kerberos & cron - specifically nfsv4 w/sec=krb5p

Matt Garman matthew.garman at gmail.com
Fri Sep 14 13:58:38 EDT 2012


On Tue, Sep 11, 2012 at 9:21 PM, Booker Bense <bbense at gmail.com> wrote:
> On Tue, Sep 11, 2012 at 12:32 PM, Russ Allbery <rra at stanford.edu> wrote:
>
>> Either NFS doesn't understand matt/cron as a user, or the local daemon
>> that handles user credentials can't find the tickets.  I believe you do
>> have to be careful about how you name the ticket cache for NFS to pick it
>> up.
>>

> [1]- If this can be done on the client side, then it pretty much
> entirely defeats much of the security model of NFSv4. If you do it on
> the server side you need a many-to-one mapping; I don't know enough
> about idmapd.conf to know if that's practical or not.

Can you elaborate a bit on why, if done on the client side, it defeats
the NFSv4 security model?  (Honest question, no doubting your
statement.)

How would using idmapd on the client side as you suggest be
similar/different from Russ's earlier suggestion of exporting the
user's key in kadmin.local with -norandkey?

> You might be better off creating entirely new uids and twiddling
> permissions and ACLs.

That would cause a ripple effect that would frustrate a lot of people. :)
Lots of infrastructure has been built around the "virtually no
security" model of NFSv3.

Thanks again,
Matt
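For readers following the thread, here is the keytab-plus-cron approach the
messages above refer to, written out end to end. This is an added example,
not code from the thread or from any of its participants: it strings together
the three pieces mentioned (exporting the user's key with kadmin.local
-norandkey, naming the ticket cache so rpc.gssd can find it, and the
server-side many-to-one mapping in idmapd.conf). The realm EXAMPLE.COM, the
user matt, the principal matt/cron, the keytab path and the exact [Static]
syntax are assumptions taken from the idmapd.conf(5) and rpc.gssd(8)
documentation as I read them, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: give a cron job its own Kerberos
# identity for a sec=krb5p mount. All names below (EXAMPLE.COM, matt,
# matt/cron, the keytab path) are assumptions.
set -eu

REALM="EXAMPLE.COM"
USER_NAME="matt"
PRINC="${USER_NAME}/cron@${REALM}"
KEYTAB="/home/${USER_NAME}/.cron.keytab"

# Step 1 (on the KDC, as root): export the key of an existing principal
# without rotating it. Plain kadmin's ktadd randomizes the key; only
# kadmin.local accepts -norandkey, which is why the thread names it.
export_keytab_cmd() {
    printf 'kadmin.local -q "ktadd -k %s -norandkey %s"\n' "$1" "$2"
}

# Step 2: pick a ccache name the NFS client daemon can see. rpc.gssd scans
# its ccache directory (/tmp by default, see rpc.gssd -d) for FILE caches
# named krb5cc_* owned by the uid doing the I/O, so a cache written
# elsewhere or under another name is invisible to NFS even though kinit
# and klist are perfectly happy with it.
ccache_for_uid() {
    printf '/tmp/krb5cc_%s_cron\n' "$1"
}

# Step 3: what the cron entry runs before touching the mount.
cron_kinit() {
    uid=$(id -u "$USER_NAME")
    KRB5CCNAME=$(ccache_for_uid "$uid")
    export KRB5CCNAME
    kinit -k -t "$KEYTAB" "$PRINC"
    # the real job follows here; gssd will use the matt/cron ticket
}

# Step 4 (on the NFS server): map the cron principal back onto the plain
# user, so the server treats matt/cron as matt. This is the many-to-one
# mapping the thread mentions; assumed syntax for the "static" method.
idmapd_static_fragment() {
    cat <<EOF
[Translation]
Method = static,nsswitch

[Static]
${USER_NAME}/cron@${REALM} = ${USER_NAME}
EOF
}

# Print the two pieces an admin applies by hand; only run kinit on request.
export_keytab_cmd "$KEYTAB" "$PRINC"
idmapd_static_fragment
if [ "${1:-}" = "--kinit" ]; then
    cron_kinit
fi
```

Running the script without arguments just prints the kadmin.local command
and the idmapd.conf fragment; `--kinit` performs the actual cron-side
login. Note that the keytab holds the user's long-term key, so it must be
mode 0600 and owned by the cron user, and the principal in the cache is
still matt/cron: nothing on the client changes who the server sees, the
server's [Static] mapping does.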

