NFSv4 + Kerberos + users
Zoltan Menyhart
Zoltan.Menyhart at bull.net
Thu Jun 21 12:07:32 EDT 2007
Steve Dickson wrote:
> sorry for the delayed response...
>
> Zoltan Menyhart wrote:
>
>>
>> What should be added to indicate that
>> user_i/<machine>.<domain>@<realm> is allowed
>> to mount his/her own partition ?
>> (I do not need an ACL for the files on the file system.)
>
> the user has to do a kinit [user@<realm>] to access the filesystem...
I think in this case user_i sees the complete export tree.
Unfortunately, it does not always work.
In two xterms, I have done "kinit" as the users root and linux. As root, I do:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root at FREC.BULL.FR
Valid starting Expires Service principal
06/21/07 17:36:04 06/22/07 17:36:02 krbtgt/FREC.BULL.FR at FREC.BULL.FR
06/21/07 17:37:29 06/22/07 17:36:02 nfs/lucy2_10g.frec.bull.fr at FREC.BULL.FR
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
# mount lucy2_10g:/
mount.nfs4: Permission denied
Here is what gssd says:
handling krb5 upcall
getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_500' being considered
'/tmp/krb5cc_500' owned by 500, not 0
CC file 'krb5cc_machine_FREC.BULL.FR' being considered
CC file 'krb5cc_machine_FREC.BULL.FR' matches owner check and has mtime of 1181136512
CC file 'krb5cc_0' being considered
CC file 'krb5cc_0' matches owner check and has mtime of 1182440249
CC file 'krb5cc_0' is our current best match with mtime of 1182440249
using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_0
creating context using fsuid 0 (save_uid 0)
creating tcp client for server lucy2_10g.frec.bull.fr
creating context with server nfs at lucy2_10g.frec.bull.fr
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
doing error downcall
destroying client clntae
Why does it even consider using /tmp/krb5cc_500?
As the user linux I do a "kdestroy", then mount works.
I do a "kinit" again as the user linux. Then I can access the mounted volume.
Now gssd says:
handling krb5 upcall
getting credentials for client with uid 500 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_500' being considered
CC file 'krb5cc_500' matches owner check and has mtime of 1182440635
CC file 'krb5cc_machine_FREC.BULL.FR' being considered
'/tmp/krb5cc_machine_FREC.BULL.FR' owned by 0, not 500
CC file 'krb5cc_0' being considered
'/tmp/krb5cc_0' owned by 0, not 500
using FILE:/tmp/krb5cc_500 as credentials cache for client with uid 500 for server lucy2_10g.frec.bull.fr
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_500
creating context using fsuid 500 (save_uid 0)
creating tcp client for server lucy2_10g.frec.bull.fr
creating context with server nfs at lucy2_10g.frec.bull.fr
serialize_krb5_ctx: serializing keys with enctype 4 and length 8
doing downcall
This sometimes happens, too:
# umount /imports/
# mount lucy2_10g:/
# su - linux
$ id
uid=500(linux) gid=500(linux) groups=500(linux)
$ ls -l /imports/sdb6/tmp
ls: /imports/sdb6/tmp: Permission denied
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: linux at FREC.BULL.FR
Valid starting Expires Service principal
06/21/07 17:15:54 06/22/07 17:15:52 krbtgt/FREC.BULL.FR at FREC.BULL.FR
06/21/07 17:16:03 06/22/07 17:15:52 nfs/lucy2_10g.frec.bull.fr at FREC.BULL.FR
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
Now gssd says:
handling krb5 upcall
getting credentials for client with uid 500 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_machine_FREC.BULL.FR' being considered
'/tmp/krb5cc_machine_FREC.BULL.FR' owned by 0, not 500
CC file 'krb5cc_0' being considered
'/tmp/krb5cc_0' owned by 0, not 500
using FILE:/tmp/krb5cc_500 as credentials cache for client with uid 500 for server lucy2_10g.frec.bull.fr
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_500
creating context using fsuid 500 (save_uid 0)
creating tcp client for server lucy2_10g.frec.bull.fr
creating context with server nfs at lucy2_10g.frec.bull.fr
WARNING: Failed to create krb5 context for user with uid 500 for server lucy2_10g.frec.bull.fr
WARNING: Failed to create krb5 context for user with uid 500 for server lucy2_10g.frec.bull.fr
doing error downcall
Who should own '/tmp/krb5cc_machine_FREC.BULL.FR'?
Why does it look at '/tmp/krb5cc_0'?
>> When I do a "mount server:/", like I did above as root, everything is
>> mounted.
>> How can server:/sdxi be mounted separately?
>
> I believe adding 'nohide' to the pseudo root export
> (i.e. /export (fsid=0,nohide) ) should do the trick...
I think "nohide" is not a per user option.
Can an export line somehow say "nohide" for "principals x and y"?
Thanks,
Zoltan
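Added example (not code from the thread or from nfs-utils): a small Python parser for the gssd debug output quoted above, which summarises each upcall by the uid and server, the caches considered, the caches the owner check skipped, the cache finally used and whether the downcall succeeded. The sample input is an abbreviated copy of the failing uid-0 run and the working uid-500 run from the post.

```python
import re

# Patterns for the gssd debug lines quoted in the thread.
RE_UID = re.compile(r"getting credentials for client with uid (\d+) for server (\S+)")
RE_CONSIDER = re.compile(r"CC file '([^']+)' being considered")
RE_REJECT = re.compile(r"'([^']+)' owned by (\d+), not (\d+)")
RE_USING = re.compile(r"using (\S+) as credentials cache")

def parse_gssd_log(text):
    """Split gssd debug output into upcalls; return one summary dict per upcall."""
    upcalls, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "handling krb5 upcall":
            cur = {"uid": None, "server": None, "considered": [], "rejected": [],
                   "using": None, "context_failed": False, "outcome": None}
            upcalls.append(cur)
        elif cur is None:
            continue
        elif m := RE_UID.search(line):
            cur["uid"], cur["server"] = int(m.group(1)), m.group(2)
        elif m := RE_CONSIDER.search(line):
            cur["considered"].append(m.group(1))
        elif m := RE_REJECT.search(line):
            # Owner check skipping another uid's cache: expected, not the failure cause.
            cur["rejected"].append((m.group(1), int(m.group(2)), int(m.group(3))))
        elif m := RE_USING.search(line):
            cur["using"] = m.group(1)
        elif line.startswith("WARNING: Failed to create krb5 context"):
            cur["context_failed"] = True
        elif line == "doing error downcall":
            cur["outcome"] = "error"
        elif line == "doing downcall":
            cur["outcome"] = "ok"
    return upcalls

# Constructed sample: the failing uid-0 run and the working uid-500 run from the post, abbreviated.
SAMPLE = """\
handling krb5 upcall
getting credentials for client with uid 0 for server lucy2_10g.frec.bull.fr
CC file 'krb5cc_500' being considered
'/tmp/krb5cc_500' owned by 500, not 0
CC file 'krb5cc_0' being considered
using FILE:/tmp/krb5cc_0 as credentials cache for client with uid 0 for server lucy2_10g.frec.bull.fr
WARNING: Failed to create krb5 context for user with uid 0 for server lucy2_10g.frec.bull.fr
doing error downcall
handling krb5 upcall
getting credentials for client with uid 500 for server lucy2_10g.frec.bull.fr
using FILE:/tmp/krb5cc_500 as credentials cache for client with uid 500 for server lucy2_10g.frec.bull.fr
doing downcall
"""
```

Run it over a full gssd log (gssd started with -vvv) to see at a glance which upcalls ended in an error downcall and which cache each one actually used.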