NFS4 and GSSAPI

Kevin Coffman kwc at citi.umich.edu
Mon Aug 27 12:01:43 EDT 2007


On 8/27/07, Lukas Hejtmanek <xhejtman at ics.muni.cz> wrote:
> Hello,
>
> I have some difficulties when trying GSS and NFSv4.
>
> I have a server with LDAP and an NFSv4 server.
>
> On my server, I tested my LDAP configuration with the libtest util:
> ./libtest xhejtman at META xhejtman at META
> nfs4_gss_princ_to_ids: princ xhejtman at META has uid 20000 gid 20000
> nfs4_name_to_uid: name xhejtman at META has uid 20000
> nfs4_name_to_gid: name xhejtman at META has gid 20000
> nfs4_uid_to_name: uid 20000 has name xhejtman at META
> nfs4_gid_to_name: gid 20000 has name xhejtman at META
>
> (the same works on the client)
>
> I have the following data in the exported directory:
> /opt/exports# ls -l
> total 0
> drwx------ 2 20000 20000 6 2007-08-21 16:38 dir
> drwxr-xr-x 2 root  root  6 2007-08-21 16:40 dir1
> -rw-r--r-- 1 20000 20000 0 2007-08-21 16:38 file
> -rw-r--r-- 1 root  root  0 2007-08-21 16:38 file1
>
> This is what /etc/exports looks like:
> /opt/exports    gss/krb5(rw,fsid=0,no_subtree_check)
> /opt/exports    gss/krb5i(rw,fsid=0,no_subtree_check)
> /opt/exports    gss/krb5p(rw,fsid=0,no_subtree_check)
>
> On the client, I mounted the NFS directory on /mnt:
> cache04.video.muni.cz:/ on /mnt type nfs4
> (rw,sec=krb5i,addr=147.251.11.143,addr=147.251.11.143)
>
> I have KRB5 tickets (still valid):
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: xhejtman at META
>
> Valid starting     Expires            Service principal
> 08/21/07 16:40:36  08/22/07 16:40:36  krbtgt/META at META
>        renew until 08/22/07 16:42:35
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> But I'm unable to enter my directory:
> cache03:/mnt# cd dir
> -bash: cd: dir: Permission denied
>
> (entering dir1 works)

You are running as root on the client.  All accesses as root currently
use the machine credentials (nfs/<machine>@REALM), not those in
/tmp/krb5cc_0.  nfs-utils-1.0 has a work-around for this (-n option).
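
The following is an added illustration, not code from this thread or from nfs-utils: it models the credential rule described in the reply against the directory listing quoted in the question, to show why `dir` is denied while `dir1` works. The function names are hypothetical, and it assumes the server maps the machine principal to an anonymous id (65534 here).

```python
# Listing constructed from the `ls -l` output quoted in the post.
LISTING = """\
drwx------ 2 20000 20000 6 2007-08-21 16:38 dir
drwxr-xr-x 2 root  root  6 2007-08-21 16:40 dir1
-rw-r--r-- 1 20000 20000 0 2007-08-21 16:38 file
-rw-r--r-- 1 root  root  0 2007-08-21 16:38 file1
"""

ANON_ID = 65534           # assumption: id the server gives the machine principal
NAME_TO_ID = {"root": 0}  # names that `ls -l` printed symbolically


def parse_listing(text):
    """Return {name: (mode_string, owner_id, group_id)} from ls -l lines."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        owner, group = (int(s) if s.isdigit() else NAME_TO_ID[s] for s in f[2:4])
        entries[f[-1]] = (f[0], owner, group)
    return entries


def server_identity(client_uid, ticket_ids, gssd_n_option=False):
    """(uid, gid) the server acts as for a request from client_uid.

    ticket_ids is the (uid, gid) that the principal in /tmp/krb5cc_<client_uid>
    maps to. Per the reply, uid 0 uses nfs/<machine>@REALM instead of its
    ticket cache unless gssd runs with the -n work-around.
    """
    if client_uid == 0 and not gssd_n_option:
        return (ANON_ID, ANON_ID)
    return ticket_ids


def can_enter(entry, identity):
    """True if identity holds the search (x) bit on a directory entry."""
    mode, owner, group = entry
    if mode[0] != "d":
        return False
    uid, gid = identity
    if uid == owner:
        bits = mode[1:4]
    elif gid == group:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return bits[2] in "xst"
```
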