2022-10-17 20:56:55

by Dorian Taylor (Lists)

Subject: non-root user mounting NFSv4 with sec=krb5{,i,p}

Greetings List,

I have been successfully using a non-root user on a Linux client to mount (with an appropriate fstab entry) NFSv4 using Kerberos for about a year now, but it only works if I do the following:

* run `rpc.gssd -n` as root
* run `kinit mynonrootuser@REALM` as root (from a login shell, not su/sudo)
* also run `kinit` as mynonrootuser (expected).

This "works", for some definition of the term, but I consider it to be limping along. Since NFS needs two tickets to authenticate, the main failure mode is that root's ticket (for the non-root principal) predictably doesn't get renewed when the Kerberos infrastructure renews the ordinary ticket, seizing up any affected mounts. It’s a marginally tolerable configuration for a personal laptop but altogether inappropriate for much else.

I tracked the problem last year down to a mismatched uid in the pipefs protocol (see thread <https://marc.info/?l=linux-nfs&m=164029845630159&w=2>). It seems like a simple enough bug to fix but as I mentioned in the previous thread, if I knew where it was happening I'd have sent a patch by now. I am curious if there has been any attempt to fix this in the last year.

Regards,

--
Dorian Taylor
Make things. Make sense.
https://doriantaylor.com
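
An added example, not part of the original message: a check for the failure mode described above, where root's copy of the ticket lapses while the user's own ticket is still valid. It assumes MIT-style `klist` output; the cache paths, sample listings and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample `klist` listings (MIT layout assumed), not taken from the message.
ROOT_CACHE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mynonrootuser@REALM

Valid starting       Expires              Service principal
10/17/2022 08:00:00  10/17/2022 18:00:00  krbtgt/REALM@REALM
"""
USER_CACHE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mynonrootuser@REALM

Valid starting       Expires              Service principal
10/17/2022 16:30:00  10/18/2022 02:30:00  krbtgt/REALM@REALM
"""

ROW = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(krbtgt/\S+)$", re.M)

def parse_time(text):
    # klist prints local time; two- and four-digit years both occur.
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")

def tgt_state(klist_text):
    """Return (default principal, TGT expiry) from one klist listing."""
    principal = re.search(r"^Default principal: (\S+)$", klist_text, re.M)
    row = ROW.search(klist_text)
    if not principal or not row:
        return None, None
    return principal.group(1), parse_time(row.group(2))

def check_pair(root_text, user_text, now):
    """Name the condition that would stall the mount, or 'ok'."""
    root_princ, root_exp = tgt_state(root_text)
    user_princ, user_exp = tgt_state(user_text)
    if user_exp is None or user_exp <= now:
        return "user ticket missing or expired"
    if root_princ != user_princ:
        return "root cache holds a different principal"
    if root_exp is None or root_exp <= now:
        return "root copy expired while user ticket is valid"
    return "ok"
```

In use, the two listings would come from running `klist -c` against root's cache and the user's cache, with `now` taken from `datetime.now()`.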

