Greetings List,
I have been successfully using a non-root user on a Linux client to mount (with an appropriate fstab entry) NFSv4 using Kerberos for about a year now, but it only works if I do the following:
* run `rpc.gssd -n` as root
* run `kinit mynonrootuser@REALM` as root (from a login shell, not su/sudo)
* also run `kinit` as mynonrootuser (expected).
This "works", for some definition of the term, but I consider it to be limping along. Since NFS needs two tickets to authenticate, the main failure mode is root's ticket (for the non-root principal) predictably doesn't get renewed when the Kerberos infrastructure renews the ordinary ticket, seizing up any affected mounts. It’s a marginally-tolerable configuration for a personal laptop but altogether inappropriate for much else.
I tracked the problem last year down to a mismatched uid in the pipefs protocol (see thread <https://marc.info/?l=linux-nfs&m=164029845630159&w=2>). It seems like a simple enough bug to fix but as I mentioned in the previous thread, if I knew where it was happening I'd have sent a patch by now. I am curious if there has been any attempt to fix this in the last year.
Regards,
--
Dorian Taylor
Make things. Make sense.
https://doriantaylor.com