Hi Kevin,

Kevin Coffman wrote:
>>> On your server, you can map "host/client.machine@REALM" to root. (Or
>>> "nfs/client.machine@REALM" or "root/client.machine@REALM", depending
>>> on what key you have on the client.)
>> As far as I can see, that would mean that anyone
>> with root rights on the client (thus being able to read the machine
>> keys) would have root rights on the server share, wouldn't it?
> Isn't that the equivalent of no_root_squash? (root on the client ==
> root on the server)

It used to be, when local UID = server UID was the fine way of
authenticating - but with KRB authentication, the idea is that you
authenticate to the server.

To summarize: when your UID=0 on the client, you cannot be root at the
server, because UID=0 is handled differently by gssd. If you have any
other UID, you can map this to UID=0 on the server - either by using
"kinit root" at the client, or by setting up a specific mapping for
libnfsidmap.

Thanks for your help.

Best regards,

Valentijn
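Added example, not part of the original message or of the nfs-utils code: a small audit of a server's idmapd.conf that lists every principal mapped to a UID 0 account and marks the machine principals ("host/", "nfs/", "root/") the thread is concerned with. It assumes the mapping is done with libnfsidmap's static method (`[Static]` section); the sample file, realm and function name are constructed for illustration.

```python
import configparser

# Constructed sample idmapd.conf for an NFS server (not taken from the thread).
SAMPLE_IDMAPD_CONF = """\
[General]
Domain = example.org

[Translation]
GSS-Methods = static,nsswitch

[Static]
# machine principal mapped to root: the case discussed in the thread
host/client.machine@EXAMPLE.ORG = root
nfs/build01.example.org@EXAMPLE.ORG = nfsnobody
admin@EXAMPLE.ORG = root
alice@EXAMPLE.ORG = alice
"""

# First name components the thread lists for keys held in a client keytab.
# Heuristic only: a "root/<instance>" principal could also belong to a person.
MACHINE_PREFIXES = ("host", "nfs", "root")


def audit_static_root_mappings(conf_text, uid0_names=("root",)):
    """Return (principal, local_user, kind) for each [Static] entry whose
    local account is in uid0_names (accounts known to have UID 0)."""
    parser = configparser.ConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"),
        interpolation=None, strict=False)
    parser.optionxform = str  # keep principal names case-sensitive
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if section.lower() != "static":
            continue
        for principal, local_user in parser.items(section):
            local_user = local_user.strip()
            if local_user not in uid0_names:
                continue
            first, sep, _ = principal.split("@", 1)[0].partition("/")
            kind = "machine" if sep and first in MACHINE_PREFIXES else "user"
            findings.append((principal, local_user, kind))
    return findings


if __name__ == "__main__":
    for principal, user, kind in audit_static_root_mappings(SAMPLE_IDMAPD_CONF):
        print(f"{kind:8} {principal} -> {user}")
```

A "machine" finding means that whoever can read that client's keytab acts as root on the export; a "user" finding requires a separate authentication such as "kinit".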