Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access

Reply: Rick Macklem : "Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access"
In reply to: Rick Macklem : "Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Andreas Kempe <kempe_at_lysator.liu.se>
Date: Sun, 14 Apr 2024 15:26:06 UTC

On Sat, Mar 30, 2024 at 04:01:50PM -0700, Rick Macklem wrote:
> On Sat, Mar 30, 2024 at 2:45 PM Andreas Kempe <kempe@lysator.liu.se> wrote:
> > Did you have a look at the owner field in the open reqest that created
> > the file? To me, it looks very strange. Could it be that the client
> > isn't sending a correct owner in the creation request, causing the
> > server to map it to nobody?
> The only setable attribute specified by the Open request is "mode".
> That just means that the server is expected to create the file with
> an ownership of the Kerberos principal used in the RPC credentials.
> 
> Now, if you are doing the RPC as root, that will result in nobody (or
> a failure to create the file, depending upon directory permissions).
> There is no way to know what user principal is represented by the
> RPCSEC_GSS credentials, since they are a shorthand for the
> Kerberos credentials presented in a Null RPC that happens
> when there is no credential.
> 
> When creating a file, the user creating the file will need to have
> a valid TGT in the client's credential cache.
> 
> And the user principal name (without @REALM) must be a name
> in the passwd database.
> 

After having let this brew in the back of my mind for a while, I
realised what the issue was thanks to you explaining the use of the
principal to figure out the user.

For our usecase, I wanted to only authenticate the machine because
users have cronjobs running in their home directories, users want to
access each other's files and log in using SSH keys. I was mounting
using

	-o nfsv4,sec=krb5p,allgssname,gssname=host

thinking that allgssname would allow users to use the machine's
principal and that ownership information would be sent along with the
requests. From what you wrote, Rick, I gather that this causes all
users to be mapped to nobody because the machine's principal is used.

Removing allgssname and doing a kinit has things working as expected
when I mount using

	-o nfsv4,sec=krb5p,gssname=host

and makes me own files I create.

Am I correct in thinking that Kerberos isn't really designed to be
used for only authenticating the machine? Users having to always have
their own valid Kerberos ticket doesn't really work for us.

Best regards,
Andreas Kempe