kerberos & cron - specifically nfsv4 w/sec=krb5p

Booker Bense bbense at gmail.com
Tue Sep 11 22:21:46 EDT 2012


On Tue, Sep 11, 2012 at 12:32 PM, Russ Allbery <rra at stanford.edu> wrote:

> Either NFS doesn't understand matt/cron as a user, or the local daemon
> that handles user credentials can't find the tickets.  I believe you do
> have to be careful about how you name the ticket cache for NFS to pick it
> up.
>

Look into the documentation for rpc.idmapd (or just idmapd). You are going to
have to convince NFS to map user/cron to the user id or vice versa. [1]

The more I think about this the less chance I think it will work in a
reasonable way.

You might be better off creating entirely new uids and twiddling permissions and
ACLs.

- Booker C. Bense

[1] If this can be done on the client side, then it pretty much entirely
defeats much of the security model of NFSv4. If you do it on the server side
you need a many-to-one mapping; I don't know enough about idmapd.conf to know
if that's practical or not.

