[38593] in Kerberos
Correct way to provide access to kerberised NFS services to
daemon@ATHENA.MIT.EDU (Laura Smith)
Fri Aug 2 18:25:21 2019
Date: Fri, 02 Aug 2019 22:24:58 +0000
To: "kerberos@mit.edu" <kerberos@mit.edu>
From: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>

I have an NFS share which I am mounting as follows in the fstab:

    foo.example.com:/srv/share/foo /mnt/foo nfs4 defaults,sec=krb5p,noexec,nosuid,_netdev,auto 0 0

On the server, exports reads as follows:

    /srv/share/backups/foo foo.example.com(rw,sync,sec=krb5p,all_squash,subtree_check,anonuid=473,anongid=474)

The NFS share mounts perfectly on the client.
Root can read/write/delete from the share perfectly.
But a "standard" user can't do anything, e.g.

    /mnt$ ls
    ls: cannot access 'foo': Permission denied

The purpose of this share is to, for example, allow system services running as lesser users to save files. Therefore non-root access is key.

So what is the correct way to allow system/daemon service users to get a Kerberos ticket to gain access to the NFS share (which I assume is the underlying problem here)?

Obviously a daemon cannot be expected to do a normal Kerberos login.

Or are there better ways to mount an NFS share at system level for all users to access?

I'm guessing more than one person here has come across the problem.