Kerberos+NFS4

Andreas Hauffe andreas.hauffe at tu-dresden.de
Wed Jul 31 07:15:02 EDT 2013


Do you know if there is a way to clear the cache at least at a logout of the
user?

Andreas

On Wednesday, 31 July 2013, 10:24:17 you wrote:
> Yes. The cached context does time out eventually. - mo
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> Of Andreas Hauffe Sent: 31 July 2013 11:05
> To: kerberos at mit.edu
> Subject: Re: Kerberos+NFS4
> 
> Yes, it is an OpenSuSE 12.3 client. So this means, this is a completely
> normal behaviour?
> 
> Andreas
> 
> On Wednesday, 31 July 2013, 10:01:20 moritz.willers at ubs.com wrote:
> > I assume this is a Linux client? Yes, the security context established by
> > rpc.gssd is cached. - mo
> > 
> > -----Original Message-----
> > From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> > Of Andreas Hauffe Sent: 31 July 2013 10:47
> > To: kerberos at mit.edu
> > Subject: Re: Kerberos+NFS4
> > 
> > Ok, this is a behaviour I can understand. If the user was logged in and is
> > now completely logged out (even with kdestroy) there is no
> > /tmp/krb5cc_<uid>*. But the local root can still access the data with a
> > 'su $USERNAME'. Is there some kind of cache?
> > 
> > Andreas
> > 
> > On Wednesday, 31 July 2013, 09:19:44 moritz.willers at ubs.com wrote:
> > > As long as there is a valid /tmp/krb5cc_<uid>* credential cache on the
> > > host, the user can access the files over Secure NFS. No matter if you
> > > logged in as the user or changed to the user using 'su $USERNAME'.
> > > 
> > > - mo
> > > 
> > > -----Original Message-----
> > > From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> > > Of Andreas Hauffe Sent: 31 July 2013 10:01
> > > To: kerberos at mit.edu
> > > Subject: Kerberos+NFS4
> > > 
> > > Hi,
> > > 
> > > I don't know if this is the right place to ask my question, so sorry if
> > > not.
> > > 
> > > I have installed a Kerberos+LDAP system. The NFS export is done with NFS4.
> > > At first everything is fine and a local root of a client is not able to read
> > > the user data inside the export even after a "su $USERNAME". After this
> > > user has logged in, the local root is able to read all of the user's data
> > > after a "su $USERNAME" without any password. Even after the logout of the
> > > user the local root can still access the data. As far as I understood the
> > > process, there should be no Kerberos ticket available on the client, which
> > > is applied by the local root. Is this normal behaviour or a configuration
> > > problem?
-- 
Best regards
Andreas Hauffe
Head of the working group "Auslegungsmethoden für Luftfahrzeuge"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
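
Added example, not part of the original thread and not code from any of its posters: a client-side audit that lists `/tmp/krb5cc_<uid>*` credential caches whose owning uid no longer has any running process, which is the condition the first reply describes as letting a local `su $USERNAME` reach the user's files. The function names `stale_krb5_caches` and `uid_has_processes` are hypothetical, the script assumes a Linux `/proc` and `stat -c`, and it only sees cache files, not the security context cached by rpc.gssd that the later replies mention.

```shell
#!/bin/sh
# Added example: report leftover Kerberos credential caches on an NFS client.
# Assumption: caches follow the /tmp/krb5cc_<uid>* naming quoted in the thread.

# Return 0 if any process on this host runs under the given numeric uid.
# Assumption: Linux /proc, where each /proc/<pid> directory is owned by
# the uid of the process.
uid_has_processes() {
    for p in /proc/[0-9]*; do
        [ "$(stat -c %u "$p" 2>/dev/null)" = "$1" ] && return 0
    done
    return 1
}

# Print every krb5cc_<uid>* file in DIR (default /tmp) whose uid has no
# running process, i.e. a cache that outlived the user's session.
stale_krb5_caches() {
    dir=${1:-/tmp}
    for cc in "$dir"/krb5cc_*; do
        [ -e "$cc" ] || continue           # glob matched nothing
        name=${cc##*/krb5cc_}              # e.g. "1000_AbCdEf" or "1000"
        uid=${name%%[!0-9]*}               # keep the leading digits only
        [ -n "$uid" ] || continue          # name does not start with a uid
        if ! uid_has_processes "$uid"; then
            printf '%s\n' "$cc"
        fi
    done
}

# Stand-alone run: audit the directory given as $1, or /tmp.
stale_krb5_caches "${1:-/tmp}"
```

A cache listed here can be removed with `kdestroy -c <file>` run as its owner or as root; a natural place to run the audit is a logout hook or a periodic job.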


