On Thu, Nov 18, 2010 at 10:27:02AM -0500, Kevin Coffman wrote: > On Thu, Nov 18, 2010 at 10:07 AM, Valentijn Sessink <valentyn@xxxxxxxx> wrote: > > Hi Kevin, > > > > Kevin Coffman schreef: > >>>> On your server, you can map "host/client.machine@REALM" to root. Â(Or > >>>> "nfs/client.machine@REALM" or "root/client.machine@REALM", depending > >>>> on what key you have on the client.) > >>> As far as I can see, that would mean that anyone > >>> with root rights on the client (thus being able to read the machine > >>> keys) would have root rights on the server share, wouldn't it? > >> Isn't that the equivalent of no_root_squash? Â(root on the client == > >> root on the server) > > > > It used to be, when local UID = server UID was the fine way of > > authenticating - but with KRB authentication, the idea is that you > > authenticate to the server. > > > > To summarize: when your UID=0 on the client, you cannot be root at the > > server, because UID=0 is handled differently by gssd. > > Actually, in the case of UID=0, the client's machine credentials are > used. You can map that Kerberos principal to root on the server. So > this _is_ possible. Also, the kernel and the gssd upcall should distinguish between "machine" and "root" now. I don't know if gssd's using that information. --b. > > > If you have any > > other UID, you can map this to UID=0 on the server - either by using > > "kinit root" at the client, or by setting up a specific mapping for > > libnfsidmap. > > Creating a "root" Kerberos principal is discouraged. (You might, > however, have a "root/<fqdn>" principal -- that you could use for > machine credentials.) > > K.C. > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
