I have the following setup:
NFS4 server on Debian Buster, Kerberos server on the same machine, no LDAP or AD. The hostname is bohr.digital.
List of principals:
kadmin/admin@DIGITAL
kadmin/bohr.digital@DIGITAL
kadmin/changepw@DIGITAL
kiprop/bohr.digital@DIGITAL
krbtgt/DIGITAL@DIGITAL
nfs/bohr.digital@DIGITAL
nfs/drag0n.digital@DIGITAL
root/admin@DIGITAL
Contents of /etc/krb5.keytab:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------
2 host/bohr.digital@DIGITAL (aes256-cts-hmac-sha1-96)
2 host/bohr.digital@DIGITAL (aes128-cts-hmac-sha1-96)
2 nfs/bohr.digital@DIGITAL (aes256-cts-hmac-sha1-96)
2 nfs/bohr.digital@DIGITAL (aes128-cts-hmac-sha1-96)
The NFS server is configured with the following options:
/etc/default/nfs-common:
NEED_IDMAPD=yes
NEED_GSSD=yes
/etc/default/nfs-kernel-server:
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids --debug all --no-nfs-version 3"
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS="-vvv"
Contents of /etc/idmapd.conf:
[General]
Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
Domain = digital
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
Contents of /etc/exports:
/export/QkiZMonsteR 192.168.12.0/24(fsid=2271b4c3-772c-4c6e-977c-6f50e328358e,rw,subtree_check,insecure,sec=krb5:krb5i:krb5p)
/export 192.168.12.0/24(ro,fsid=0,root_squash,no_subtree_check,hide,sec=krb5:krb5i:krb5p)
Here is the config of the NFS client named drag0n.digital.
Contents of /etc/krb5.keytab:
KVNO Principal
---- ---------------------------------------------
4 nfs/drag0n.digital@DIGITAL (aes256-cts-hmac-sha1-96)
4 nfs/drag0n.digital@DIGITAL (aes128-cts-hmac-sha1-96)
/etc/idmapd.conf is the same as on the NFS server.
The NFS share mounts without problems, but ownership of files is mapped to nobody. This is how the mount point looks:
drwxrwsr-x 1 nobody users 492 Dec 5 00:20 nfs/
and the contents of the mount point:
drwxr-xr-x 1 nobody 4294967294 246 Dec 6 00:22 BACKUP/
-rw------- 1 nobody 4294967294 381646 Feb 8 2017 Bookmarks
drwxrws--- 1 nobody users 590 Dec 2 22:28 Dokumenty/
-rw------- 1 nobody 4294967294 245760 Aug 18 2020 qkiz.xdb
drwxrwxr-x 1 nobody 4294967294 52 Oct 15 00:13 VMware/
What do I need to change to authenticate as a specific user on the NFS server?