Hi,

I'm struggling with getting the permissions on an NFS share right.
Mounting the NFS share on my client works. Read/write access as user
'root' works, and read access as user 'mail' works as well after I
successfully authenticated at the Kerberos server as that user 'mail'.
Kerberos server and NFS server are the same machine.

Only write-access to the NFS share as user 'mail' doesn't work. The
share directory is owned by 'mail:mail' both on the server and on the
client. UID and GID are the same (8) for 'mail' on server and client.

What am I missing here?

svr# cat /etc/exports
/export                 XXX.XX.XX.XXX(sec=krb5i,rw,sync, \
                        no_subtree_check,no_root_squash,fsid=0)
/export/vmail           XXX.XX.XX.XXX(sec=krb5i,rw,sync, \
                        no_subtree_check,no_root_squash)
svr# showmounts --exports
/export/vmail       XXX.XX.XX.XXX
/export             XXX.XX.XX.XXX
svr# ls -ald /export/vmail
drwxr-xr-x 3 mail mail 4096 Jun 28 12:58 /export/vmail

clt# grep vmail /etc/fstab
nfs-server:/vmail /var/vmail            nfs4    sec=krb5i 0     0
clt# mount | grep vmail
nfs-server:/vmail on /var/vmail type nfs4 (rw,relatime,vers=4.0, \
        rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0, \
        timeo=600,retrans=2,sec=krb5i,clientaddr=XXX.XX.XX.XXX, \
        local_lock=none,addr=XXX.XX.XX.XXX)
clt# ls -ald /var/vmail
drwxrwsr-x 2 mail mail 4096 Oct 17  2014 /var/mail

root@clt# echo test >/var/vmail/test.txt
root@clt# cat /var/vmail/test.txt
test
root@clt# su -s /bin/sh -c "cat /var/vmail/test.txt" mail
test
root@clt# su -s /bin/sh -c "touch /var/vmail/test" mail
touch: cannot touch ‘/var/vmail/test’: Permission denied

The Kerberos ticket for local user 'mail' is managed by k5start:

clt# ps -ef |grep k5start | grep mail
root   8965  1  0 16:04 ?     00:00:00 /usr/bin/k5start -u \
        mail/nfs-client -o mail -p /var/run/k5start-mail.pid -b \
        -f /etc/krb5.keytab -L -K 30

I don't understand why I don't have write access to the share as client
user 'mail' (authenticated to Kerberos server as 'mail/nfs-client').

