gssproxy breaks no_root_squash export option with knfsd

[jtlayton]

Trying to test krb5 NFS exports with the "no_root_squash" export option, but it's not working and any request from root on the client ends up getting squashed to nobody. The client defaults to using the machine credentials for the root account (nfs/@realm).

The server kernel upcalls to gssproxy to ACCEPT_SEC_CONTEXT for the client's machine cred. It fails to match that to a local account on the server, and downcalls with the uid and gid set to -1. The kernel then just assumes that the account doesn't exist and maps it to "nobody".

I think for nfsd, we need for machine creds to be reported at uid=0/gid=0 and allow the kernel to decide whether to squash them or not. Is there an option for this already in gssproxy?

[simo5]

Yes, you can map the machine keytab to root in krb5.conf auth_to_local facility.

Add somethign like this to the auth_to_local rules in the REALM section under [realms]:

RULE:[2:$1;$2](^host;my.keytab.hostname$)s/^.*$/root/

This would map a princiapl of host/[email protected] to the user root.

[simo5]

See auth_to_local diretive here: https://web.mit.edu/kerberos/krb5-1.20/doc/admin/conf_files/krb5_conf.html#realms