Kerberos+NFS4
moritz.willers@ubs.com
Wed Jul 31 05:01:20 EDT 2013
I assume this is a Linux client? Yes, the security context established by rpc.gssd is cached.
- mo
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Andreas Hauffe
Sent: 31 July 2013 10:47
To: kerberos at mit.edu
Subject: Re: Kerberos+NFS4
Ok, this is a behaviour I can understand. If the user was logged in and is now
completely logged out (even with kdestroy) there is no /tmp/krb5cc_<uid>*. But
the local root can still access the data with a 'su $USERNAME'. Is there some
kind of cache?
Andreas
On Wednesday, 31 July 2013, 09:19:44, moritz.willers at ubs.com wrote:
> As long as there is a valid /tmp/krb5cc_<uid>* credential cache on the host,
> the user can access the files over Secure NFS. No matter if you logged in
> as the user or changed to the user using 'su $USERNAME'.
>
> - mo
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Andreas Hauffe
> Sent: 31 July 2013 10:01
> To: kerberos at mit.edu
> Subject: Kerberos+NFS4
>
> Hi,
>
> I don't know if this is the right place to ask my question, so sorry if not.
>
> I have installed a Kerberos+LDAP system. The NFS export is done with NFS4.
> At first everything is fine and a local root of a client is not able to read
> the user data inside the export even after a "su $USERNAME". After this
> user has logged in, the local root is able to read all of the user's data
> after a "su $USERNAME" without any password. Even after the logout of the
> user the local root can still access the data. As far as I understood the
> process, there should be no Kerberos ticket available on the client, which
> is applied by the local root. Is this a normal behaviour or a configuration
> problem?
--
Best regards
Andreas Hauffe
Head of the "Design Methods for Aircraft" working group
----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering
D-01062 Dresden
Germany
phone : +49 (351) 463 38496
fax : +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
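
An added example, not part of the original thread: a shell check a host administrator could run to list /tmp/krb5cc_<uid>* credential caches that belong to users with no login session, the files the reply above says keep Secure NFS access working. The function names and the sample file names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report Kerberos credential caches left behind for users
# who no longer have a login session on this host.

# ccache_uid FILE -> prints the uid encoded in a krb5cc_<uid>* file name,
# or nothing when the name does not follow that pattern.
ccache_uid() {
    name=${1##*/}
    case $name in
        krb5cc_[0-9]*) ;;
        *) return 0 ;;
    esac
    rest=${name#krb5cc_}
    printf '%s\n' "${rest%%[!0-9]*}"    # keep only the leading digits
}

# stale_ccaches DIR "UID UID ..." -> prints "uid path" for every
# krb5cc_<uid>* file in DIR whose uid is not in the list of active uids.
stale_ccaches() {
    active=" $2 "
    for f in "$1"/krb5cc_*; do
        [ -f "$f" ] || continue
        uid=$(ccache_uid "$f")
        [ -n "$uid" ] || continue
        case $active in
            *" $uid "*) ;;                       # user still has a session
            *) printf '%s %s\n' "$uid" "$f" ;;   # cache outlived the session
        esac
    done
}

# logged_in_uids -> uids of users that who(1) reports as logged in.
logged_in_uids() {
    who | awk '{print $1}' | sort -u | while read -r user; do
        id -u "$user" 2>/dev/null
    done | tr '\n' ' '
}

# Demo on a constructed directory (file names and uids are made up).
demo() {
    d=$(mktemp -d)
    : > "$d/krb5cc_1000"; : > "$d/krb5cc_1001_AbCdEf"
    stale_ccaches "$d" "1000"     # reports only the uid 1001 cache
    rm -rf "$d"
}
demo
# Real use: stale_ccaches /tmp "$(logged_in_uids)"
```

A cache-file listing does not show the security context that rpc.gssd has already established, which per the reply in this thread stays cached even when no /tmp/krb5cc_<uid>* file remains after kdestroy.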