally had Verbosity = 1
(but that's just a logging thing, doesn't change any behavior).

Apologies for the confusion!

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
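
Added example (not part of the original message or of any project's code): a small audit for the client-side idmapd.conf settings discussed above, useful for catching a client whose setup script never ran before its mounts show up owned by the nobody account. The function name, the sample file contents, the domain example.com and the account sets are constructed for illustration.

```python
import configparser

def audit_idmapd(conf_text, expected_domain, local_users, local_groups):
    """Return a list of findings for one client's idmapd.conf contents."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    inline_comment_prefixes=("#",))
    cfg.read_string(conf_text)
    findings = []

    # Domain lives in [General]; a commented-out line counts as unset.
    domain = cfg.get("General", "Domain", fallback=None)
    if domain is None:
        findings.append("Domain is not set in [General]")
    elif domain.strip().lower() != expected_domain.lower():
        # Case-insensitive comparison is an assumption of this example.
        findings.append(f"Domain is {domain!r}, expected {expected_domain!r}")

    # The fallback accounts live in [Mapping]; per the message above the
    # default is "nobody", which may not exist on the client.
    for key, known in (("Nobody-User", local_users),
                       ("Nobody-Group", local_groups)):
        name = cfg.get("Mapping", key, fallback="nobody").strip()
        if name not in known:
            findings.append(f"{key} = {name!r} is not a local account")
    return findings

# Constructed sample: a client configured as described in the message.
CONFIGURED = """[General]
Verbosity = 1
Domain = example.com
[Mapping]
Nobody-User = nfsnobody  # default is nobody
Nobody-Group = nfsnobody
"""
# Constructed sample: a client still on an untouched default-style file.
UNTOUCHED = """[General]
#Domain = local.domain.edu
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
"""
ACCOUNTS = {"root", "nfsnobody"}  # constructed; on a real host use pwd/grp

if __name__ == "__main__":
    for label, text in (("configured", CONFIGURED), ("untouched", UNTOUCHED)):
        print(label, audit_idmapd(text, "example.com", ACCOUNTS, ACCOUNTS))
```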