write permissions on Kerberos secured NFS share
Hi,
I'm struggling with getting the permissions on an NFS share right.
Mounting the NFS share on my client works. Read/write access as user
'root' works, and read access as user 'mail' works as well after I
successfully authenticated at the Kerberos server as that user 'mail'.
The Kerberos server and the NFS server are the same machine.
Only write-access to the NFS share as user 'mail' doesn't work. The
share directory is owned by 'mail:mail' both on the server and on the
client. UID and GID are the same (8) for 'mail' on server and client.
What am I missing here?
svr# cat /etc/exports
/export XXX.XX.XX.XXX(sec=krb5i,rw,sync, \
no_subtree_check,no_root_squash,fsid=0)
/export/vmail XXX.XX.XX.XXX(sec=krb5i,rw,sync, \
no_subtree_check,no_root_squash)
svr# showmounts --exports
/export/vmail XXX.XX.XX.XXX
/export XXX.XX.XX.XXX
svr# ls -ald /export/vmail
drwxr-xr-x 3 mail mail 4096 Jun 28 12:58 /export/vmail
clt# grep vmail /etc/fstab
nfs-server:/vmail /var/vmail nfs4 sec=krb5i 0 0
clt# mount | grep vmail
nfs-server:/vmail on /var/vmail type nfs4 (rw,relatime,vers=4.0, \
rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0, \
timeo=600,retrans=2,sec=krb5i,clientaddr=XXX.XX.XX.XXX, \
local_lock=none,addr=XXX.XX.XX.XXX)
clt# ls -ald /var/vmail
drwxrwsr-x 2 mail mail 4096 Oct 17 2014 /var/mail
root@clt# echo test >/var/vmail/test.txt
root@clt# cat /var/vmail/test.txt
test
root@clt# su -s /bin/sh -c "cat /var/vmail/test.txt" mail
test
root@clt# su -s /bin/sh -c "touch /var/vmail/test" mail
touch: cannot touch ‘/var/vmail/test’: Permission denied
The Kerberos ticket for local user 'mail' is managed by k5start:
clt# ps -ef |grep k5start | grep mail
root 8965 1 0 16:04 ? 00:00:00 /usr/bin/k5start -u \
mail/nfs-client -o mail -p /var/run/k5start-mail.pid -b \
-f /etc/krb5.keytab -L -K 30
I don't understand why I don't have write access to the share as client
user 'mail' (authenticated to Kerberos server as 'mail/nfs-client').