NFSv4 and root access [SOLUTION]

Jaap jwinius@umrk.nl
Tue Jun 3 22:17:26 EDT 2014


On Fri, 30 May 2014 10:57:45 -0500, Matt Garman wrote:

> Then under the [Static] section of idmapd.conf (on the nfsv4 server), I
> have:
> matt/cron@REALM = matt
> 
> *** Note that you also need "static" listed as one of your GSS-Methods
> under the [Translation] section of idmapd.conf, i.e.:
> 
> [Translation]
> GSS-Methods = nsswitch,static
> 
> That one confused me for a while when I was setting this up!


Yes, I have a solution! You practically spelled it out for me, Matt. 
Consequently, after just a little more perseverance I hit upon a 
configuration that worked for me. In case you're interested (comments 
welcome)...

** On the client (hostname: daboia.umrk.nl)

* In /etc/fstab:

cerastes.umrk.nl:/ /nfs nfs4 sec=krb5i,rw,_netdev,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0


* In /etc/idmapd.conf:

[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = umrk.nl
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup


* The name of the host principal used is:

host/daboia.umrk.nl@UMRK.NL


** On the server (hostname: cerastes.umrk.nl)

* In /etc/fstab:

/data2 /nfs/data2 none bind 0 0
/data4 /nfs/data4 none bind 0 0


* Exported directory structure:

root@cerastes:~# ll /nfs
total 32K
drwxr-xr-x  7 root    root    4.0K Jun  4 02:40 ./
drwxr-xr-x 25 root    root    4.0K Jun  4 02:39 ../
drwxr-xr-x  2 root    root    4.0K Apr  6 11:17 data/
drwxr-xr-x  2 jwinius jwinius 4.0K Jun  4 02:38 data2/
drwxr-xr-x  2 jwinius jwinius 4.0K May 24 16:42 data3/
drwxr-xr-x  2 jwinius jwinius 4.0K Jun  4 02:57 data4/
drwxr-xr-x  2 jwinius jwinius 4.0K Jun  4 02:39 data5/
drwxr-xr-x  2 root    root    4.0K Jun  4 03:26 data6/


* In /etc/exports:

/nfs       gss/krb5i(ro,no_root_squash,no_subtree_check,crossmnt,fsid=0)
/nfs/data  gss/krb5i(ro,no_root_squash,no_subtree_check)
/nfs/data2 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data3 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data4 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data5 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data6 gss/krb5i(rw,root_squash,no_subtree_check)


* In /etc/idmapd.conf:

[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = umrk.nl
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Static]
host/daboia.umrk.nl@UMRK.NL = root
[Translation]
GSS-Methods = nsswitch,static


* The name of the host principal used is:

root/cerastes.umrk.nl@UMRK.NL

Note: I could just as well have used 'host/cerastes.umrk.nl@UMRK.NL'


* But, /etc/krb5.keytab also contains key entries for:

nfs/cerastes.umrk.nl@UMRK.NL


After running only a few tests, I noticed that despite how /etc/exports and the /nfs directory look, I could only write to /nfs/data2 and data4. That's apparently because these were mounted separately with the 'bind' option, while /nfs/data, data3 and data5 are either specified in /etc/exports as 'ro' and/or are actual subdirectories of /nfs. Furthermore, even though it's also bind-mounted, as root I could not write to /nfs/data6 because of the 'root_squash' option, so under the right circumstances that mechanism still works as well.

Oh, and after I've logged into the client myself and written something to 
the server, my client automatically obtains a few extra service tickets:

jwinius@daboia:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: jwinius@UMRK.NL

Valid starting    Expires           Service principal
04/06/2014 03:49  05/06/2014 03:49  krbtgt/UMRK.NL@UMRK.NL
04/06/2014 03:50  05/06/2014 03:49  nfs/cerastes.umrk.nl@
04/06/2014 03:50  05/06/2014 03:49  nfs/cerastes.umrk.nl@UMRK.NL

That seems normal to me. However, I don't see these service tickets 
being obtained after I've written stuff as the root user to one of the 
exports on the server. Any idea why?

Anyway, in principle it looks like I'm now ready to migrate to NFSv4. :-)

Thanks, Matt!

Cheers,

Jaap
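The configuration above combines two things an auditor wants to see together: a [Static] idmapd mapping that turns a client host principal into the server's root user, and exports that carry no_root_squash. The following script is an added example (not part of the thread or of any nfs-utils tool) that parses the /etc/exports and idmapd.conf formats shown in the post, checks that 'static' is actually enabled in GSS-Methods (the detail Matt flagged), and reports which principals end up with unsquashed root on which rw exports. The sample inputs are constructed from the post's own configuration.

```python
import re
from configparser import ConfigParser

# Constructed sample inputs, copied from the configuration posted above.
EXPORTS = """\
/nfs       gss/krb5i(ro,no_root_squash,no_subtree_check,crossmnt,fsid=0)
/nfs/data2 gss/krb5i(rw,no_root_squash,no_subtree_check)
/nfs/data6 gss/krb5i(rw,root_squash,no_subtree_check)
"""

IDMAPD_CONF = """\
[General]
Domain = umrk.nl
[Static]
host/daboia.umrk.nl@UMRK.NL = root
[Translation]
GSS-Methods = nsswitch,static
"""

# exports(5) line: <path> <client>(<opt>,<opt>,...)
EXPORT_LINE = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)\s*$")

def parse_exports(text):
    """Return (path, client, [options]) tuples, ignoring comments/blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = EXPORT_LINE.match(line) if line else None
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).split(",")))
    return entries

def static_root_principals(text):
    """Principals the [Static] section maps to root, but only when 'static'
    is listed in [Translation] GSS-Methods; otherwise the section is inert."""
    cp = ConfigParser()
    cp.optionxform = str            # keep principal names case-sensitive
    cp.read_string(text)
    methods = cp.get("Translation", "GSS-Methods", fallback="nsswitch")
    if "static" not in [m.strip() for m in methods.split(",")]:
        return []
    return [p for p, user in cp.items("Static") if user == "root"]

def unsquashed_rw_exports(entries):
    """Exports where a remote root keeps uid 0 and can write."""
    return [path for path, _client, opts in entries
            if "rw" in opts and "no_root_squash" in opts]

def audit(exports_text, idmapd_text):
    """Map each root-mapped principal to the exports it can write to as root."""
    paths = unsquashed_rw_exports(parse_exports(exports_text))
    return {p: paths for p in static_root_principals(idmapd_text)}
```

On the sample input only /nfs/data2 is reported: /nfs is ro and /nfs/data6 keeps root_squash, matching the behaviour observed in the post.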


