Kerberos+NFS4

Andreas Hauffe andreas.hauffe at tu-dresden.de
Wed Jul 31 04:50:21 EDT 2013


Ok, this is a behaviour I can understand. If the user was logged in and is now 
completely logged out (even with kdestroy) there is no /tmp/krb5cc_<uid>*. But 
the local root can still access the data with a 'su $USERNAME'. Is there some 
kind of cache?

Andreas

On Wednesday, 31 July 2013, 09:19:44, moritz.willers at ubs.com wrote:
> As long as there is a valid /tmp/krb5cc_<uid>* credential cache on the host,
> the user can access the files over Secure NFS. No matter if you logged in
> as the user or changed to the user using 'su $USERNAME'.
> 
> - mo
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> Of Andreas Hauffe Sent: 31 July 2013 10:01
> To: kerberos at mit.edu
> Subject: Kerberos+NFS4
> 
> Hi,
> 
> I don't know if this is the right place to ask my question, so sorry if not.
> 
> I have installed a Kerberos+LDAP system. The NFS export is done with NFS4.
> At first everything is fine and a local root of a client is not able to read
> the user data inside the export even after a "su $USERNAME". After this
> user has logged in, the local root is able to read all of the users data
> after a "su $USERNAME" without any password. Even after the logout of the
> user the local root can still access the data. As far as I understood the
> process, there should be no Kerberos ticket available on the client, which
> is applied by the local root. Is this a normal behaviour or a configuration
> problem?
-- 
Best regards
Andreas Hauffe
Head of the working group "Design Methods for Aircraft"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
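
Added example (not part of the original thread): a Python audit of the file-based caches the quoted reply describes. It lists /tmp/krb5cc_<uid>* files whose uid has no active session, and additionally flags caches accessible beyond their owner, a check the thread does not discuss. The function names and the use of `who` for session discovery are assumptions, and it does not cover the case in the top message where access persists with no cache file present.

```python
import os
import pwd
import re
import stat
import subprocess

# Matches the /tmp/krb5cc_<uid>* naming from the thread, e.g. krb5cc_1000_AbCdEf
CCACHE_RE = re.compile(r"^krb5cc_(\d+)(?:\D.*)?$")

def audit_ccaches(cache_dir, active_uids):
    """Return (path, uid, reason) for each credential cache worth a look."""
    findings = []
    for name in sorted(os.listdir(cache_dir)):
        m = CCACHE_RE.match(name)
        if not m:
            continue
        path = os.path.join(cache_dir, name)
        st = os.lstat(path)  # lstat: do not follow symlinks placed in /tmp
        if not stat.S_ISREG(st.st_mode):
            continue
        uid = int(m.group(1))
        if uid not in active_uids:
            # Cache left behind: anyone who can become this uid can use it
            findings.append((path, uid, "no active session"))
        elif stat.S_IMODE(st.st_mode) & 0o077:
            findings.append((path, uid, "accessible beyond owner"))
    return findings

def active_uids_from_who():
    """Assumption: `who` lists the interactive sessions on this host."""
    out = subprocess.run(["who"], capture_output=True, text=True).stdout
    uids = set()
    for line in out.splitlines():
        if not line.split():
            continue
        try:
            uids.add(pwd.getpwnam(line.split()[0]).pw_uid)
        except KeyError:
            pass  # login name not resolvable locally
    return uids

if __name__ == "__main__":
    for path, uid, reason in audit_ccaches("/tmp", active_uids_from_who()):
        print(f"{path}\tuid={uid}\t{reason}")
```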


