On Thu, Nov 18, 2010 at 10:07 AM, Valentijn Sessink <valentyn@xxxxxxxx> wrote: > Hi Kevin, > > Kevin Coffman schreef: >>>> On your server, you can map "host/client.machine@REALM" to root. (Or >>>> "nfs/client.machine@REALM" or "root/client.machine@REALM", depending >>>> on what key you have on the client.) >>> As far as I can see, that would mean that anyone >>> with root rights on the client (thus being able to read the machine >>> keys) would have root rights on the server share, wouldn't it? >> Isn't that the equivalent of no_root_squash? (root on the client == >> root on the server) > > It used to be, when local UID = server UID was the fine way of > authenticating - but with KRB authentication, the idea is that you > authenticate to the server. > > To summarize: when your UID=0 on the client, you cannot be root at the > server, because UID=0 is handled differently by gssd. Actually, in the case of UID=0, the client's machine credentials are used. You can map that Kerberos principal to root on the server. So this _is_ possible. > If you have any > other UID, you can map this to UID=0 on the server - either by using > "kinit root" at the client, or by setting up a specific mapping for > libnfsidmap. Creating a "root" Kerberos principal is discouraged. (You might, however, have a "root/<fqdn>" principal -- that you could use for machine credentials.) K.C. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
