Return-Path:
Received: from filter.openoffice.nl ([217.170.2.175]:54942 "EHLO filter.openoffice.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756378Ab0KRPH0 (ORCPT ); Thu, 18 Nov 2010 10:07:26 -0500
Message-ID: <4CE54128.2070602@blub.net>
Date: Thu, 18 Nov 2010 16:07:20 +0100
From: Valentijn Sessink
To: Kevin Coffman
CC: linux-nfs@vger.kernel.org
Subject: Re: no_root_squash (and valid KRB root-ticket)
References: <4CE294DD.6010508@blub.net> <4CE3B3B9.8040208@openoffice.nl> <4CE4F910.4080601@blub.net>
In-Reply-To:
Content-Type: text/plain; charset=UTF-8
Sender: linux-nfs-owner@vger.kernel.org
List-ID:
MIME-Version: 1.0

Hi Kevin,

Kevin Coffman wrote:
>>> On your server, you can map "host/client.machine@REALM" to root. (Or
>>> "nfs/client.machine@REALM" or "root/client.machine@REALM", depending
>>> on what key you have on the client.)

>> As far as I can see, that would mean that anyone
>> with root rights on the client (thus being able to read the machine
>> keys) would have root rights on the server share, wouldn't it?

> Isn't that the equivalent of no_root_squash? (root on the client ==
> root on the server)

It used to be, when local UID = server UID was the fine way of
authenticating - but with KRB authentication, the idea is that you
authenticate to the server.

To summarize: when your UID=0 on the client, you cannot be root at the
server, because UID=0 is handled differently by gssd. If you have any
other UID, you can map this to UID=0 on the server - either by using
"kinit root" at the client, or by setting up a specific mapping for
libnfsidmap.

Thanks for your help.

Best regards,

Valentijn
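As an added illustration, not part of the original thread, this is the shape of the "specific mapping for libnfsidmap" that the reply mentions: a server-side idmapd.conf that enables the static translation method and maps one client principal to the local root account. The realm, hostnames and domain are placeholders I chose, and the exact section and key names reflect libnfsidmap's documented [Translation]/[Static] configuration as I understand it; check them against the idmapd.conf(5) man page on the server in question.

```ini
# /etc/idmapd.conf on the NFS server (added example; realm, domain and
# hostnames are placeholders, not values taken from the thread)
[General]
Domain = example.com

[Translation]
# Try the usual nsswitch lookup first, then fall back to the [Static]
# section below for principals that nsswitch cannot resolve.
Method = nsswitch,static

[Static]
# Exact-match mapping of a GSS principal to a local account. Only the
# principal written here is affected; every other client keeps the
# default behaviour (UID 0 on the client is not root on the server).
# Whoever can use this client's keytab, i.e. root on that client, is
# root on the exported share, which is the trade-off the thread is about.
host/client.example.com@EXAMPLE.COM = root
```

After editing the file, the daemon that performs the principal-to-user translation on the server (rpc.svcgssd and/or rpc.idmapd, depending on the distribution and kernel version) has to be restarted before the mapping takes effect. Because the lookup is an exact string match, a principal for a different service on the same host, such as nfs/client.example.com@EXAMPLE.COM, is not mapped unless it is listed separately.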