[Freeipa-users] issues with nfs4 privileges.

Rob Verduijn rob.verduijn at gmail.com
Fri Jun 20 16:57:13 UTC 2014


Hi Simo,

Thanks for the quick answer, I will consider the root implications.
However, what about PulseAudio not working?
The logs complain about that one not being able to write in home as well.

Rob

2014-06-20 18:27 GMT+02:00 Simo Sorce <simo at redhat.com>:
> On Fri, 2014-06-20 at 18:02 +0200, Rob Verduijn wrote:
>> Hello,
>>
>> I'm a bit at loss with my freeipa kerberized nfs4 shares.
>>
>> the nfs4 shares mount fine and users can read and write their files.
>> However PulseAudio does not work properly, and some programs fail to start.
>> When logging in with a local account using a local homedrive
>> pulseaudio works, and the programs also work.
>> Also oddjob is not capable of creating a home dir for a new user.
>>
>> root is not allowed to write in the home mount on the client (mkdir
>> test and touch test get a Permission denied)
>>
>> I don't think it's SELinux, because setenforce 0 on the nfs-server and
>> setenforce 0 on the nfs client did not help.
>
> Indeed it is not selinux nor anything client related, when you use
> kerberized NFSv4 *all* accesses including root must be authenticated.
>
> When your "local" root user tries to access the mount point, either it
> cannot authenticate or it uses the system keytab to authenticate, in
> both cases, w/o further configuration on the server these accesses are
> mapped to the nobody user or refused outright.
>
> If you really want to trust *every* client to have full *root* access on
> your server then you need to make sure the client is using the host
> keytab when acting as root (default unless you pass -n to rpc.gssd) then
> you need to map explicitly the client's hosts keys to the root account
> on the server.
> add:
>  host/client.host.name@YOUR.REALM = root
> in the [static] section of idmapd.conf
>
> See idmapd.conf(5) for details.
>
>> freeipa policies seem to be working fine, sudo rules are applied the
>> way I expect them.
>> Logging in on all the machines works, automounting works like a charm,
>> except for the situations described above.
>>
>> server details are below
>>
>> Anybody who can tell me what I've missed ?
>
> What you've missed is simply that clients are not allowed to act as root
> on NFS mounts by default, it's a security issue, because a compromised
> client can then do what it wants with all NFS shared data regardless of
> user permissions.
>
> HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
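Added example, not part of the original thread and not code from the nfs-utils or FreeIPA projects: a small audit helper that reads an idmapd.conf on the NFS server, answers "which local user does this GSS principal end up as" the way Simo describes (a matching [Static] entry wins, anything else falls back to Nobody-User), and lists every client host principal that has been mapped to root. That last list is the set of clients whose local root is trusted with root on the export, which is exactly the trade-off Simo warns about. The sample configuration, the hostnames and the realm are constructed placeholders; the lookup is a simplified model of the behaviour described above, not idmapd's own code, and real deployments should still be checked with the server's actual idmapd and rpc.gssd logging.

```python
import configparser

# Constructed sample idmapd.conf for the NFS server (placeholder hosts and
# realm, not taken from the original post).  Two clients have their host
# keys mapped to root, one service principal is mapped to a plain user.
SAMPLE_IDMAPD_CONF = """\
[General]
Verbosity = 0
Domain = example.test

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Static]
host/client1.example.test@EXAMPLE.TEST = root
host/client2.example.test@EXAMPLE.TEST = root
nfs/client3.example.test@EXAMPLE.TEST = nfsuser
"""


def load_idmapd(text):
    """Parse an idmapd.conf-style INI text, preserving key case.

    Kerberos principals are case-sensitive, so configparser's default
    lowercasing of option names must be switched off.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _static_sections(cp):
    # idmapd.conf(5) documents the section as [Static]; accept the lowercase
    # spelling used in the thread as well.
    return [s for s in ("Static", "static") if cp.has_section(s)]


def static_mapping(cp, principal):
    """Return the local user a GSS principal is mapped to.

    Simplified model of the behaviour described in the thread: an explicit
    [Static] entry wins, otherwise the principal becomes Nobody-User.
    """
    for section in _static_sections(cp):
        if cp.has_option(section, principal):
            return cp.get(section, principal)
    return cp.get("Mapping", "Nobody-User", fallback="nobody")


def root_trusted_clients(cp):
    """List every principal whose [Static] mapping is root.

    Each host principal in this list is a client whose local root is granted
    full root over the exported data, regardless of per-user permissions.
    """
    trusted = []
    for section in _static_sections(cp):
        for principal, user in cp.items(section):
            if user == "root":
                trusted.append(principal)
    return sorted(trusted)


def host_principal(client_fqdn, realm):
    """Principal a client presents when rpc.gssd uses the machine keytab for UID 0."""
    return "host/%s@%s" % (client_fqdn, realm.upper())


if __name__ == "__main__":
    conf = load_idmapd(SAMPLE_IDMAPD_CONF)
    print("Client hosts mapped to root on this server:")
    for p in root_trusted_clients(conf):
        print("  ", p)
    unmapped = host_principal("client9.example.test", "example.test")
    print(unmapped, "->", static_mapping(conf, unmapped))
```

Run it against a copy of the server's /etc/idmapd.conf to see which clients have been granted root; an empty list means root on every client is still being mapped to nobody, which is the default Simo describes and the reason mkdir and touch fail.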