On Fri, 30 May 2014 10:57:45 -0500, Matt Garman wrote:
> Then under the [Static] section of idmapd.conf (on the nfsv4 server), I
> have:
>
> matt/cron@REALM = matt
>
> *** Note that you also need "static" listed as one of your GSS-Methods
> under the [Translation] section of idmapd.conf, i.e.:
>
> [Translation]
> GSS-Methods = nsswitch,static
>
> That one confused me for a while when I was setting this up!
Yes, I have a solution! You practically spelled it out for me, Matt.
Consequently, after just a little more perseverance I hit upon a
configuration that worked for me. In case you're interested (comments
welcome)...

** On the client (hostname: daboia.umrk.nl)

* In /etc/fstab:

cerastes.umrk.nl:/ /nfs nfs4 sec=krb5i,rw,_netdev,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0

* In /etc/idmapd.conf:

[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = umrk.nl

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

* The name of the host principal used is: host/[email protected]

** On the server (hostname: cerastes.umrk.nl)

* In /etc/fstab:

/data2 /nfs/data2 none bind 0 0
/data4 /nfs/data4 none bind 0 0

* Exported directory structure:

root@cerastes:~# ll /nfs
total 32K
drwxr-xr-x  7 root    root    4.0K Jun  4 02:40 ./
drwxr-xr-x 25 root    root    4.0K Jun  4 02:39 ../
drwxr-xr-x  2 root    root    4.0K Apr  6 11:17 data/
drwxr-xr-x  2 jwinius jwinius 4.0K Jun  4 02:38 data2/
drwxr-xr-x  2 jwinius jwinius 4.0K May 24 16:42 data3/
drwxr-xr-x  2 jwinius jwinius 4.0K Jun  4 02:57 data4/
drwxr-xr-x  2 jwinius jwinius 4.0K Jun  4 02:39 data5/
drwxr-xr-x  2 root    root    4.0K Jun  4 03:26 data6/

* In /etc/exports:

/nfs       gss/krb5i(ro,no_root_squash,no_subtree_check,crossmnt,fsid=0)
/nfs/data  gss/krb5i(ro,no_root_squash,no_subtree_check)
/nfs/data2 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data3 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data4 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data5 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data6 gss/krb5i(rw,root_squash,no_subtree_check)

* In /etc/idmapd.conf:

[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = umrk.nl

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Static]
host/[email protected] = root

[Translation]
GSS-Methods = nsswitch,static

* The name of the host principal used is: root/[email protected]
  Note: I could just as well have used 'host/[email protected]'

* But, /etc/krb5.keytab also contains key entries for: nfs/[email protected]

After running only a few tests, I noticed that despite how /etc/exports
and the /nfs directory look, I could only write to /nfs/data2 and data4.
That's apparently because these were mounted separately with the 'bind'
option, while /nfs/data, data3 and data5 are either specified in
/etc/exports as 'ro' and/or are actual subdirectories of /nfs.
Furthermore, even though it's also bind-mounted, as root I could not
write to /nfs/data6 because of the 'root_squash' option, so under the
right circumstances that mechanism still works as well.

Oh, and after I've logged into the client myself and written something
to the server, my client automatically obtains a few extra service
tickets:

jwinius@daboia:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: [email protected]

Valid starting     Expires            Service principal
04/06/2014 03:49   05/06/2014 03:49   krbtgt/[email protected]
04/06/2014 03:50   05/06/2014 03:49   nfs/cerastes.umrk.nl@
04/06/2014 03:50   05/06/2014 03:49   nfs/[email protected]

That seems normal to me. However, I don't see these service tickets
being obtained after I've written stuff as the root user to one of the
exports on the server. Any idea why?

Anyway, in principle it looks like I'm now ready to migrate to NFSv4. :-)

Thanks, Matt!

Cheers,

Jaap
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
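The two things a reviewer would want to check mechanically in the server configuration above are the pitfall Matt describes (a [Static] section that is silently ignored because "static" is not listed in GSS-Methods) and the exports that disable root squashing. The following script is an added example, not code from the thread or from nfs-utils: it parses an idmapd.conf and an /etc/exports modelled on the server files posted above and reports both. The realm "REALM" is a placeholder (the thread does not show it), and the samples are constructed, so the hostnames and paths are only illustrative.

```python
"""Lint idmapd.conf and /etc/exports for two NFSv4/Kerberos pitfalls.

Added example, not part of the thread. Reports (1) a [Static] section whose
mappings are never consulted because GSS-Methods lacks "static", and
(2) exports that carry no_root_squash.
"""
import re
from configparser import ConfigParser

# Constructed sample modelled on the server idmapd.conf above.
# "REALM" is a placeholder for the Kerberos realm, which the thread does not show.
IDMAPD_OK = """
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = umrk.nl

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Static]
host/daboia.umrk.nl@REALM = root

[Translation]
GSS-Methods = nsswitch,static
"""

# Same file with the mistake Matt warns about: "static" not listed.
IDMAPD_BROKEN = IDMAPD_OK.replace("GSS-Methods = nsswitch,static",
                                  "GSS-Methods = nsswitch")

# Constructed sample modelled on the /etc/exports above (shortened).
EXPORTS = """
/nfs       gss/krb5i(ro,no_root_squash,no_subtree_check,crossmnt,fsid=0)
/nfs/data  gss/krb5i(ro,no_root_squash,no_subtree_check)
/nfs/data2 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data6 gss/krb5i(rw,root_squash,no_subtree_check)
"""


def parse_idmapd(text):
    """Parse idmapd.conf; option names stay case-sensitive because
    principals and the GSS-Methods key are case-significant."""
    cfg = ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def check_static_mapping(cfg):
    """Return findings about the [Static] section as a list of strings."""
    findings = []
    static = dict(cfg["Static"]) if cfg.has_section("Static") else {}
    methods = [m.strip() for m in
               cfg.get("Translation", "GSS-Methods", fallback="nsswitch").split(",")]
    if static and "static" not in methods:
        findings.append("ERROR: [Static] has %d mapping(s) but GSS-Methods=%s "
                        "does not include 'static'; the mappings are never used"
                        % (len(static), ",".join(methods)))
    for principal, user in static.items():
        if user == "root":
            findings.append("NOTE: %s maps to root; guard its keytab like a "
                            "root credential" % principal)
    return findings


def parse_exports(text):
    """Return [(path, client, {option, ...}), ...] from /etc/exports text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = re.fullmatch(r"([^(]+)\((.*)\)", spec)
            client, opts = (m.group(1), m.group(2)) if m else (spec, "")
            entries.append((path, client, set(filter(None, opts.split(",")))))
    return entries


def check_exports(entries):
    """Flag exports where root on the client stays root on the server."""
    findings = []
    for path, client, opts in entries:
        if "no_root_squash" in opts:
            mode = "rw" if "rw" in opts else "ro"
            level = "WARNING" if mode == "rw" else "NOTE"
            findings.append("%s: %s exported to %s with no_root_squash (%s)"
                            % (level, path, client, mode))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", IDMAPD_BROKEN), ("fixed", IDMAPD_OK)):
        print(label, check_static_mapping(parse_idmapd(text)))
    for finding in check_exports(parse_exports(EXPORTS)):
        print(finding)
```

Run against the real files with `parse_idmapd(open("/etc/idmapd.conf").read())` and `parse_exports(open("/etc/exports").read())`; the "broken" sample reproduces the symptom Matt hit (mappings present, never applied), and /nfs/data6 produces no finding because root_squash is in effect there, matching the behaviour Jaap observed.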
