On Wed, Nov 17, 2010 at 5:51 AM, Valentijn Sessink <v.sessink@xxxxxxxxxxxxx> wrote:
> Valentijn Sessink wrote:
>> http://www.unix-info.org/nfsV4_howto_.txt that says that there is "no
>> proper mapping between root and the GSSAuthName";
>
> The gssd man page says:
>
> ``By default, rpc.gssd treats accesses by the user with UID 0 specially,
> and uses "machine credentials" for all accesses by that
> user which require Kerberos authentication. With the -n option,
> "machine credentials" will not be used for accesses by UID 0.
> Instead, credentials must be obtained manually like all other users.
> Use of this option means that "root" must manually obtain
> Kerberos credentials before attempting to mount an nfs filesystem
> requiring Kerberos authentication.''
>
> That - sort of - answers the question: I'm being held for a machine.
>
> A bit odd is that I can be root on the share by using root's
> credentials from within another UID (because technically, your Kerberos
> login is just a way to map your local user ID to the server's user ID):
>
> root@host32:~# su - adam
> No directory, logging in with HOME=/
> adam@host32:/$ kinit root
> root@xxxxxxxxxxxxxxx's Password:
> adam@host32:/$ cd /home/
> adam@host32:/home$ touch file
> adam@host32:/home$ ls -al file
> -rw-rw-r-- 1 root root 0 2010-11-17 11:28 file
>
> On the server, "file" is also owned by root:root. So you can be root,
> but not as root. (And if "adam" logs in to host32 shortly after our
> exercise, he will be pleasantly surprised to see that he owns
> everything on /home - although this will turn out to be a sort of King
> Midas' touch, because on next login, the cached UID mapping will long be
> forgotten and he won't be able to access all those documents owned by
> root...)
>
> Final question: having seen the gssd page, I don't think there's a way
> for "root" on the local machine to have root rights on the server, or is
> there? (Having to get manual kerberos credentials to mount /home, with
> the "-n" switch, is not an option).

Did you see my message about "static" mapping for libnfsidmap?

On your server, you can map "host/client.machine@REALM" to root. (Or
"nfs/client.machine@REALM" or "root/client.machine@REALM", depending on
what key you have on the client.)

K.C.
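The "static" mapping K.C. refers to lives in the server's idmapd.conf. The fragment below is an added example for readers of this thread, not configuration posted by either participant; client.machine, REALM and example.com are placeholders for the client's real host name, Kerberos realm and NFSv4 domain.

```ini
# /etc/idmapd.conf on the NFS server (added example, not from the thread).
# Placeholders: client.machine = the client's FQDN, REALM = its Kerberos
# realm, example.com = the NFSv4 id-mapping domain shared by client and server.

[General]
Domain = example.com

[Translation]
# List "static" ahead of "nsswitch" so a principal is checked against the
# [Static] table first; everything else still falls through to nsswitch,
# which maps user@REALM to the local account "user" as usual.
Method = static,nsswitch

[Static]
# Map the client's machine credential, which rpc.gssd presents for all
# UID 0 traffic, to the local root account. Only one of these principals
# is actually in the client's keytab; map the one rpc.gssd will use and
# leave the others commented out.
host/client.machine@REALM = root
# nfs/client.machine@REALM = root
# root/client.machine@REALM = root
```

Two things to check after adding this. First, rpc.idmapd (or the kernel's idmap cache) must be restarted or flushed on the server, otherwise the old "nobody" mapping for that principal keeps being served until it expires. Second, the mapping only turns the machine principal into UID 0; the export's own root_squash option is applied after that, so the export needs no_root_squash for the client's root to actually be root on the server. Note what this grants: whoever holds the client's keytab is root on that export from any host that can reach the server, which is the mirror image of the experiment in the quoted message, where the root principal's password gave root ownership of files from an unprivileged UID.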