Correct way to provide access to kerberised NFS services to daemon/system users ?

Laura Smith n5d9xq3ti233xiyif2vp at protonmail.ch
Fri Aug 2 18:24:58 EDT 2019


I have a NFS share which I am mounting on  as follows in the fstab:

foo.example.com:/srv/share/foo /mnt/foo nfs4 defaults,sec=krb5p,noexec,nosuid,_netdev,auto 0 0


On the server, exports reads as follows:
/srv/share/backups/foo foo.example.com(rw,sync,sec=krb5p,all_squash,subtree_check,anonuid=473,anongid=474)


The NFS share mounts perfectly on the client.
Root can read/write/delete from the share perfectly.

But a "standard" user can't do anything, e.g.


/mnt$ ls
ls: cannot access 'foo': Permission denied


The purpose of this share is to, for example, allow system services running as lesser users to save files. Therefore non-root access is key.

So what is the correct way to allow system/daemon service users to get a kerberos ticket to gain access to the NFS share (which I assume is the underlying problem here ?)

Obviously a daemon cannot be expected to do a normal kerberos login.

Or are there better ways to mount a NFS share at system level for all users to acccess ?

I'm guessing more than one person here has come across the problem.



More information about the Kerberos mailing list