
I have the following setup:

NFS4 server on Debian Buster, Kerberos server on the same machine, no LDAP or AD. The hostname is bohr.digital.

List of principals:

kadmin/admin@DIGITAL
kadmin/bohr.digital@DIGITAL
kadmin/changepw@DIGITAL
kiprop/bohr.digital@DIGITAL
krbtgt/DIGITAL@DIGITAL
nfs/bohr.digital@DIGITAL
nfs/drag0n.digital@DIGITAL
root/admin@DIGITAL

Contents of /etc/krb5.keytab

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/bohr.digital@DIGITAL (aes256-cts-hmac-sha1-96) 
   2 host/bohr.digital@DIGITAL (aes128-cts-hmac-sha1-96) 
   2 nfs/bohr.digital@DIGITAL (aes256-cts-hmac-sha1-96) 
   2 nfs/bohr.digital@DIGITAL (aes128-cts-hmac-sha1-96)

The NFS server is configured with the following options:

/etc/default/nfs-common

NEED_IDMAPD=yes
NEED_GSSD=yes

/etc/default/nfs-kernel-server

RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids --debug all --no-nfs-version 3"
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS="-vvv"

Contents of /etc/idmapd.conf

[General]

Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
Domain = digital

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

Contents of /etc/exports

/export/QkiZMonsteR 192.168.12.0/24(fsid=2271b4c3-772c-4c6e-977c-6f50e328358e,rw,subtree_check,insecure,sec=krb5:krb5i:krb5p)
/export 192.168.12.0/24(ro,fsid=0,root_squash,no_subtree_check,hide,sec=krb5:krb5i:krb5p)

Here is the config of the NFS client named drag0n.digital.

Contents of /etc/krb5.keytab

KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/drag0n.digital@DIGITAL (aes256-cts-hmac-sha1-96) 
   4 nfs/drag0n.digital@DIGITAL (aes128-cts-hmac-sha1-96)

/etc/idmapd.conf is the same as on the NFS server.

The NFS share mounts without problems, but file ownership is mapped to nobody. This is how the mount point looks:

drwxrwsr-x   1 nobody    users      492 Dec  5 00:20 nfs/

and the contents of the mount point:

drwxr-xr-x 1 nobody    4294967294      246 Dec  6 00:22  BACKUP/
-rw------- 1 nobody    4294967294   381646 Feb  8  2017  Bookmarks
drwxrws--- 1 nobody    users           590 Dec  2 22:28  Dokumenty/
-rw------- 1 nobody    4294967294   245760 Aug 18  2020  qkiz.xdb
drwxrwxr-x 1 nobody    4294967294       52 Oct 15 00:13  VMware/

What do I need to change to authenticate as a specific user on the NFS server?

QkiZ

0 Answers
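An added diagnostic for the setup above, written for this page and not code from the question or its poster: it parses the quoted /etc/exports into per-export options and reports ones that weaken the request-to-identity binding (sec=sys, insecure), checks that the idmapd Domain agrees with what the server FQDN implies, and picks out listing entries that still show the nobody/overflow ids. The exports, idmapd.conf and listing samples are copied from the question; the `mapped.txt` line and the `UNMAPPED_IDS` set are constructed.

```python
import re

# Constructed sample input, copied from the question: exports, idmapd.conf and `ls -l`.
EXPORTS = """\
/export/QkiZMonsteR 192.168.12.0/24(fsid=2271b4c3-772c-4c6e-977c-6f50e328358e,rw,subtree_check,insecure,sec=krb5:krb5i:krb5p)
/export 192.168.12.0/24(ro,fsid=0,root_squash,no_subtree_check,hide,sec=krb5:krb5i:krb5p)
"""
IDMAPD_CONF = "[General]\nVerbosity = 5\nDomain = digital\n\n[Mapping]\nNobody-User = nobody\n"
LISTING = """\
drwxr-xr-x 1 nobody    4294967294      246 Dec  6 00:22  BACKUP/
drwxrws--- 1 nobody    users           590 Dec  2 22:28  Dokumenty/
-rw-r--r-- 1 qkiz      users           100 Dec  2 22:28  mapped.txt
"""
# Values meaning idmapd fell back to Nobody-User/Group; 4294967294 is -2 as an unsigned id (constructed set).
UNMAPPED_IDS = {"nobody", "nogroup", "4294967294"}

def parse_exports(text):
    """Parse /etc/exports lines into (path, client, options) tuples; sec= becomes a list."""
    entries = []
    for m in re.finditer(r"^(\S+)\s+(\S+?)\((.*)\)\s*$", text, re.M):
        path, client, raw = m.groups()
        opts = {}
        for opt in raw.split(","):
            key, _, value = opt.partition("=")
            opts[key] = value.split(":") if key == "sec" else (value or True)
        entries.append((path, client, opts))
    return entries

def export_findings(opts):
    """Options on one export that weaken the binding between a request and a verified identity."""
    findings = []
    if "sys" in opts.get("sec", ["sys"]):       # exportfs defaults to sec=sys when unset
        findings.append("AUTH_SYS allowed: client-asserted uids are trusted")
    if "insecure" in opts:
        findings.append("insecure: requests from unprivileged source ports accepted")
    return findings

def domain_matches(conf, fqdn):
    """Server and client idmapd must agree on Domain (default: FQDN minus hostname)."""
    m = re.search(r"^\s*Domain\s*=\s*(\S+)", conf, re.M)
    return bool(m) and m.group(1).lower() == fqdn.split(".", 1)[1].lower()

def unmapped_entries(listing):
    """Names from `ls -l` output whose owner or group did not map to a real account."""
    names = []
    for line in listing.splitlines():
        cols = line.split(None, 8)
        if len(cols) == 9 and UNMAPPED_IDS & {cols[2], cols[3]}:
            names.append(cols[8])
    return names
```

Point `parse_exports` and `unmapped_entries` at a real /etc/exports and `ls -l` capture to compare server and client views side by side.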