[36176] in Kerberos
Re: NFSv4 and root access [SOLUTION]
daemon@ATHENA.MIT.EDU (Jaap)
Tue Jun 3 22:17:59 2014
To: kerberos@mit.edu
From: Jaap <jwinius@umrk.nl>
Date: Wed, 4 Jun 2014 02:17:26 +0000 (UTC)
Message-ID: <lmlvjm$a2$3@ger.gmane.org>
On Fri, 30 May 2014 10:57:45 -0500, Matt Garman wrote:
> Then under the [Static] section of idmapd.conf (on the nfsv4 server), I
> have:
> matt/cron@REALM = matt
>
> *** Note that you also need "static" listed as one of your GSS-Methods
> under the [Translation] section of idmapd.conf, i.e.:
>
> [Translation]
> GSS-Methods = nsswitch,static
>
> That one confused me for a while when I was setting this up!
Yes, I have a solution! You practically spelled it out for me, Matt.
Consequently, after just a little more perseverance I hit upon a
configuration that worked for me. In case you're interested (comments
welcome)...
** On the client (hostname: daboia.umrk.nl)
* In /etc/fstab:
cerastes.umrk.nl:/ /nfs nfs4 sec=krb5i,rw,_netdev,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0
* In /etc/idmapd.conf:
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = umrk.nl
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
* The name of the host principal used is:
host/daboia.umrk.nl@UMRK.NL
** On the server (hostname: cerastes.umrk.nl)
* In /etc/fstab:
/data2 /nfs/data2 none bind 0 0
/data4 /nfs/data4 none bind 0 0
* Exported directory structure:
root@cerastes:~# ll /nfs
total 32K
drwxr-xr-x 7 root root 4.0K Jun 4 02:40 ./
drwxr-xr-x 25 root root 4.0K Jun 4 02:39 ../
drwxr-xr-x 2 root root 4.0K Apr 6 11:17 data/
drwxr-xr-x 2 jwinius jwinius 4.0K Jun 4 02:38 data2/
drwxr-xr-x 2 jwinius jwinius 4.0K May 24 16:42 data3/
drwxr-xr-x 2 jwinius jwinius 4.0K Jun 4 02:57 data4/
drwxr-xr-x 2 jwinius jwinius 4.0K Jun 4 02:39 data5/
drwxr-xr-x 2 root root 4.0K Jun 4 03:26 data6/
* In /etc/exports:
/nfs gss/krb5i(ro,no_root_squash,no_subtree_check,crossmnt,fsid=0)
/nfs/data gss/krb5i(ro,no_root_squash,no_subtree_check)
/nfs/data2 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data3 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data4 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data5 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data6 gss/krb5i(rw,root_squash,no_subtree_check)
* In /etc/idmapd.conf:
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = umrk.nl
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Static]
host/daboia.umrk.nl@UMRK.NL = root
[Translation]
GSS-Methods = nsswitch,static
* The name of the host principal used is:
root/cerastes.umrk.nl@UMRK.NL
Note: I could just as well have used 'host/cerastes.umrk.nl@UMRK.NL'
* But, /etc/krb5.keytab also contains key entries for:
nfs/cerastes.umrk.nl@UMRK.NL
After running only a few tests, I noticed that despite how /etc/exports
and the /nfs directory look, I could only write to /nfs/data2 and data4.
That's apparently because these were mounted separately with the 'bind'
option, while /nfs/data, data3 and data5 are either specified in
/etc/exports as 'ro' and/or are actual subdirectories of /nfs. Furthermore,
even though it's also bind-mounted, as root I could not write to
/nfs/data6 because of the 'root_squash' option, so under the right
circumstances that mechanism still works as well.
Oh, and after I've logged into the client myself and written something to
the server, my client automatically obtains a few extra service tickets:
jwinius@daboia:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: jwinius@UMRK.NL
Valid starting Expires Service principal
04/06/2014 03:49 05/06/2014 03:49 krbtgt/UMRK.NL@UMRK.NL
04/06/2014 03:50 05/06/2014 03:49 nfs/cerastes.umrk.nl@
04/06/2014 03:50 05/06/2014 03:49 nfs/cerastes.umrk.nl@UMRK.NL
That seems normal to me. However, I don't see these service tickets
being obtained after I've written stuff as the root user to one of the
exports on the server. Any idea why?
Anyway, in principle it looks like I'm now ready to migrate to NFSv4. :-)
Thanks, Matt!
Cheers,
Jaap
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
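The configuration above hands the client's root account unsquashed root on every export marked no_root_squash, via the [Static] mapping of the client's host principal. The following audit script is an added example, not code from the post or from nfs-utils: it parses /etc/exports and the idmapd.conf [Static] section (sample input constructed from the server config quoted above) and reports, per export, which principals reach the server as root and whether the export is writable.

```python
"""Audit which Kerberos principals get unsquashed root on NFSv4 exports."""
import configparser
import re

# Constructed sample input, taken from the server config quoted in the post.
EXPORTS = """\
/nfs gss/krb5i(ro,no_root_squash,no_subtree_check,crossmnt,fsid=0)
/nfs/data2 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data6 gss/krb5i(rw,root_squash,no_subtree_check)
"""
IDMAPD = """\
[Static]
host/daboia.umrk.nl@UMRK.NL = root
[Translation]
GSS-Methods = nsswitch,static
"""

# One export line: <path> <client>(<comma-separated options>)
EXPORT_RE = re.compile(r"^(\S+)\s+(\S+?)\(([^)]*)\)\s*$")

def parse_exports(text):
    """Return a list of (path, client, set-of-options) for each export line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            raise ValueError("unparsed exports line: " + line)
        path, client, opts = m.groups()
        entries.append((path, client, {o.strip() for o in opts.split(",")}))
    return entries

def static_root_principals(text):
    """Principals that the idmapd [Static] section maps to the local root user."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str                      # keep principal names case-sensitive
    cfg.read_string(text)
    if not cfg.has_section("Static"):
        return set()
    return {p for p, u in cfg.items("Static") if u.strip() == "root"}

def audit(exports_text, idmapd_text):
    """Per export: principals whose root is NOT squashed, and whether it is rw.

    NFS squashes root by default; only an explicit no_root_squash disables it.
    """
    principals = sorted(static_root_principals(idmapd_text))
    report = {}
    for path, client, opts in parse_exports(exports_text):
        unsquashed = "no_root_squash" in opts and "root_squash" not in opts
        report[path] = {"root_principals": principals if unsquashed else [],
                        "writable": "rw" in opts}
    return report
```

Run it against the real files with `audit(open("/etc/exports").read(), open("/etc/idmapd.conf").read())`; any export listed with both a non-empty `root_principals` and `writable` true is one where a compromised client host key yields root-level writes on the server.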