NFSv4 + Kerberos + users

Kevin Coffman kwc at citi.umich.edu
Tue Jun 5 12:15:26 EDT 2007


On 6/5/07, zoltan.menyhart at libertysurf.fr
<zoltan.menyhart at libertysurf.fr> wrote:
> Hi,
>
> I've set up NFSv4 + Kerberos according to the guide on page
> http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html
> using nfs-utils-1.0.11 + nfs-utils-1.0.11-CITI_NFS4_ALL-1.dif
> and linux-2.6.19-rc6 + linux-2.6.19-rc6-CITI_NFS4_ALL-1.diff.
> It works.
>
> I'd like to set it up using personalized principals: instead of
> nfs/<machine>.<domain> I'd like to specify <user x>/@<realm>
> or <user x>/<machine>.<domain>@<realm> for mount
> (meaning <user x> can mount a file system on a specific
> machine or on all machines in the realm).
> How can I do it?
> How can I allow at the server side <user x> to mount a file
> system (and disallow <user y>)?
>
> Where does rpc.svcgssd keep its TGT?
> Apparently, it never expires.
> Is there a way to make it forget its TGT?
>
> Thanks,
>
> Zoltan Menyhart

Hi,

The rpc.gssd code in the recently released nfs-utils-1.1.0 has a new
option (-n) to allow you to use principals other than nfs/<fqdn>@REALM
for the mount.  Our web page was updated yesterday to reference that
release.  Let me know if you have further questions about that.

I'm not sure whether you really mean rpc.gssd or rpc.svcgssd in your
question about TGT.  If you really mean rpc.svcgssd, it does not get a
TGT.  It has a keytab that is used to verify requests that it
receives.  It does not get a TGT.  If you meant rpc.gssd, then it
keeps its TGT (by default) in /tmp/krb5cc_machine_<REALM_NAME>.  It is
(by default) automatically refreshed using its keytab for principal
nfs/<fqdn>@REALM.  Using the new '-n' option will disable that
behavior.  Let me know if you have more specific questions about that.

K.C.
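As an added shell example (not code from the thread or from nfs-utils), the following inspects the rpc.gssd machine credential cache K.C. describes and reports whether it holds the nfs/<fqdn>@REALM service principal or some other principal; it assumes MIT Kerberos klist(1), and the realm EXAMPLE.ORG and host client.example.org are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from nfs-utils: it inspects the
# rpc.gssd machine credential cache K.C. describes, /tmp/krb5cc_machine_<REALM>,
# using MIT klist(1). Realm and host names here are constructed placeholders.

# Default cache path rpc.gssd uses for a realm's machine credentials.
machine_cache_path() {
    printf '/tmp/krb5cc_machine_%s\n' "$1"
}

# First "Default principal:" value in klist output read from stdin.
klist_principal() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# Expiry of the TGT (the krbtgt/ line) in klist output read from stdin.
klist_tgt_expiry() {
    awk '/krbtgt\// { print $3, $4; exit }'
}

# 0 for the host's NFS service principal nfs/<fqdn>@REALM, 1 for anything
# else (such as a user principal chosen via the new rpc.gssd -n option).
is_nfs_machine_principal() {
    case "$1" in
        nfs/*@*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Report which principal backs a realm's machine cache and when its TGT
# expires; a missing cache means rpc.gssd holds no machine credentials.
audit_machine_cache() {
    cache=$(machine_cache_path "$1")
    if [ ! -f "$cache" ]; then
        echo "$cache: absent (no machine credentials, e.g. rpc.gssd -n)"
        return 1
    fi
    out=$(klist -c "$cache")
    princ=$(printf '%s\n' "$out" | klist_principal)
    if is_nfs_machine_principal "$princ"; then kind=machine; else kind=user; fi
    echo "$cache: $kind principal $princ, TGT expires $(printf '%s\n' "$out" | klist_tgt_expiry)"
}

# Constructed klist output (not a real capture) used by the checks below.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_machine_EXAMPLE.ORG
Default principal: nfs/client.example.org@EXAMPLE.ORG

Valid starting     Expires            Service principal
06/05/07 12:00:00  06/05/07 22:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'
```

Run audit_machine_cache REALM on a client to see which credentials its rpc.gssd is using; the helper functions can also be fed saved klist output, as the constructed sample shows.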
