I'm trying to install nextcloud on an ArchLinuxARM box and would like to store uploaded data on an NFS server (debian testing). NFS server uses sec=krb5i to export shares.
I have SSSD running and NFS works smoothly for ordinary users.
However, I fail to make this work for user http.
I'm testing with
sudo -u http ls /mount/http-folder
Next, I tried to export http's keys to a keytab, but sudo -u http KRB5_CLIENT_KTNAME=/etc/httpd/conf/krb5.keytab ls /mount/http-folder has same problem.
Update(2 - solved!):
The application needs to be aware of kerberos and honor KRB5_CLIENT_KTNAME.
Or better, when the client keytab is in its default location (as pointed out by Piotr P. Karwasz, that could be identified with krb5-config --defcktname) it will be picked up by rpc.gssd automatically.
[root]> su -l http -s /usr/sbin/bash
[http]> ls /mount/http-folder
ls: cannot open directory '/mount/http-folder': Stale file handle
[http]> krb5-config --defcktname
FILE:/var/lib/krb5/user/%{euid}/client.keytab
[http]> export KRB5_CLIENT_KTNAME=/var/lib/krb5/user/http/client.keytab
[http]> ls /mount/http-folder
ls: cannot access '/mount/http-folder': Permission denied
# note the difference (1)
[http]> $ kinit -t $KRB5_CLIENT_KTNAME http
keytab specified, forcing -k
[http]> ls /mount/http-folder
this_is_www-data
[http]> exit
# solution:
[root]> mv /var/lib/krb5/user/http /var/lib/krb5/user/`id -u http`
[root]> su -l http -s /usr/sbin/bash
[http]> kdestroy # (2)
[http]> ls /mount/http-folder
this_is_www-data
(1) not sure what causes this - according to kerberos docs it should use the first principal it finds in the client keytab file - the client keytab contains only the desired princial, so ... ? As Piotr P. Karwasz correctly points out, %{euid] is the numeric id, not the usename (bummer!), so client keytab is not in default location!
(2) make sure ticket cache is empty
So, problem solved. Thanks, Piotr!
