nfsv4 sec=krb5p and user impersonation

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Thu Sep 11 15:47:38 EDT 2014



> However, I'd still like to understand the underlying mechanics to explain my
> original scenarios and why I can't reproduce your example above.

The following suggests that spoofing a user as root may require running rpc.gssd with -n... I think I'd suggest su-ing to the user account because getting it to work from root may be complicated.

From "http://linux.die.net/man/8/rpc.gssd":

By default, rpc.gssd treats accesses by the user with UID 0 specially, and uses "machine credentials" for all accesses by that user which require Kerberos authentication. With the -n option, "machine credentials" will not be used for accesses by UID 0. Instead, credentials must be obtained manually like all other users. Use of this option means that "root" must manually obtain Kerberos credentials before attempting to mount an nfs filesystem requiring Kerberos authentication.



