
NFSv4+Kerberos shares and ownership (root:root)



Hello,

I'm trying to set up a new NFSv4 server with Kerberos as authentication.
The shares are exported as expected and I'm able to mount them using
krb5i authentication on the NFS clients.

My problem is ownership and permission management on the exported
shares. I need the shares and their content to be owned by root:root and
read-write access by root to the shares on the clients is required.

I understand that NFSv4 usually squashes root accesses and maps them to
another UID/GID. This is turned off with 'no_root_squash'. Seems like
that's not true in my case, or I'm missing something:

When I set ownership of the exported shares to root:root on the server,
root on the client is not allowed to write to them:

client:~# mkdir /home/test
mkdir: cannot create directory ‘/home/test’: Permission denied

If I chown the exported share to nobody:nogroup on the server, then I'm
able to write as user root. But newly created files/dirs will be owned by
nobody:nogroup and it's impossible to chown the objects afterwards.


My shares are configured the following way in /etc/exports on the NFS
server:
/export 192.168.0.1/24(sec=krb5i,rw,sync,no_subtree_check,no_root_squash,fsid=0)
/export/home 192.168.0.1/24(sec=krb5i,rw,sync,no_subtree_check,no_root_squash)

And the client configuration (/etc/fstab) looks as follows:
server:/home /home nfs4 sec=krb5i,bg 0 0

Is it possible to configure NFSv4+Kerberos in such a way that shares for
root:root are writeable by clients and that I'm able to use/modify
UID/GID based permissions/ownership on NFS shares from the client?

Btw, I didn't find relevant log entries either on client or on server,
even though I enabled debug options for rpcmountd, idmapd and svcgssd.

I used the following documentation as reference for my setup:
https://wiki.debian.org/NFS/Kerberos
https://help.ubuntu.com/community/NFSv4Howto#NFSv4_with_Kerberos
https://help.ubuntu.com/community/Kerberos
http://wiki.ubuntuusers.de/Kerberos/NFS_mit_Kerberos_sichern

Cheers,
 jonas

