Root access to kerberized NFSv4 host on Ubuntu
I have a kerberized NFSv4 setup working well under Ubuntu for regular users, but I cannot get it working for root.
For most systems, I do not want to allow root access, but I have a couple of servers where root access over NFS to this file server is mandatory.
I know that root on a given client uses the client's machine identity, rather than an ordinary Kerberos principal.
What I can't figure out is: how can I equate a given machine identity with root access on the server? This seems possible under AIX and Solaris (with root= in the server's export file), but not Linux.
I realize that I can allow "sys" authentication for only the hosts that need it and keep krb5 in place for all the others, but I would like to understand how to do it within the context of a fully kerberized environment.
Thanks,
nrb
P.S. I am using no_root_squash.
Well, here's a solution that works. It's not the only one, but it's the cleanest one in my opinion.
Provide a static mapping in the server's idmapd.conf file which equates the machine credentials of the client with the root account on the server.
You must also tell idmapd to check for static mappings first. The relevant snippet from my server config is:
[Translation]
GSS-Methods = static,nsswitch
[Static]
nfs/[email protected] = root
As a note, the NFS client will go through the /etc/krb5.keytab looking for keys in (at least) the following order:
- root/[email protected]
- nfs/[email protected]
- host/[email protected]
It takes the first one and uses that. This is the name you must use in the Static section of the idmapd.conf file on the server.
nrb
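A small checker, added here and not part of the original thread, that applies the two rules from the answer above: it picks the principal a client would present from `klist -k` output (first root/, then nfs/, then host/) and verifies that the server's idmapd.conf lists static first in GSS-Methods and maps that principal to root. The hostnames, realm, `klist` output and idmapd.conf fragment are constructed samples.

```python
import re

KEYTAB_ORDER = ("root/", "nfs/", "host/")  # client keytab search order per the answer

# Constructed sample of `klist -k` on a client that has no root/ key.
SAMPLE_KLIST = """KVNO Principal
   2 host/client.example.com@EXAMPLE.COM
   2 nfs/client.example.com@EXAMPLE.COM
"""

# Constructed fragment of the server's /etc/idmapd.conf.
SAMPLE_CONF = """[Translation]
GSS-Methods = static,nsswitch
[Static]
nfs/client.example.com@EXAMPLE.COM = root
"""

def pick_client_principal(klist_output):
    """Return the principal the client will present: first keytab entry by KEYTAB_ORDER."""
    principals = [m.group(1) for line in klist_output.splitlines()
                  if (m := re.match(r"\s*\d+\s+(\S+)", line))]
    ranked = [p for prefix in KEYTAB_ORDER for p in principals if p.startswith(prefix)]
    return ranked[0] if ranked else None

def parse_idmapd(conf):
    """Minimal INI parser for idmapd.conf: {section: {key: value}}, '#' comments dropped."""
    sections, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            current[key] = val
    return sections

def check_root_mapping(klist_output, conf):
    """List the problems found; an empty list means root on the client maps to root."""
    principal = pick_client_principal(klist_output)
    if principal is None:
        return ["client keytab has no root/, nfs/ or host/ principal"]
    sections = parse_idmapd(conf)
    methods = [m.strip() for m in sections.get("Translation", {}).get("GSS-Methods", "").split(",")]
    problems = []
    if methods[:1] != ["static"]:
        problems.append("GSS-Methods must list 'static' first, got: " + ",".join(methods))
    if sections.get("Static", {}).get(principal) != "root":
        problems.append(f"[Static] lacks '{principal} = root'")
    return problems
```

Run it against the real `klist -k` output from the client and the server's idmapd.conf to see which principal name the [Static] entry has to use.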