-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gssproxy breaks no_root_squash export option with knfsd #66
Comments
Yes, you can map the machine keytab to root in krb5.conf auth_to_local facility. Add somethign like this to the auth_to_local rules in the REALM section under [realms]:
This would map a princiapl of host/[email protected] to the user root. |
See auth_to_local diretive here: https://web.mit.edu/kerberos/krb5-1.20/doc/admin/conf_files/krb5_conf.html#realms |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Trying to test krb5 NFS exports with the "no_root_squash" export option, but it's not working and any request from root on the client ends up getting squashed to nobody. The client defaults to using the machine credentials for the root account (nfs/@realm).
The server kernel upcalls to gssproxy to ACCEPT_SEC_CONTEXT for the client's machine cred. It fails to match that to a local account on the server, and downcalls with the uid and gid set to -1. The kernel then just assumes that the account doesn't exist and maps it to "nobody".
I think for nfsd, we need for machine creds to be reported at uid=0/gid=0 and allow the kernel to decide whether to squash them or not. Is there an option for this already in gssproxy?
The text was updated successfully, but these errors were encountered: