Re: write permissions on Kerberos secured NFS share



On 06/28/2015 07:51 PM, Jonas Meurer wrote:
> root@clt# su -s /bin/sh -c "cat /var/vmail/test.txt" mail
> test
> root@clt# su -s /bin/sh -c "touch /var/vmail/test" mail
> touch: cannot touch ‘/var/vmail/test’: Permission denied
> 
> The Kerberos ticket for local user 'mail' is managed by k5start:
> 
> clt# ps -ef |grep k5start | grep mail
> root   8965  1  0 16:04 ?     00:00:00 /usr/bin/k5start -u \
> 	mail/nfs-client -o mail -p /var/run/k5start-mail.pid -b \
> 	-f /etc/krb5.keytab -L -K 30
> 
> I don't understand why I don't have write access to the share as client
> user 'mail' (authenticated to the Kerberos server as 'mail/nfs-client').

What ticket cache is k5start using? Does the user mail have
access to it and does it know about it after su?

What do the following commands say?

# single quotes: $KRB5CCNAME must expand in mail's shell, not in root's
su -s /bin/sh -c 'echo $KRB5CCNAME' mail
su -s /bin/sh -c 'klist' mail

It appears to me that you are running k5start as root and it uses
the root user's default ticket cache - which is a) not known and
b) not accessible to the mail user.

You will probably want to specify the -k /path/to/cache and -o mail
options to k5start - and you probably want to explicitly set
KRB5CCNAME=FILE:/path/to/cache before running anything as the user
mail.

Christian
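The corrected k5start setup and the diagnostic the reply asks for, as an added example (not code from either poster). It assumes the keytab holds mail/nfs-client, that the local user is 'mail' with Debian's uid 8 (check with `id -u mail`), and that the cache is placed at /tmp/krb5cc_8; that path is a choice made here, picked because it is MIT Kerberos' default cache name for uid 8 and the name rpc.gssd scans /tmp for when it looks up a user's credentials for a sec=krb5 mount. The file name, the -m 0600 mode and the check_ccache/diagnose helpers are this example's, not k5start's.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: /etc/krb5.keytab
# holds mail/nfs-client, local user 'mail' has uid 8, and the cache lives at
# /tmp/krb5cc_8 (MIT default for uid 8; also where rpc.gssd looks by default).
KEYTAB=/etc/krb5.keytab
PRINC=mail/nfs-client
CCUSER=mail
CCUID=8
CCACHE=/tmp/krb5cc_$CCUID

# k5start invocation with an explicit cache: -k names the file, -o/-g/-m
# hand it to the target user with mode 0600. -b, -L, -K 30, -f, -u and -p
# are the options already used in the thread.
k5start_cmdline() {
    printf '%s\n' "/usr/bin/k5start -b -L -K 30 -f $KEYTAB -u $PRINC -k $CCACHE -o $CCUSER -g $CCUSER -m 0600 -p /var/run/k5start-$CCUSER.pid"
}

# The setting to export before running anything as $CCUSER.
ccache_env() {
    printf 'KRB5CCNAME=FILE:%s\n' "$CCACHE"
}

# Verify the cache exists, is owned by the expected user and is 0600.
# Returns 0 when all three hold, 1 (with a hint on stderr) otherwise.
check_ccache() {
    f=$1; want=$2
    if [ ! -f "$f" ]; then
        echo "check_ccache: $f missing; is k5start running with -k $f?" >&2
        return 1
    fi
    # `ls -ld` prints "-rw------- 1 owner group size date name".
    set -- $(ls -ld "$f")
    mode=$1; owner=$3
    if [ "$owner" != "$want" ]; then
        echo "check_ccache: $f owned by $owner, not $want; add -o $want" >&2
        return 1
    fi
    case "$mode" in
        -rw-------*) return 0 ;;  # only the owner can read the TGT
        *) echo "check_ccache: $f mode $mode, expected -rw------- (-m 0600)" >&2
           return 1 ;;
    esac
}

# The checks the reply asks for, run as $CCUSER. Single quotes are
# deliberate: "echo $KRB5CCNAME" in double quotes would expand in root's
# shell before su runs and report root's cache instead of the user's.
diagnose() {
    su -s /bin/sh -c 'echo "KRB5CCNAME=$KRB5CCNAME"; klist' "$CCUSER"
}

# Full procedure: start k5start with a known cache, check it, then repeat
# the write test from the thread with KRB5CCNAME set explicitly. Only runs
# as `K5_DEMO_RUN=1 sh this.sh` by root, since it needs the keytab and a
# Kerberos-secured mount.
main() {
    eval "$(k5start_cmdline)" || exit 1
    sleep 1                      # give k5start a moment to write the cache
    check_ccache "$CCACHE" "$CCUSER" || exit 1
    export "$(ccache_env)"
    diagnose
    su -s /bin/sh -c 'touch /var/vmail/test && echo "write OK"' "$CCUSER"
}
if [ "${K5_DEMO_RUN:-0}" = 1 ]; then main; fi
```

One caveat worth knowing for NFS specifically: the kernel does not consult the process's KRB5CCNAME at all; rpc.gssd finds the credentials for a uid by scanning /tmp (or the directory given with its -d option) for files named krb5cc_<uid>*. A cache at an arbitrary path under /var/run would make klist happy but still leave the mount unauthenticated for that uid, which is why the example puts the cache at /tmp/krb5cc_8 and sets KRB5CCNAME to the same path.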
