username/cron principals and cron

Rainer Krienke krienke at uni-koblenz.de
Wed May 6 04:10:48 EDT 2015


Hello to everyone,

thank you Frank and thank you Robert for your answers. I tried to find
out more. Being root on an NFS4 client I ran the following commands with
different results. Before I tried this I commented out my auth_to_local
rules from /etc/krb5.conf:


# su username -c "/usr/bin/kinit username/cron@MYREALM; touch /home/username/xx"
Password for username/cron@MYREALM: ******
touch: cannot touch `/home/username/xx': Permission denied

and after a reboot of the NFS client and after kdestroying all the
/tmp/krb5_* caches I ran this:

# su username -c "/usr/bin/kinit username@MYREALM; touch /home/username/xx"
Password for username@MYREALM: ******
# <success: no error message>

So using principal username/cron@MYREALM does not permit the unix user
username to write to NFS, while principal username@MYREALM does.

Behind the scenes there is an LDAP server that NFS client and server are
configured to use in order to find out e.g. the uid of user "username" for
id mapping. Running getent passwd username returns the same entry with the
same unix uid and gid on both sides.

So the question for me is, should a principal "username/cron" be
automatically mapped to a local unix user "username" so that
"username" is then allowed to access an NFS4 mounted directory that
belongs to "username"? This is what does not work for me at the moment.

Does anyone have such a setup that's working? Is perhaps some kind of
flag needed for the kerberos cron principal to make it work?
If I try to play around with auth_to_local rules, which to my
understanding are intended for this purpose, where do I have to define
them? On the NFS client, the NFS server or the Kerberos server, or on all
of them?

Thanks a lot
Rainer

On 05.05.2015 at 16:43, Frank Cusack wrote:
> I'm surprised you need a mapping at all.  The default mapping should
> simply strip any instance component.  What happens if you kinit
> "manually" with username/cron using a password?
> 
> On Tue, May 5, 2015 at 4:24 AM, Rainer Krienke <krienke at uni-koblenz.de
> <mailto:krienke at uni-koblenz.de>> wrote:
> 
>     Hello,
> 
>     I am setting up a kerberos/NFS4 environment. Basically everything seems
>     to work. Every user has of course a principal username@MYREALM, where
>     username is the unix user name. The users' homes are on a kerberos/NFS4
>     mounted directory.
> 

-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse  1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
1001312
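
As an added example (not code from this thread, from MIT krb5 or from nfs-utils), the following Python re-implements the documented semantics of the auth_to_local rules Rainer asks about and evaluates them against the two principals from his test. The krb5.conf fragments in it are constructed for the example, and the RULE line is a hypothetical rule that maps any <user>/cron@MYREALM to <user>; MYREALM is assumed to be the default realm. It also shows why DEFAULT alone cannot produce the mapping: per the MIT krb5.conf documentation, DEFAULT only applies to a single-component principal in the default realm, so username/cron@MYREALM falls through it.

```python
"""Evaluate MIT-style auth_to_local rules from a krb5.conf fragment.

Added example, not code from the thread or from MIT krb5.  It reimplements
the documented RULE / DEFAULT semantics in plain Python so a rule that maps
username/cron@MYREALM to "username" can be checked before roll-out.
Assumptions: MYREALM is the default realm; the conf text is constructed.
"""
import re
from typing import List, Optional, Tuple

# Constructed krb5.conf fragment.  The RULE line is hypothetical: it maps
# principals of the form <user>/cron@MYREALM to the local user <user>.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = MYREALM

[realms]
    MYREALM = {
        auth_to_local = RULE:[2:$1;$2](.*;cron)s/;cron$//
        auth_to_local = DEFAULT
    }
"""

# Same realm with only the DEFAULT rule (what an unconfigured realm gets).
DEFAULT_ONLY_CONF = """
[realms]
    MYREALM = {
        auth_to_local = DEFAULT
    }
"""

# RULE:[n:string](regexp)s/pattern/replacement/g   (regexp and s/// optional)
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)")
SUB_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def parse_rules(conf_text: str, realm: str) -> List[str]:
    """Collect the auth_to_local values inside `realm = { ... }`."""
    rules: List[str] = []
    in_block = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not in_block:
            if re.fullmatch(rf"{re.escape(realm)}\s*=\s*\{{", line):
                in_block = True
            continue
        if line == "}":
            break
        m = re.fullmatch(r"auth_to_local\s*=\s*(.+)", line)
        if m:
            rules.append(m.group(1).strip())
    return rules


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'user/inst@REALM' -> (['user', 'inst'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name:
        raise ValueError(f"not a principal name: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, components: List[str], realm: str,
               default_realm: str) -> Optional[str]:
    """Local name produced by one rule, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT: single-component principal in the default realm only.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    m = RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    n, fmt, selector, subs = m.groups()
    if int(n) != len(components):
        return None                      # wrong number of components
    # $0 is the realm, $1..$n the components.
    vals = {"0": realm, **{str(i + 1): c for i, c in enumerate(components)}}
    selected = re.sub(r"\$(\d+)", lambda mm: vals.get(mm.group(1), ""), fmt)
    # The selector regex must match the whole selected string.  Simplified
    # parse (assumption): the regex runs up to the first ')'.
    if selector is not None and re.fullmatch(selector, selected) is None:
        return None
    for sm in SUB_RE.finditer(subs):
        pattern, repl, flag = sm.groups()
        selected = re.sub(pattern, repl, selected, count=0 if flag else 1)
    return selected


def map_principal(principal: str, conf_text: str,
                  default_realm: str) -> Optional[str]:
    """First applicable rule wins; None means the conversion fails."""
    components, realm = split_principal(principal)
    for rule in parse_rules(conf_text, realm):
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for label, conf in (("rule+DEFAULT", SAMPLE_KRB5_CONF),
                        ("DEFAULT only", DEFAULT_ONLY_CONF)):
        for p in ("username@MYREALM", "username/cron@MYREALM",
                  "host/nfs.example.org@MYREALM"):
            print(f"{label:13} {p:30} -> {map_principal(p, conf, 'MYREALM')}")
```

These rules are evaluated by libkrb5 (krb5_aname_to_localname) on whichever host performs the principal-to-user conversion, so they belong in the krb5.conf of that host, not the KDC's. For kerberized NFSv4 the conversion happens on the NFS server, in its idmapper (rpc.svcgssd or gss-proxy with libnfsidmap), which has its own principal-to-uid logic and does not necessarily consult auth_to_local at all; check that path on the server (idmapd.conf and the idmapper's debug output) before relying on a krb5.conf rule to make username/cron@MYREALM land on uid "username".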

