Give linux service user access to Kerberos NFS share

Question

I am running a NFSv4 server and a client on two raspbian buster distributions. I use Kerberos to secure the NFS share.

On the NFS client, I run the gitea service with git user, which is started on boot. I would like to store the git repositories on the NFS share, so the git user will need to access it.

When I login to git user and execute kinit I can access the share without issue.

Is there a way that the gitea service automatically ask a Kerberos ticket and renew it so the service can access the NFS share without my intervention ?

I did some research, I have some ideas in mind but not sure what's the best way to achieve it.

• I could run a cron that regularly run a kinit.
• This thread talks about SSSD (which I didn't know about)
• I could manually do an initial kinit and set a very long ticket lifetime but it is not a good practice in a security point of view.

(I am new to Kerberos and NFS so they may be poorly configured but it works)

Thanks !

Answer 1

The answer "client keytab" goes into the right direction. But I couldn't make this work on its own. But with gssproxy it works like a charm. See https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md for details.

Answer 2

You have basically two alternatives:

• running everything as root, since root uses the machine credentials,
• create a client keytab for your user.

In order to use the second solution you have to locate the default location for client keytabs:

piotr@bialykiel:~$ krb5-config --defcktname
FILE:/etc/krb5/user/%{euid}/client.keytab

and create the keytab using kadmin:

ktadd -k /etc/krb5/user/1234/client.keytab yourprincipal@YOUR.DOMAIN.ORG

Whenever a GSS-API application such as rpc.gssd will not be able to access your credential cache, it will create a new one using the keytab.