Re: Kerberos on diskless clients

On Tue, 2010-06-15 at 13:44 +0200, John S. Skogtvedt wrote:
> On 15 June 2010 12:51, Jonas Smedegaard wrote:
> > On Tue, Jun 15, 2010 at 12:02:57PM +0200, John S. Skogtvedt wrote:
> >>
> >> With /skole/tjener/home0, the problem is that the machine itself needs a
> >> "$hostname/nfs" principal with corresponding secret key. It's not enough
> >> that the user can authenticate to Kerberos.
> > 
> > Oh. I was unaware that the machine needed a separate key for NFS. 
> > Problem, yes!
> > 
> > What exactly does a $host/nfs key grant access to? The whole partition,
> > encrypted by user keys, or the whole partition, unencrypted?
> > 
> I'm not a Kerberos/NFSv4 expert, but AFAIK it's a ticket-granting ticket
> (TGT) which firstly gives the machine read-only access to the entire
> exported filesystem, and secondly allows the machine to grant a RW
> ticket to the user. Kerberos is used to authenticate writes, and
> optionally for encryption as well.
> > Would AFS perhaps provide a key structure better suited for this?  My
> > question here is _only_ about the key structure - AFS might have other
> > limitations making it unsuitable, but the act of comparing key handling
> > might help understand possible/sane approaches.
> > 
> > Ideally we would use a filesystem requiring only user key to
> > authenticate.  Hmm - would it perhaps be possible (while still secure)
> > to create and permit a $user/nfs keypair acting as host key for
> > .../home* mount points?


I've been dealing with these same issues recently, and after testing it
looks like machine credentials are not needed to get diskless clients
working with Kerberos.

What I have understood is that with NFSv4 the machine credentials are
used for the initial mount + root access. For the initial mount
credentials any credentials are actually ok and if rpc.gssd is run with
-n option, it uses existing credentials for the mount. When using
sec=krb5 access to users' home directories on the mounted directory then
requires valid credentials for the user.

I haven't really tested the root access part here as I have always used
root_squash on all the exports.

Using a user's credentials instead of a keytab means, of course, that the
mount works only as long as the credentials are valid.

man rpc.gssd

-n     By default, rpc.gssd treats accesses by the user with UID 0
       specially, and uses "machine credentials" for all accesses by that
       user which require Kerberos authentication. With the -n option,
       "machine credentials" will not be used for accesses by UID 0.
       Instead, credentials must be obtained manually like all other
       users. Use of this option means that "root" must manually
       obtain Kerberos credentials before attempting to mount an nfs
       filesystem requiring Kerberos authentication.
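As an added example (not part of this mail or of any Debian Edu script), here is a small POSIX shell audit for a diskless client set up the way described above: it confirms that the home export is mounted with sec=krb5/krb5i/krb5p rather than sec=sys, and that the logged-in user actually holds an nfs/ service ticket for the file server, since with rpc.gssd -n the user's own ticket cache is all there is. The /proc/mounts and klist output embedded below are constructed sample data; the server name tjener.intern and the realm EXAMPLE.ORG are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits NFSv4 mounts on a
# diskless client that relies on user credentials (rpc.gssd -n) instead
# of a machine keytab. Sample data below is constructed; the server name
# tjener.intern and realm EXAMPLE.ORG are assumptions.

# Constructed /proc/mounts excerpt: the home export uses Kerberos, a
# second export (apt cache) does not.
SAMPLE_MOUNTS='tjener:/skole/tjener/home0 /skole/tjener/home0 nfs4 rw,relatime,vers=4.0,sec=krb5,clientaddr=10.0.2.15 0 0
tjener:/var/cache/apt /var/cache/apt nfs4 ro,relatime,vers=4.0,sec=sys 0 0'

# Constructed klist output for a user who has already touched home0:
# a TGT plus an nfs/ service ticket for the file server.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
06/15/10 13:00:00  06/15/10 23:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
06/15/10 13:01:10  06/15/10 23:00:00  nfs/tjener.intern@EXAMPLE.ORG'

# home_mount_is_kerberized MOUNTPOINT [mounts-text]
# Returns 0 if the NFS mount at MOUNTPOINT uses sec=krb5, krb5i or krb5p,
# 1 if it is sec=sys (or shows no sec= option), 2 if nothing is mounted
# there. The second argument defaults to the live /proc/mounts.
home_mount_is_kerberized() {
    mp=$1
    mounts=${2:-$(cat /proc/mounts)}
    flavor=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '
        $2 == mp && ($3 == "nfs" || $3 == "nfs4") {
            found = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^sec=/) { sub(/^sec=/, "", o[i]); print o[i]; exit }
            print "sys"    # no sec= option shown: treat as AUTH_SYS
            exit
        }
        END { if (!found) print "unmounted" }')
    case $flavor in
        krb5|krb5i|krb5p) return 0 ;;
        unmounted)        return 2 ;;
        *)                return 1 ;;
    esac
}

# has_nfs_service_ticket SERVER [klist-text]
# Returns 0 if the credential cache holds a ticket for nfs/SERVER@...,
# i.e. the user has authenticated to the NFS server with their own
# credentials. The second argument defaults to the live klist output.
has_nfs_service_ticket() {
    srv=$1
    out=${2:-$(klist 2>/dev/null)}
    printf '%s\n' "$out" | awk -v srv="$srv" '
        $NF ~ ("^nfs/" srv "@") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Stand-alone report over the constructed sample.
for mp in /skole/tjener/home0 /var/cache/apt; do
    if home_mount_is_kerberized "$mp" "$SAMPLE_MOUNTS"; then
        echo "$mp: Kerberos-authenticated (valid user credentials required)"
    else
        echo "$mp: NOT Kerberos-protected (sec=sys or not mounted)"
    fi
done
if has_nfs_service_ticket tjener.intern "$SAMPLE_KLIST"; then
    echo "user holds an nfs/tjener.intern service ticket"
else
    echo "no nfs/ service ticket yet: run kinit before accessing home"
fi
```

Run without arguments on a real client (after dropping the sample data) the two functions read /proc/mounts and klist directly; the ticket check is the one that goes stale once the user's credentials expire, which is exactly the failure mode noted above for keytab-less mounts.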
