Kerberos+NFS4

Andreas Hauffe andreas.hauffe at tu-dresden.de
Wed Jul 31 05:05:24 EDT 2013


Yes, it is an OpenSuSE 12.3 client. So this means this is completely normal
behaviour?

Andreas

On Wednesday, 31 July 2013, 10:01:20, moritz.willers at ubs.com wrote:
> I assume this is a Linux client? Yes, the security context established by
> rpc.gssd is cached. - mo
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> Of Andreas Hauffe Sent: 31 July 2013 10:47
> To: kerberos at mit.edu
> Subject: Re: Kerberos+NFS4
> 
> Ok, this is a behaviour I can understand. If the user was logged in and is
> now completely logged out (even with kdestroy) there is no
> /tmp/krb5cc_<uid>*. But the local root can still access the data with a 'su
> $USERNAME'. Is there some kind of cache?
> 
> Andreas
> 
> On Wednesday, 31 July 2013, 09:19:44, moritz.willers at ubs.com wrote:
> > As long as there is a valid /tmp/krb5cc_<uid>* credential cache on the
> > host, the user can access the files over Secure NFS. No matter if you
> > logged in as the user or changed to the user using 'su $USERNAME'.
> > 
> > - mo
> > 
> > -----Original Message-----
> > From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> > Of Andreas Hauffe Sent: 31 July 2013 10:01
> > To: kerberos at mit.edu
> > Subject: Kerberos+NFS4
> > 
> > Hi,
> > 
> > I don't know if this is the right place to ask my question, so sorry if
> > not.
> > 
> > I have installed a Kerberos+LDAP system. The NFS export is done with NFS4.
> > At first everything is fine and a local root of a client is not able to read
> > the user data inside the export even after a "su $USERNAME". After this
> > user has logged in, the local root is able to read all of the user's data
> > after a "su $USERNAME" without any password. Even after the logout of the
> > user the local root can still access the data. As far as I understood the
> > process, there should be no Kerberos ticket available on the client, which
> > is applied by the local root. Is this a normal behaviour or a configuration
> > problem?
-- 
Best regards
Andreas Hauffe
Head of the working group "Auslegungsmethoden für Luftfahrzeuge"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
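
The thread ties access over Secure NFS to a `/tmp/krb5cc_<uid>*` credential cache remaining on the client. The following is an added example, not code from the thread or from MIT Kerberos: a scan that reports such file caches belonging to uids that have no session on the host. The function names and the caller-supplied `active_uids` set are assumptions, and the scan covers only the file caches, not the security context that rpc.gssd has already established and cached.

```python
import os
import re
import stat
import tempfile

# Matches the file cache names discussed in the thread:
# krb5cc_<uid> and krb5cc_<uid>_<suffix>.
CCACHE_RE = re.compile(r"^krb5cc_(\d+)(?:_.*)?$")


def leftover_ccaches(cache_dir, active_uids):
    """Return sorted (uid, path, owner_mismatch) for caches of uids with no session.

    active_uids is supplied by the caller (assumption: taken from the host's
    session accounting), which keeps the scan itself deterministic.
    """
    findings = []
    for name in os.listdir(cache_dir):
        m = CCACHE_RE.match(name)
        if not m:
            continue
        path = os.path.join(cache_dir, name)
        st = os.lstat(path)  # lstat: never follow a symlink placed in a shared /tmp
        if not stat.S_ISREG(st.st_mode):
            continue
        uid = int(m.group(1))
        if uid in active_uids:
            continue
        # A cache named for one uid but owned by another deserves a closer look.
        findings.append((uid, path, st.st_uid != uid))
    return sorted(findings)


def demo():
    """Run the scan over a constructed directory standing in for /tmp."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("krb5cc_1000", "krb5cc_1001_AbC123", "krb5cc_root", "notes.txt"):
            open(os.path.join(d, name), "w").close()
        os.mkdir(os.path.join(d, "krb5cc_1002"))  # not a regular file, skipped
        found = leftover_ccaches(d, active_uids={1000})
        return [(uid, os.path.basename(p)) for uid, p, _ in found]


if __name__ == "__main__":
    for uid, name in demo():
        print(f"uid {uid} has no session but cache {name} remains")
```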


