On 12/25/18 5:50 PM, Grant Taylor via cctalk wrote:
> Do any fellow cctalk / cctech subscribers have any experience with NFS, particularly in combination with Kerberos authentication?

After much toil and tribulation, I've managed to get things working.

> I'm messing with something that is making me think that Kerberos authentication (sec=krb5{,i,p}) usurps no_root_squash.

I've found that no_root_squash is still equally as applicable in Kerberized NFS as it is in non-Kerberized NFS. no_root_squash actually still does the same thing in Kerberized NFS.

I figured out (by grinding through possible options) that I needed to do the following:

Add a new principal, root/host.sub.domain.tld, and add it to host's (system wide) keytab file.

I also needed to configure and enable translations in the /etc/idmapd.conf file /on/ /the/ /NFS/ /server/.

--8<--
[Static]
root/host.sub.domain.tld = root

[Translation]
GSS-Methods = static,nsswitch
-->8--

Hopefully this will help someone trying to do something similar in the future.

Now, services running as root (sshd) are able to read files (authorized_keys) that root doesn’t have permission to read (owned by user and 0600) on an NFS mount (/home) that is using Kerberos authentication.



--
Grant. . . .
unix || die
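As an added example (not part of the post above), here is a small check of the server-side idmapd.conf settings the post describes: that GSS-Methods includes static and that the root/host principal is statically mapped to the local root user. The host name host.sub.domain.tld is the placeholder from the post, and the two config fragments are constructed samples.

```python
"""Check an idmapd.conf fragment for the two settings the post relies on.

Added example, not part of the original mailing-list post. The host name
is the post's placeholder, not a real system.
"""
import configparser
from typing import List

# Constructed sample: the server-side idmapd.conf from the post.
WORKING_CONF = """
[Static]
root/host.sub.domain.tld = root

[Translation]
GSS-Methods = static,nsswitch
"""

# Constructed sample: the same file before the fix, nsswitch only.
BROKEN_CONF = """
[Translation]
GSS-Methods = nsswitch
"""


def parse_idmapd(text: str) -> configparser.ConfigParser:
    """Parse idmapd.conf; keep option case so 'GSS-Methods' survives."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # do not lowercase option names
    cp.read_string(text)
    return cp


def check_root_principal_mapping(text: str, host_fqdn: str) -> List[str]:
    """Return findings (empty list means the root mapping should work).

    On a Kerberized export with no_root_squash, root-owned services on the
    client present the root/<fqdn> principal.  idmapd must translate that
    principal to the local 'root' user; an untranslatable principal is
    treated as the nobody user, so no_root_squash appears to have no effect.
    """
    cp = parse_idmapd(text)
    findings: List[str] = []
    methods_raw = cp.get("Translation", "GSS-Methods", fallback="")
    methods = [m.strip() for m in methods_raw.split(",") if m.strip()]
    if "static" not in methods:
        findings.append("GSS-Methods does not include 'static'")
    principal = f"root/{host_fqdn}"
    mapped = cp.get("Static", principal, fallback=None)
    if mapped is None:
        findings.append(f"[Static] has no entry for {principal}")
    elif mapped.strip() != "root":
        findings.append(f"{principal} maps to {mapped!r}, not 'root'")
    return findings
```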