[Freeipa-users] insecure IPA'd NFS
Chris Evich
cevich at redhat.com
Thu May 10 13:37:28 UTC 2012
On 05/09/2012 06:18 PM, Steven Jones wrote:
> Hi,
>
> Thanks so I will remove the sec=sys bit and re-test..and then I
> assume it will be kerberos only.....
This is not true, it's documented in the exports man page how you can
assign different permissions depending on the security type. For example:
/nfsroot/stuff *(crossmnt,no_subtree_check,async,sec=krb5p,rw,root_squash,sec=sys,ro,all_squash)
This makes it so users with valid kerberos creds have rw access (though
root is squashed). W/o a kerberos ticket, a user can still read stuff,
but all ownership information is squashed.
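
Added example (not part of the original message and not FreeIPA or nfs-utils code): a small Python audit that works out, per security flavor, what an exports line like the one above actually grants, and reports any client for which sec=sys is still accepted. The function names are hypothetical, and it models only the five options exports(5) allows to vary per flavor.

```python
import re

# Constructed sample: the export line from the message above, on one line.
SAMPLE = ("/nfsroot/stuff "
          "*(crossmnt,no_subtree_check,async,sec=krb5p,rw,root_squash,"
          "sec=sys,ro,all_squash)")

# The five options exports(5) allows to differ per security flavor.
EFFECT = {
    "ro": ("rw", False), "rw": ("rw", True),
    "root_squash": ("root_squash", True),
    "no_root_squash": ("root_squash", False),
    "all_squash": ("all_squash", True),
}
CLIENT_RE = re.compile(r"([^()\s]*)\(([^)]*)\)")


def flavor_access(line):
    """Return (path, {client: {flavor: effective settings}})."""
    path, *specs = line.split()
    clients = {}
    for spec in specs:
        match = CLIENT_RE.fullmatch(spec)
        if not match:
            continue  # bare client without an option list: not handled here
        client, optstr = match.groups()
        # exports(5) defaults: read-only, root squashed.
        base = {"rw": False, "root_squash": True, "all_squash": False}
        flavors, current = {}, None
        for opt in filter(None, optstr.split(",")):
            if opt.startswith("sec="):
                current = opt[4:].split(":")
                for name in current:
                    flavors.setdefault(name, dict(base))
            elif opt in EFFECT:
                key, value = EFFECT[opt]
                # Before any sec= the option is shared; after one it
                # applies only to the flavors of the preceding sec=.
                targets = [flavors[n] for n in current] if current else [base]
                for target in targets:
                    target[key] = value
        # Assumption: with no sec= option the export is served as sec=sys.
        clients[client or "*"] = flavors or {"sys": base}
    return path, clients


def unauthenticated_access(line):
    """List (path, client, settings) where AUTH_SYS (sec=sys) is accepted."""
    path, clients = flavor_access(line)
    return [(path, c, f["sys"]) for c, f in clients.items() if "sys" in f]
```

Run over each non-comment line of /etc/exports, a non-empty result from unauthenticated_access() marks an export that is not Kerberos-only.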