Correct way to provide access to kerberised NFS services to daemon/system users ?
Laura Smith
n5d9xq3ti233xiyif2vp at protonmail.ch
Fri Aug 2 18:24:58 EDT 2019
I have a NFS share which I am mounting on as follows in the fstab:
foo.example.com:/srv/share/foo /mnt/foo nfs4 defaults,sec=krb5p,noexec,nosuid,_netdev,auto 0 0
On the server, exports reads as follows:
/srv/share/backups/foo foo.example.com(rw,sync,sec=krb5p,all_squash,subtree_check,anonuid=473,anongid=474)
The NFS share mounts perfectly on the client.
Root can read/write/delete from the share perfectly.
But a "standard" user can't do anything, e.g.
/mnt$ ls
ls: cannot access 'foo': Permission denied
The purpose of this share is to, for example, allow system services running as lesser users to save files. Therefore non-root access is key.
So what is the correct way to allow system/daemon service users to get a kerberos ticket to gain access to the NFS share (which I assume is the underlying problem here ?)
Obviously a daemon cannot be expected to do a normal kerberos login.
Or are there better ways to mount a NFS share at system level for all users to acccess ?
I'm guessing more than one person here has come across the problem.
More information about the Kerberos
mailing list