
Re: Kerberos on diskless clients



On 07 July 2010 00:43, Veli-Matti Lintu wrote:
> On Tue, 2010-06-15 at 13:44 +0200, John S. Skogtvedt wrote:
>> On 15 June 2010 12:51, Jonas Smedegaard wrote:
>>> On Tue, Jun 15, 2010 at 12:02:57PM +0200, John S. Skogtvedt wrote:
>>>>
>>>> With /skole/tjener/home0, the problem is that the machine itself needs a
>>>> "$hostname/nfs" principal with corresponding secret key. It's not enough
>>>> that the user can authenticate to Kerberos.
>>>
>>> Oh. I was unaware that the machine needed a separate key for NFS. 
>>> Problem, yes!
>>>
>>> What exactly do a $host/nfs key grant access to? The whole partition,
>>> encrypted by user keys, or the whole partition, unencrypted?
>>>
>>
>> I'm not a Kerberos/NFSv4 expert, but AFAIK it's a ticket-granting ticket
>> (TGT) which firstly gives the machine read-only access to the entire
>> exported filesystem, and secondly allows the machine to grant a RW
>> ticket to the user. Kerberos is used to authenticate writes, and
>> optionally for encryption as well.
>>
>>> Would AFS perhaps provide a key structure better suited for this?  My
>>> question here is _only_ about the key structure - AFS might have other
>>> limitations making it unsuitable, but the act of comparing key handling
>>> might help understand possible/sane approaches.
>>>
>>> Ideally we would use a filesystem requiring only user key to
>>> authenticate.  Hmm - would it perhaps be possible (while still secure)
>>> to create and permit a $user/nfs keypair acting as host key for
>>> .../home* mount points?
> 
> Hi,
> 
> I've been dealing with these same issues recently and after testing it
> looks like machine credentials are not needed to get diskless clients
> working with kerberos.
> 
> What I have understood is that with NFSv4 the machine credentials are
> used for the initial mount + root access. For the initial mount
> credentials any credentials are actually ok and if rpc.gssd is run with
> -n option, it uses existing credentials for the mount. When using
> sec=krb5 access to users' home directories on the mounted directory then
> requires valid credentials for the user.
> 
> I haven't really tested the root access part here as I have always used
> root_squash on all the exports.
> 
> Using user's credentials instead of a keytab means of course that the
> mount works only as long as the credentials are valid.
> 
> 
> man rpc.gssd
> 
> -n     By default, rpc.gssd treats accesses by the user with UID 0
>        specially, and uses "machine credentials" for all accesses by that
>        user which require Kerberos authentication.  With the -n option,
>        "machine  credentials"  will  not be used for accesses by UID 0.
>        Instead, credentials must be obtained manually  like  all  other
>        users.   Use  of  this  option  means  that "root" must manually
>        obtain Kerberos credentials before attempting to  mount  an  nfs
>        filesystem requiring Kerberos authentication.
> 
> 
> Veli-Matti
> 
> 

Thanks, this is very helpful. Which DM/desktop did you test with? gdm
for instance used to (or still does) check as root if the user's
home directory existed, which might cause problems.

I will try to test with debian-edu within the next two weeks.

John.
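As an added example (not code from this thread, from debian-edu or from nfs-utils), the following Python script checks the three settings the discussion above hinges on: whether rpc.gssd is started with -n so that root does not fall back to machine credentials, whether every writable export demands a krb5 security flavour and keeps root_squash, and whether the resulting NFSv4 mounts on the client actually negotiated sec=krb5. It assumes the Debian-style RPCGSSDOPTS variable in /etc/default/nfs-common and the standard /etc/exports and /proc/mounts formats; the sample file contents are constructed for illustration and belong to no real host.

```python
"""Audit NFSv4/Kerberos settings discussed in the thread (added example).

The three SAMPLE_* strings below are constructed stand-ins for
/etc/exports, /proc/mounts and /etc/default/nfs-common; replace them
with the real files to audit a host.
"""
import re
import shlex

# Constructed sample of /etc/exports (syntax: path client(options) ...)
SAMPLE_EXPORTS = """\
# home directories: Kerberos only, root squashed
/skole/tjener/home0  10.0.2.0/23(rw,sec=krb5:krb5i:krb5p,root_squash,sync)
# diskless root image: read-only, AUTH_SYS is acceptable here
/opt/ltsp            10.0.2.0/23(ro,sec=sys,no_root_squash,async)
/srv/scratch         *(rw,no_root_squash)
"""

# Constructed sample of /proc/mounts lines on a diskless client
SAMPLE_MOUNTS = """\
tjener:/home0 /skole/tjener/home0 nfs4 rw,relatime,vers=4,sec=krb5,clientaddr=10.0.2.55 0 0
tjener:/ltsp /opt/ltsp nfs4 ro,relatime,vers=4,sec=sys,clientaddr=10.0.2.55 0 0
tjener:/scratch /srv/scratch nfs4 rw,relatime,vers=4,sec=sys,clientaddr=10.0.2.55 0 0
"""

# Constructed sample of /etc/default/nfs-common (Debian; RPCGSSDOPTS assumed)
SAMPLE_NFS_COMMON = """\
NEED_GSSD=yes
RPCGSSDOPTS="-n"
"""


def parse_exports(text):
    """Return (path, client, option-set) for every client entry in an exports file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path = fields[0]
        for client_spec in fields[1:]:
            m = re.match(r"([^(]*)(?:\((.*)\))?$", client_spec)
            client = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, client, opts))
    return entries


def _sec_flavors(opts, default="sys"):
    """Security flavours from a sec= option; exportfs/mount default to AUTH_SYS."""
    sec = next((o.split("=", 1)[1] for o in opts if o.startswith("sec=")), default)
    return sec.split(":")


def audit_exports(text):
    """Flag exports where root on a client is root on the server, or where
    writes are possible without Kerberos authentication."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors = _sec_flavors(opts)
        if "no_root_squash" in opts:
            findings.append(f"{path} -> {client}: no_root_squash set")
        if "rw" in opts and "sys" in flavors:
            findings.append(f"{path} -> {client}: writable with sec=sys")
    return findings


def audit_mounts(text):
    """Flag NFS mounts that are read-write but did not negotiate a krb5 flavour."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[2].startswith("nfs"):
            continue
        src, mnt, opts = fields[0], fields[1], fields[3].split(",")
        sec = _sec_flavors(opts)[0]
        if "rw" in opts and not sec.startswith("krb5"):
            findings.append(f"{mnt} ({src}): mounted rw with sec={sec}")
    return findings


def gssd_uses_machine_creds_for_root(text):
    """True unless rpc.gssd is given -n; without -n, UID 0 accesses use the
    host keytab ("machine credentials") as described in the man page above."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("RPCGSSDOPTS="):
            return "-n" not in shlex.split(line.split("=", 1)[1])
    return True


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS) + audit_mounts(SAMPLE_MOUNTS):
        print("WARN", f)
    if gssd_uses_machine_creds_for_root(SAMPLE_NFS_COMMON):
        print("WARN rpc.gssd will use machine credentials for root")
```

On the constructed input the script reports no_root_squash on /opt/ltsp and /srv/scratch, an unauthenticated writable export and mount for /srv/scratch, and nothing for the Kerberos-only home directory export, while confirming that rpc.gssd runs with -n.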

