[Freeipa-users] issues with nfs4 privileges.
Simo Sorce
simo at redhat.com
Fri Jun 20 16:27:32 UTC 2014
On Fri, 2014-06-20 at 18:02 +0200, Rob Verduijn wrote:
> Hello,
>
> I'm a bit at loss with my freeipa kerberized nfs4 shares.
>
> the nfs4 shares mount fine and users can read and write their files.
> However pulse audio does not work properly, and some programs fail to start.
> When logging in with a local account using a local homedrive
> pulseaudio works, and the programs also work.
> Also oddjob is not capable of creating a home dir for a new user.
>
> root is not allowed to write in the home mount on the client (mkdir
> test and touch test get a Permission denied)
>
> I don't think its selinux, because setenforce 0 on the nfs-server and
> setenforce 0 on the nfs client did not help.
Indeed it is not selinux nor anything client related, when you use
kerberized NFSv4 *all* accesses including root must be authenticated.
When your "local" root user tries to access the mount point, either it
cannot authenticate or it uses the system keytab to authenticate, in
both cases, w/o further configuration on the server these accesses are
mapped to the nobody user or refused outright.
If you really want to trust *every* client to have full *root* access on
your server then you need to make sure the client is using the host
keytab when acting as root (default unless you pass -n to rpc.gssd) then
you need to map explicitly the client's hosts keys to the root account
on the server.
add:
host/client.host.name at YOUR.REALM = root
in the [static] section of idmapd.conf
See idmapd.conf(5) for details.
> freeipa policies seem to be working fine, sudo rules are applied the
> way I expect them.
> Logging in on all the machines works, automounting works like a charm,
> except for the situations described above.
>
> server details are below
>
> Anybody who can tell me what I've missed ?
What you've missed is simply that clients are not allowed to act as root
on NFS mounts by default, it's a security issue, because a compromised
client can then do what it want's with all NFS shared data regardless of
user permissions.
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list