Kerberized NFS root user access

Frank Cusack frank at linetwo.net
Wed Aug 22 15:45:32 EDT 2012


On Wed, Aug 15, 2012 at 8:10 AM, steve <steve at steve-ss.com> wrote:

> Hi
> openSUSE 12.1
>
> Our Samba4 DC has a Kerberised NFS mounted share. I need the root user
> to be able to write to the share. I can do this by mounting it with:
> no_root_squash,sec=sys
>
> Is there any way I can do it with:
> sec=krb5
>
> root has a ticket in /tmp/krb5cc_0 but he always gets permission denied
> when the share is mounted krb5, even with the no_root_squash
>

You need a ticket for a user with adequate permissions.  One way, for
example, is to make sure the directory (if you need to create a file) or
file (if you need to modify a file) is writable by a group that the
ticket's principal is part of.  For example, the directory could be
writable by group staff and root could be in group staff.

An easier solution that doesn't require what is likely to be complex group
and mode settings which are changeable by the user, is to simply acquire a
ticket as the user.  If your samba DC is also the KDC this should be rather
trivial.  If not, you just need a way to obtain such a ticket.

Another solution is to export the share with sys security to the DC.
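
Added example (not part of the original message or of any project's code): a sec=sys export with no_root_squash trusts whatever uid the client claims, so the last option above is only contained if that export names the DC alone. This script audits an exports(5) file for entries that grant AUTH_SYS root access to wildcard, netgroup, network or unrestricted clients; the paths and hostnames in the sample are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample exports(5) file; paths and hostnames are placeholders.
sample_exports() {
cat <<'EOF'
# Kerberos for ordinary clients, AUTH_SYS root access for the DC only
/srv/share dc1.example.test(rw,sec=sys,no_root_squash) *.example.test(rw,sec=krb5)
/srv/open  *(rw,sec=sys,no_root_squash)
/srv/net   192.0.2.0/24(rw,no_root_squash)
/srv/krb   *(rw,sec=krb5p,no_root_squash)
EOF
}

# Print "path client" for every entry that combines AUTH_SYS and
# no_root_squash with a client spec broader than one named host.
audit_exports() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    {
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1)
          sub(/\)$/, "", opts)
        }
        # With no sec= option the export defaults to sec=sys.
        sys = 1; seen = 0; nrs = 0
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
          if (o[j] == "no_root_squash") nrs = 1
          if (o[j] ~ /^sec=/) {
            if (!seen) { sys = 0; seen = 1 }
            if ((":" substr(o[j], 5) ":") ~ /:sys:/) sys = 1
          }
        }
        # Wildcards, netgroups (@), networks (/) or an empty client are broad.
        wide = (client == "" || client ~ "[*?/@]")
        if (sys && nrs && wide) print $1, (client == "" ? "(any)" : client)
      }
    }'
}

sample_exports | audit_exports
```

To check a real server, feed it the live file: `audit_exports < /etc/exports`.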

