Bug#601550: [nfs-kernel-server] Root is always squashed when using sec=gss/krb5
Package: nfs-kernel-server
Version: 1:1.1.2-6lenny2
Severity: normal
--- Please enter the report below this line. ---
I have a NFSv4 server exports configured as follows:
/export
gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check,async)
/export/users
gss/krb5(rw,nohide,insecure,no_root_squash,no_subtree_check,async)
On the other side I have clients with autofs configration like:
* -fstype=nfs4,rw,soft,intr,bg,nosuid,nodev,sec=krb5,port=2049,proto=tcp
nfs.mydomain.cz:/users/&
Everythink works great for regular users but when root is always squashed even
when I set no_root_squash. I tried a configuration without kerberos and it
worked as expected (I just removed gss/krb5 and sec=krb5 from configurations).
Using kerberos root is always mapped to nobody:nogroup. Output from idmapd:
root@server# rpc.idmapd -c /etc/idmapd.conf -f -vvv
rpc.idmapd: libnfsidmap: using domain: localdomain
rpc.idmapd: libnfsidmap: using translation method: nsswitch
rpc.idmapd: Expiration time is 600 seconds.
rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
rpc.idmapd: nfsdcb: authbuf=gss/krb5 authtype=user
rpc.idmapd: Server: (user) id "0" -> name "root@localdomain"
rpc.idmapd: nfsdcb: authbuf=gss/krb5 authtype=group
rpc.idmapd: Server: (group) id "0" -> name "root@localdomain"
rpc.idmapd: nfsdcb: authbuf=gss/krb5 authtype=user
rpc.idmapd: Server: (user) id "2000" -> name "ares@localdomain"
rpc.idmapd: nfsdcb: authbuf=gss/krb5 authtype=group
rpc.idmapd: Server: (group) id "2000" -> name "ares@localdomain"
--- System information. ---
Debian Release: 5.0.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8) (ignored:
LC_ALL set to cs_CZ.UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages nfs-kernel-server depends on:
ii libblkid1 1.41.3-1 block device id library
ii libc6 2.7-18lenny6 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libgssglue1 0.1-2 mechanism-switch gssapi library
ii libkrb53 1.6.dfsg.4~beta1-5lenny4 MIT Kerberos runtime libraries
ii libnfsidmap2 0.20-1 An nfs idmapping library
ii librpcsecgss3 0.18-1 allows secure rpc communication
us
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers
libra
ii lsb-base 3.2-20 Linux Standard Base 3.2 init
scrip
ii nfs-common 1:1.1.2-6lenny2 NFS support files common to client
ii ucf 3.0016 Update Configuration File: preserv
nfs-kernel-server recommends no packages.
nfs-kernel-server suggests no packages.
Reply to: