Hi Simo,

Thanx for the quick answer, i will consider the root implications.
However, what about pulse audio not working ?
The logs complain about that one not beeing able to write in home as well.


2014-06-20 18:27 GMT+02:00 Simo Sorce <s...@redhat.com>:
> On Fri, 2014-06-20 at 18:02 +0200, Rob Verduijn wrote:
>> Hello,
>> I'm a bit at loss with my freeipa kerberized nfs4 shares.
>> the nfs4 shares mount fine and users can read and write their files.
>> However pulse audio does not work properly, and some programs fail to start.
>> When logging in with a local account using a local homedrive
>> pulseaudio works, and the programs also work.
>> Also oddjob is not capable of creating a home dir for a new user.
>> root is not allowed to write in the home mount on the client (mkdir
>> test and touch test get a Permission denied)
>> I don't think its selinux, because setenforce 0 on the nfs-server and
>> setenforce 0 on the nfs client did not help.
> Indeed it is not selinux nor anything client related, when you use
> kerberized NFSv4 *all* accesses including root must be authenticated.
> When your "local" root user tries to access the mount point, either it
> cannot authenticate or it uses the system keytab to authenticate, in
> both cases, w/o further configuration on the server these accesses are
> mapped to the nobody user or refused outright.
> If you really want to trust *every* client to have full *root* access on
> your server then you need to make sure the client is using the host
> keytab when acting as root (default unless you pass -n to rpc.gssd) then
> you need to map explicitly the client's hosts keys to the root account
> on the server.
> add:
>  host/client.host.name@YOUR.REALM = root
> in the [static] section of idmapd.conf
> See idmapd.conf(5) for details.
>> freeipa policies seem to be working fine, sudo rules are applied the
>> way I expect them.
>> Logging in on all the machines works, automounting works like a charm,
>> except for the situations described above.
>> server details are below
>> Anybody who can tell me what I've missed ?
> What you've missed is simply that clients are not allowed to act as root
> on NFS mounts by default, it's a security issue, because a compromised
> client can then do what it want's with all NFS shared data regardless of
> user permissions.
> HTH,
> Simo.
> --
> Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to