
Alright, I am close to giving up on this but here is to one more attempt. I have more questions than answers and any help would be greatly appreciated.

The operating system on the server is Debian Stretch; on the client it is Debian Sid. I have an NFSv4 server with Kerberos (both servers are on the same physical machine) which exports /home/User1. The /etc/exports is

/home/User1 gss/krb5(rw,insecure,sync,wdelay,no_subtree_check,no_root_squash)

I have idmap enabled in /etc/default/nfs-common and the idmapd.conf is

[General]
Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
Domain = MyDomain

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

Now, the client has a User2 that is the same individual as User1. However, the strings that are User1 and User2 have to be different for certain reasons. The idmapd.conf file on the client is exactly the same. When I mount Server:/home/User1 from client as root, the Kerberos server issues a service ticket based on machine authentication (/tmp/krb5ccmachine) and I am able to mount /home/User1. However, as you might have already guessed, the ownership of the mounted directory is all messed up. For one, the no_root_squash option is completely ignored, so even root on the client cannot write to the mounted directory. User2 cannot even cd into it.

Now, from what I understand, the NFS server doesn't know that root on the client is root (why? Shouldn't root@MyDomain translate to root on the server?). From what I gathered from similar questions on this site, the following changes to the server's idmapd.conf fix this issue:

[Translate]
GSS-Methods = static

[Static]
nfs/client@MYREALM = root #principal used to authenticate client

Annoyingly, root now has full privileges to the mounted directory even after reverting the changes to idmapd.conf and restarting the NFS server. Where is this persistence coming from?

To my main questions: how can I mount /home/User1 so that User2 is the owner of the mounted directory, and so that any files created by User2 will appear as owned by User1 on the server? In NFSv3 it seems this was straightforward since ownership was determined by uid:gid. Is this even possible with NFSv4?

Ivan
  • Are you using SSSD at all? – dawud Dec 28 '16 at 11:11
  • No, I am not. I'd like to limit the amount of additional services I need to run to make the above work. – Ivan Dec 29 '16 at 05:39
  • First of all, you can still mount nfs4 with auth_sys. Second, are you sure that idmap is called? Run **idmapd -f -vvv** to see the mapping. Did you mount with krb (mount -o sec=krb5)? – kofemann Dec 29 '16 at 22:04
  • Yes, I am mounting with `mount -o sec=krb5`. I'd like to use Kerberos to authenticate, so `auth_sys` is not an option for me. `idmapd` is indeed running, but on the client side I get `nss_getpwnam: name 'User1@MyDomain' domain 'MyDomain' : resulting localname 'User1'` followed by `nss_getpwnam: name 'User1' not found in domain 'MyDomain'`. On the server side I have solved the problem by statically mapping `User2` and `root` to local users in `idmapd.conf`. But I don't have a way of doing it on the client side. – Ivan Dec 30 '16 at 19:20
  • On the server side, I can authenticate the client's root and User2 to the NFS server using Kerberos. By adding the appropriate static entries in the `idmapd.conf` on the server, everything works fine on the server, i.e. if User2 creates a file on the share it shows up as owned by User1 on the server. However, I cannot repeat this on the client side. – Ivan Dec 30 '16 at 19:28
  • Thanks for the `idmapd.conf` example. This resolved my problem with mapping, which was the same as yours. On the whole internet, there's no single page with examples of how to configure static mapping using Kerberos. Even in the manual, there's no info about whether it should be configured on the server or the client, or maybe on both. – QkiZ Dec 10 '21 at 08:00
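An offline sanity check for the kind of static GSS mapping discussed in the question and the `idmapd -f -vvv` lines quoted in the comments, added here as an example rather than taken from the thread. It assumes idmapd.conf is read as INI (as configparser does), that `[Static]` is only consulted when `GSS-Methods` (or its fallback `Method`) lists `static`, and it uses a constructed `/etc/passwd` and the `User2`/`olduser` entries as stand-ins.

```python
import configparser
import re

# Constructed sample modelled on the server-side idmapd.conf in the question;
# the User2 and olduser entries are assumptions, not taken from the thread.
SAMPLE_CONF = """
[General]
Domain = MyDomain
[Translate]
GSS-Methods = static
[Static]
nfs/client@MYREALM = root #principal used to authenticate client
User2@MYREALM = User1
olduser@MYREALM = ghost
"""
# Constructed stand-in for the server's /etc/passwd.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nUser1:x:1000:1000::/home/User1:/bin/bash\n"
# Constructed log, reproducing the idmapd -f -vvv lines quoted in the comments.
SAMPLE_LOG = """nss_getpwnam: name 'User1@MyDomain' domain 'MyDomain' : resulting localname 'User1'
nss_getpwnam: name 'User1' not found in domain 'MyDomain'
"""
NOT_FOUND = re.compile(r"nss_getpwnam: name '([^']+)' not found in domain '([^']+)'")


def parse_idmapd_conf(text):
    """idmapd.conf is INI-like; keep key case because Kerberos principals are case-sensitive."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def local_users(passwd_text):
    return {line.split(":")[0] for line in passwd_text.splitlines() if line}


def check_static_mapping(conf_text, passwd_text):
    """List problems: [Static] present but not enabled, or a target with no local account."""
    cp = parse_idmapd_conf(conf_text)
    users = local_users(passwd_text)
    static = dict(cp.items("Static")) if cp.has_section("Static") else {}
    problems = []
    # GSS-Methods falls back to Method, which defaults to nsswitch; then [Static] is never used.
    methods = cp.get("Translate", "GSS-Methods", fallback=cp.get("Translate", "Method", fallback="nsswitch"))
    if static and "static" not in [m.strip() for m in methods.split(",")]:
        problems.append("[Static] entries present but GSS-Methods does not include 'static'")
    problems += [f"{p}: maps to '{u}', which has no local account" for p, u in static.items() if u not in users]
    return problems


def unresolved_names(log_text):
    """Names the nsswitch lookup could not resolve: each needs a local account or a static entry."""
    return sorted({m.group(1) for m in NOT_FOUND.finditer(log_text)})
```

Run on the real server, `check_static_mapping(open("/etc/idmapd.conf").read(), open("/etc/passwd").read())` flags mappings that point at nonexistent accounts, and `unresolved_names` over the daemon's verbose output names exactly which principals still fall through to `nobody`.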
