What do I need for root to write?

Kevin Coffman kwc at citi.umich.edu
Tue Feb 19 10:15:13 EST 2008


On Feb 16, 2008 9:32 AM, Nathan Patwardhan <noopy.org at gmail.com> wrote:
> Hello,
>
> I'm kind of embarrassed that I'm asking a question that should be
> simple.  I'm just having issues wrapping my head around it.  :-)
>
> Anyhow, what combination of things do I have to do to allow root to
> write an NFSv4/Kerberos volume?  Note that we are using NetApps for
> NFSv4/CIFS, Windows 2k3 KDC, and Linux clients.  I've enabled
> root=ip.of.my.linux.admin.host in /etc/exports on the filer.
> Obviously, this is insufficient for root writes for NFSv4.  I suspect
> that we're missing a root/<hostname>@REALM principal, but I'm not sure
> how this should be reflected in our KDC.
>
>   - Should a root principal be created on the Windows KDC for each of
> the host(s) listed in the root ACL of /etc/exports on the NetApp?
>   - Should a root principal be created on the Windows KDC for the NetApp itself?
>   - If not a root principal on the Windows KDC, should we just add a
> user with an appropriate uid or domain admin rights to AD?
>   - Am I missing something else?  If so, how would you suggest that I
> allow root to write an NFSv4/Kerberos volume?

I'm not sure what the requirements are for the NetApp server.  I can
tell you that unless you are using the "-n" option to rpc.gssd, the
Linux client will be using "machine" credentials to authenticate to
the server.  To obtain these credentials, you need a keytab entry on
the Linux client for one of the following principals:
   root/<f.q.h.n>@REALM
   nfs/<f.q.h.n>@REALM
   host/<f.q.h.n>@REALM

This is all assuming you are using the latest nfs-utils.  Previous
versions may have slightly different behavior, such as insisting on
nfs/<f.q.h.n>@REALM.

The "-n" option to rpc.gssd says that root access will not use
"machine" credentials.  In that case, root must do a kinit as some
Kerberos principal to authenticate to the server.

I hope this is a little helpful,
K.C.
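A quick way to verify the point made above (that the client keytab must hold a root/, nfs/ or host/ principal for the client's fully qualified host name before rpc.gssd can pick up "machine" credentials) is to inspect the keytab and match its principals against those three forms. The script below is an added example, not part of the original thread, and assumes MIT Kerberos `klist -k` output; the host name admin1.example.com, the realm EXAMPLE.COM and the sample keytab listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list message): report which of the
# principals rpc.gssd accepts for "machine" credentials are present in a
# keytab.  Accepted forms, per the message above:
#   root/<fqhn>@REALM   nfs/<fqhn>@REALM   host/<fqhn>@REALM
# Input is the text of `klist -k` (MIT Kerberos layout assumed).

# find_machine_principals FQHN REALM < klist-output
# Prints each matching principal once; exits 0 if any matched, 1 otherwise.
find_machine_principals() {
    fqhn="$1"
    realm="$2"
    # klist -k lines look like "   3 host/name@REALM"; header and dashed
    # separator lines do not start with a numeric KVNO and are skipped.
    awk -v fqhn="$fqhn" -v realm="$realm" '
        NF >= 2 && $1 ~ /^[0-9]+$/ {
            p = $2
            if (p == "root/" fqhn "@" realm ||
                p == "nfs/"  fqhn "@" realm ||
                p == "host/" fqhn "@" realm) {
                if (!seen[p]++) print p   # each principal once, ignore extra KVNOs
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample: a keytab with host/ and nfs/ entries for the client.
SAMPLE_KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/admin1.example.com@EXAMPLE.COM
   3 host/admin1.example.com@EXAMPLE.COM
   2 nfs/admin1.example.com@EXAMPLE.COM'

# Constructed sample: only a user principal, which rpc.gssd will not use
# as machine credentials, so a mount by root would lack credentials.
SAMPLE_KEYTAB_MISSING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 alice@EXAMPLE.COM'

check_sample_ok() {
    printf '%s\n' "$SAMPLE_KEYTAB_OK" | find_machine_principals admin1.example.com EXAMPLE.COM
}

check_sample_missing() {
    printf '%s\n' "$SAMPLE_KEYTAB_MISSING" | find_machine_principals admin1.example.com EXAMPLE.COM
}

# check_live_keytab REALM: run against the real keytab.  Reading
# /etc/krb5.keytab normally requires root; hostname -f must give the FQHN
# that the keytab entries were created for.
check_live_keytab() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed" >&2; return 2; }
    klist -k | find_machine_principals "$(hostname -f)" "$1"
}

# Stand-alone run: show the result for the constructed samples.
echo "sample with machine principals:"
check_sample_ok
echo "sample without machine principals:"
check_sample_missing || echo "  none found: rpc.gssd has no machine credentials to use"
```

To check a real client, run `check_live_keytab EXAMPLE.COM` as root with your own realm; an empty result means the keytab has none of the three principals, which is exactly the situation in which rpc.gssd (without `-n`) cannot authenticate root's requests to the server.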

