How to access NFSv4 shared folder with Kerberos authentication without root rights

I'm setting up an NFSv4 shared folder with Kerberos authentication. The issue I'm facing is that when the user on the client machine runs mount /mnt (see the fstab configuration below), he is not able to access the /mnt directory.
It's due to the rights on the Kerberos ticket, I guess. Indeed, when I do so, I only get a ticket which belongs to root.



Client = 192.168.1.2 and server = 192.168.1.1; both are running Ubuntu 18.04.1.



Here are the command lines:



user@client:~$ mount -vvv /mnt
mount.nfs4: timeout set for Mon Sep 10 16:55:58 2018
mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.1,clientaddr=192.168.1.2'

user@client:~$ cd /mnt
bash: cd: /mnt: Permission denied

user@client:~$ ll /tmp/krb5ccmachine_DOMAIN.FR
-rw------- 1 root root 1628 sept. 10 16:53 /tmp/krb5ccmachine_DOMAIN.FR

user@client:~$ sudo klist -c /tmp/krb5ccmachine_DOMAIN.FR
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting Expires Service principal
10/09/2018 16:53:42 11/09/2018 02:53:42 krbtgt/DOMAIN.FR@DOMAIN.FR
renew until 11/09/2018 16:53:42
10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/server.domain.fr@
renew until 11/09/2018 16:53:42
10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/server.domain.fr@DOMAIN.FR
renew until 11/09/2018 16:53:42

root@client:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/client.domain.fr@DOMAIN.FR
3 nfs/client.domain.fr@DOMAIN.FR


I found that when I do a "kinit" of nfs/client.domain.fr with user rights and then run the mount command, I can access the /mnt directory:



user@client:~$ kinit nfs/client.domain.fr -t Documents/krb5.keytab 
keytab specified, forcing -k
user@client:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting Expires Service principal
10/09/2018 17:22:59 11/09/2018 03:22:59 krbtgt/DOMAIN.FR@DOMAIN.FR
renew until 11/09/2018 17:22:59

user@client:~$ mount /mnt
user@client:~$ cd /mnt
user@client:/mnt$ ll
total 12
drwxrwxrwx 3 root root 4096 sept. 4 10:30 ./
drwxr-xr-x 24 root root 4096 sept. 4 11:09 ../
drwxrwxrwx 2 root root 4096 sept. 10 16:14 media/

user@client:/mnt$ ll /tmp/krb5cc*
-rw------- 1 user user 2037 sept. 10 17:23 /tmp/krb5cc_1000
-rw------- 1 root root 1628 sept. 10 17:23 /tmp/krb5ccmachine_DOMAIN.FR

user@client:/mnt$ sudo klist /tmp/krb5ccmachine_DOMAIN.FR
[sudo] Mot de passe de user :
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting Expires Service principal
10/09/2018 17:23:35 11/09/2018 03:23:35 krbtgt/DOMAIN.FR@DOMAIN.FR
renew until 11/09/2018 17:23:35
10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/server.domain.fr@
renew until 11/09/2018 17:23:35
10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/server.domain.fr@DOMAIN.FR
renew until 11/09/2018 17:23:35


My configuration files:



/etc/fstab on client machine:



# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=14d26733-1eb1-4c23-b6eb-7be5564675a6 / ext4 errors=remount-ro 0 1
/swapfile none swap sw 0 0
server:/ /mnt nfs4 proto=tcp,port=2049,sec=krb5p,noauto,user 0 0


/etc/fstab on server:



# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=6edf6c8d-be74-4908-91c4-4c7bb453bc76 / ext4 errors=remount-ro 0 1
/swapfile none swap sw 0 0
/home/media /export/media none bind 0 0


/etc/exports on server:



# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/export 192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
/export/media 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)


A user with uid=1000 and gid=1000 exists on client and server. I also tried with the root_squash option.



/etc/krb5.conf on both client and server:



[logging]
default = FILE:/tmp/krb5libs.log
kdc = FILE:/tmp/krb5kdc.log
admin_server = FILE:/tmp/kadmind.log

[libdefaults]
default_realm = DOMAIN.FR

# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true

[realms]
DOMAIN.FR = {
kdc = kdc.domain.fr
admin_server = kerberos.domain.fr
default_domain = domain.fr
}

[domain_realm]
.domain.fr = DOMAIN.FR
domain.fr = DOMAIN.FR


/etc/default/nfs-kernel-server on server:



# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --debug all"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv"


/etc/default/nfs-common on both client and server:



# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".


# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


/etc/hosts on both client and server:



127.0.0.1 localhost

# server
192.168.1.1 server.domain.fr server
192.168.1.1 domain.fr
# Client
192.168.1.2 client.domain.fr client


Logs of the KDC:



sept. 10 16:48:06 server krb5kdc[545](info): setting up network...
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
sept. 10 16:48:06 server krb5kdc[545](info): set up 6 sockets
sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: NEEDED_PREAUTH: nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR, Additional pre-authentication required
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR
sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for nfs/server.domain.fr@DOMAIN.FR


So now I'm only able to mount the shared folder and access it with the root user on the client machine, because the ticket I get belongs to root. Is it possible to get a ticket which belongs to user?
I would like to know if it is possible to mount the shared directory as user and access it without doing the kinit before.
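The KDC log in the question shows only the machine principal nfs/client.domain.fr obtaining a ticket for the NFS service; no user principal ever appears, which is consistent with uid 1000 having no credential cache of its own. The script below is an added example, not the asker's code: it parses krb5kdc request lines of the format shown above and reports which principals were issued a ticket for a given NFS service principal, whether any of them is a user rather than a host/service principal, and whether any ticket was issued with a deprecated encryption type. The sample log is constructed from the question's own lines.

```python
"""Summarise an MIT krb5kdc log: who obtained tickets, for what, with which enctypes.

Added example for the question above, not the asker's code. The sample log is
constructed from the request lines the question's KDC log shows.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: the request lines from the question's KDC log.
SAMPLE_KDC_LOG = """\
sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: NEEDED_PREAUTH: nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR, Additional pre-authentication required
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR
sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for nfs/server.domain.fr@DOMAIN.FR
"""

# Kerberos encryption type numbers as krb5kdc prints them.
ETYPE_NAMES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}
# 3DES and RC4 are deprecated (RFC 8429); a ticket issued with one of them deserves a look.
WEAK_ETYPES = {16, 23}

# "<kind> (<n> etypes <list>) <addr>: <status>: [authtime N, etypes rep=.. tkt=.. ses=.., ]<client> for <service>[, text]"
LINE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+), )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)


@dataclass
class KdcEvent:
    kind: str                  # AS_REQ = TGT request, TGS_REQ = service ticket request
    addr: str                  # address the request came from
    status: str                # ISSUE, NEEDED_PREAUTH, ...
    client: str                # requesting (client) principal
    service: str               # requested service principal
    offered_etypes: List[int]  # enctypes the client offered
    tkt_etype: Optional[int]   # enctype of the issued ticket; None when nothing was issued


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Extract AS_REQ/TGS_REQ events; startup and socket chatter is skipped."""
    events: List[KdcEvent] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # "8 etypes 18 17 ..." (newer KDCs wrap the list in braces; strip them).
        raw = m.group("etypes").replace("{", "").replace("}", "").split("etypes", 1)[1]
        tkt = m.group("tkt")
        events.append(KdcEvent(
            kind=m.group("kind"), addr=m.group("addr"), status=m.group("status"),
            client=m.group("client"), service=m.group("service"),
            offered_etypes=[int(t) for t in raw.split()],
            tkt_etype=int(tkt) if tkt else None,
        ))
    return events


def is_service_principal(principal: str) -> bool:
    """nfs/client.domain.fr@REALM has an instance component; a user principal like alice@REALM does not."""
    return "/" in principal.split("@", 1)[0]


def clients_of_service(events: List[KdcEvent], service: str) -> Set[str]:
    """Client principals that were actually issued a service ticket for `service`."""
    return {e.client for e in events
            if e.kind == "TGS_REQ" and e.status == "ISSUE" and e.service == service}


def user_principals_seen(events: List[KdcEvent]) -> Set[str]:
    """Non-service principals that obtained any ticket at all."""
    return {e.client for e in events if e.status == "ISSUE" and not is_service_principal(e.client)}


def weak_tickets(events: List[KdcEvent]) -> List[KdcEvent]:
    """Issued tickets whose enctype is deprecated."""
    return [e for e in events if e.tkt_etype in WEAK_ETYPES]


def report(text: str, nfs_service: str) -> Dict[str, object]:
    """The questions a defender asks of this log for one NFS service principal."""
    events = parse_kdc_log(text)
    nfs_clients = clients_of_service(events, nfs_service)
    return {
        "requests": len(events),
        "nfs_clients": sorted(nfs_clients),
        # True when only host/service principals reached the NFS service: no user ever authenticated.
        "only_machine_credentials": bool(nfs_clients) and all(map(is_service_principal, nfs_clients)),
        "user_principals": sorted(user_principals_seen(events)),
        "weak_tickets": [(e.client, ETYPE_NAMES.get(e.tkt_etype, str(e.tkt_etype)))
                         for e in weak_tickets(events)],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_KDC_LOG, "nfs/server.domain.fr@DOMAIN.FR").items():
        print(f"{key}: {value}")
```

Run against a real /tmp/krb5kdc.log (the path the question's [logging] section configures), an empty "user_principals" list together with "only_machine_credentials": True is the signature of the situation described in the question.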










share|improve this question



























    up vote
    1
    down vote

    favorite












    I'm setting up a NFSv4 shared folder with Kerberos authentication. The issue I'm facing is that when the user on the client machine runs mount /mnt (see the fstab configuration below) he's not able to access /mnt directory.
    It's due to the rights on the Kerberos ticket I guess. Indeed, when I'm doing so, I only get a ticket which belongs to root.



    Client = 192.168.1.2 and server = 192.168.1.1 both are running Ubuntu 18.04.1



    Here the command lines:



    user@client:~$ mount -vvv /mnt
    mount.nfs4: timeout set for Mon Sep 10 16:55:58 2018
    mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.1,clientaddr=192.168.1.2'

    user@client:~$ cd /mnt
    bash: cd: /mnt: Permission denied

    user@client:~$ ll /tmp/krb5ccmachine_DOMAIN.FR
    -rw------- 1 root root 1628 sept. 10 16:53 /tmp/krb5ccmachine_DOMAIN.FR

    user@client:~$ sudo klist -c /tmp/krb5ccmachine_DOMAIN.FR
    Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
    Default principal: nfs/client.domain.fr@DOMAIN.FR

    Valid starting Expires Service principal
    10/09/2018 16:53:42 11/09/2018 02:53:42 krbtgt/DOMAIN.FR@DOMAIN.FR
    renew until 11/09/2018 16:53:42
    10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/server.domain.fr@
    renew until 11/09/2018 16:53:42
    10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/server.domain.fr@DOMAIN.FR
    renew until 11/09/2018 16:53:42

    root@client:~# klist -k /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    3 nfs/client.domain.fr@DOMAIN.FR
    3 nfs/client.domain.fr@DOMAIN.FR


    I found that when I do a "kinit" of nfs/client.domain.fr with user rights and then runs the mount command, I can access to /mnt directory



    user@client:~$ kinit nfs/client.domain.fr -t Documents/krb5.keytab 
    keytab specified, forcing -k
    user@client:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: nfs/client.domain.fr@DOMAIN.FR

    Valid starting Expires Service principal
    10/09/2018 17:22:59 11/09/2018 03:22:59 krbtgt/DOMAIN.FR@DOMAIN.FR
    renew until 11/09/2018 17:22:59

    user@client:~$ mount /mnt
    user@client:~$ cd /mnt
    user@client:/mnt$ ll
    total 12
    drwxrwxrwx 3 root root 4096 sept. 4 10:30 ./
    drwxr-xr-x 24 root root 4096 sept. 4 11:09 ../
    drwxrwxrwx 2 root root 4096 sept. 10 16:14 media/

    user@client:/mnt$ ll /tmp/krb5cc*
    -rw------- 1 user user 2037 sept. 10 17:23 /tmp/krb5cc_1000
    -rw------- 1 root root 1628 sept. 10 17:23 /tmp/krb5ccmachine_DOMAIN.FR

    user@client:/mnt$ sudo klist /tmp/krb5ccmachine_DOMAIN.FR
    [sudo] Mot de passe de user :
    Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
    Default principal: nfs/client.domain.fr@DOMAIN.FR

    Valid starting Expires Service principal
    10/09/2018 17:23:35 11/09/2018 03:23:35 krbtgt/DOMAIN.FR@DOMAIN.FR
    renew until 11/09/2018 17:23:35
    10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/server.domain.fr@
    renew until 11/09/2018 17:23:35
    10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/server.domain.fr@DOMAIN.FR
    renew until 11/09/2018 17:23:35


    My configurations files:



    /etc/fstab on client machine



    # /etc/fstab: static file system information.
    #
    # Use 'blkid' to print the universally unique identifier for a
    # device; this may be used with UUID= as a more robust way to name devices
    # that works even if disks are added and removed. See fstab(5).
    #
    # <file system> <mount point> <type> <options> <dump> <pass>
    # / was on /dev/sda1 during installation
    UUID=14d26733-1eb1-4c23-b6eb-7be5564675a6 / ext4 errors=remount-ro 0 1
    /swapfile none swap sw 0 0
    server:/ /mnt nfs4 proto=tcp,port=2049,sec=krb5p,noauto,user 0 0


    /etc/fstab on server:



    # /etc/fstab: static file system information.
    #
    # Use 'blkid' to print the universally unique identifier for a
    # device; this may be used with UUID= as a more robust way to name devices
    # that works even if disks are added and removed. See fstab(5).
    #
    # <file system> <mount point> <type> <options> <dump> <pass>
    # / was on /dev/sda1 during installation
    UUID=6edf6c8d-be74-4908-91c4-4c7bb453bc76 / ext4 errors=remount-ro 0 1
    /swapfile none swap sw 0 0
    /home/media /export/media none bind 0 0


    /etc/exports on server:



    # /etc/exports: the access control list for filesystems which may be exported
    # to NFS clients. See exports(5).
    #
    # Example for NFSv2 and NFSv3:
    # /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
    #
    # Example for NFSv4:
    # /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
    # /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
    #
    /export 192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
    /export/media 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)


    User with uid=1000 and gid=1000 exists on client and server. I also tryed with root_squash option.



    /etc/krb5.conf on both client and server:



    [logging]
    default = FILE:/tmp/krb5libs.log
    kdc = FILE:/tmp/krb5kdc.log
    admin_server = FILE:/tmp/kadmind.log

    [libdefaults]
    default_realm = DOMAIN.FR

    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented. In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # The only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).

    # default_tgs_enctypes = des3-hmac-sha1
    # default_tkt_enctypes = des3-hmac-sha1
    # permitted_enctypes = des3-hmac-sha1

    # The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

    [realms]
    DOMAIN.FR =
    kdc = kdc.domain.fr
    admin_server = kerberos.domain.fr
    default_domain = domain.fr


    [domain_realm]
    .domain.fr = DOMAIN.FR
    domain.fr = DOMAIN.FR


    /etc/default/nfs-kernel-server on server:



    # Number of servers to start up
    RPCNFSDCOUNT=8

    # Runtime priority of server (see nice(1))
    RPCNFSDPRIORITY=0

    # Options for rpc.mountd.
    # If you have a port-based firewall, you might want to set up
    # a fixed port here using the --port option. For more information,
    # see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
    # To disable NFSv4 on the server, specify '--no-nfs-version 4' here
    RPCMOUNTDOPTS="--manage-gids --debug all"

    # Do you want to start the svcgssd daemon? It is only required for Kerberos
    # exports. Valid alternatives are "yes" and "no"; the default is "no".
    NEED_SVCGSSD="yes"

    # Options for rpc.svcgssd.
    RPCSVCGSSDOPTS="-vvv"


    /etc/default/nfs-common on both client and server:



    # If you do not set values for the NEED_ options, they will be attempted
    # autodetected; this should be sufficient for most people. Valid alternatives
    # for the NEED_ options are "yes" and "no".


    # Options for rpc.statd.
    # Should rpc.statd listen on a specific port? This is especially useful
    # when you have a port-based firewall. To use a fixed port, set this
    # this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
    # For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
    STATDOPTS=

    # Do you want to start the gssd daemon? It is required for Kerberos mounts.
    NEED_GSSD=yes


    /etc/hosts on both client and server:



    127.0.0.1 localhost

    # server
    192.168.1.1 server.domain.fr server
    192.168.1.1 domain.fr
    # Client
    192.168.1.2 client.domain.fr client


    logs of kdc:



    sept. 10 16:48:06 server krb5kdc[545](info): setting up network...
    krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
    krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
    krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
    sept. 10 16:48:06 server krb5kdc[545](info): set up 6 sockets
    sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
    sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: NEEDED_PREAUTH: nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR, Additional pre-authentication required
    sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR
    sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for nfs/server.domain.fr@DOMAIN.FR


    So now I'm only able to mount the shared folder and access it with root user on client machine because the ticket I get belongs to root. Is it possible to get a ticket which belongs to user ?
    I would like to know if it possible to mount the shared directory with user and access it without doing the kinit before.










    share|improve this question

























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I'm setting up a NFSv4 shared folder with Kerberos authentication. The issue I'm facing is that when the user on the client machine runs mount /mnt (see the fstab configuration below) he's not able to access /mnt directory.
      It's due to the rights on the Kerberos ticket I guess. Indeed, when I'm doing so, I only get a ticket which belongs to root.



      Client = 192.168.1.2 and server = 192.168.1.1 both are running Ubuntu 18.04.1



      Here the command lines:



      user@client:~$ mount -vvv /mnt
      mount.nfs4: timeout set for Mon Sep 10 16:55:58 2018
      mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.1,clientaddr=192.168.1.2'

      user@client:~$ cd /mnt
      bash: cd: /mnt: Permission denied

      user@client:~$ ll /tmp/krb5ccmachine_DOMAIN.FR
      -rw------- 1 root root 1628 sept. 10 16:53 /tmp/krb5ccmachine_DOMAIN.FR

      user@client:~$ sudo klist -c /tmp/krb5ccmachine_DOMAIN.FR
      Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
      Default principal: nfs/client.domain.fr@DOMAIN.FR

      Valid starting Expires Service principal
      10/09/2018 16:53:42 11/09/2018 02:53:42 krbtgt/DOMAIN.FR@DOMAIN.FR
      renew until 11/09/2018 16:53:42
      10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/server.domain.fr@
      renew until 11/09/2018 16:53:42
      10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/server.domain.fr@DOMAIN.FR
      renew until 11/09/2018 16:53:42

      root@client:~# klist -k /etc/krb5.keytab
      Keytab name: FILE:/etc/krb5.keytab
      KVNO Principal
      ---- --------------------------------------------------------------------------
      3 nfs/client.domain.fr@DOMAIN.FR
      3 nfs/client.domain.fr@DOMAIN.FR


      I found that when I do a "kinit" of nfs/client.domain.fr with user rights and then runs the mount command, I can access to /mnt directory



      user@client:~$ kinit nfs/client.domain.fr -t Documents/krb5.keytab 
      keytab specified, forcing -k
      user@client:~$ klist
      Ticket cache: FILE:/tmp/krb5cc_1000
      Default principal: nfs/client.domain.fr@DOMAIN.FR

      Valid starting Expires Service principal
      10/09/2018 17:22:59 11/09/2018 03:22:59 krbtgt/DOMAIN.FR@DOMAIN.FR
      renew until 11/09/2018 17:22:59

      user@client:~$ mount /mnt
      user@client:~$ cd /mnt
      user@client:/mnt$ ll
      total 12
      drwxrwxrwx 3 root root 4096 sept. 4 10:30 ./
      drwxr-xr-x 24 root root 4096 sept. 4 11:09 ../
      drwxrwxrwx 2 root root 4096 sept. 10 16:14 media/

      user@client:/mnt$ ll /tmp/krb5cc*
      -rw------- 1 user user 2037 sept. 10 17:23 /tmp/krb5cc_1000
      -rw------- 1 root root 1628 sept. 10 17:23 /tmp/krb5ccmachine_DOMAIN.FR

      user@client:/mnt$ sudo klist /tmp/krb5ccmachine_DOMAIN.FR
      [sudo] Mot de passe de user :
      Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
      Default principal: nfs/client.domain.fr@DOMAIN.FR

      Valid starting Expires Service principal
      10/09/2018 17:23:35 11/09/2018 03:23:35 krbtgt/DOMAIN.FR@DOMAIN.FR
      renew until 11/09/2018 17:23:35
      10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/server.domain.fr@
      renew until 11/09/2018 17:23:35
      10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/server.domain.fr@DOMAIN.FR
      renew until 11/09/2018 17:23:35


      My configurations files:



      /etc/fstab on client machine



      # /etc/fstab: static file system information.
      #
      # Use 'blkid' to print the universally unique identifier for a
      # device; this may be used with UUID= as a more robust way to name devices
      # that works even if disks are added and removed. See fstab(5).
      #
      # <file system> <mount point> <type> <options> <dump> <pass>
      # / was on /dev/sda1 during installation
      UUID=14d26733-1eb1-4c23-b6eb-7be5564675a6 / ext4 errors=remount-ro 0 1
      /swapfile none swap sw 0 0
      server:/ /mnt nfs4 proto=tcp,port=2049,sec=krb5p,noauto,user 0 0


      /etc/fstab on server:



      # /etc/fstab: static file system information.
      #
      # Use 'blkid' to print the universally unique identifier for a
      # device; this may be used with UUID= as a more robust way to name devices
      # that works even if disks are added and removed. See fstab(5).
      #
      # <file system> <mount point> <type> <options> <dump> <pass>
      # / was on /dev/sda1 during installation
      UUID=6edf6c8d-be74-4908-91c4-4c7bb453bc76 / ext4 errors=remount-ro 0 1
      /swapfile none swap sw 0 0
      /home/media /export/media none bind 0 0


      /etc/exports on server:



      # /etc/exports: the access control list for filesystems which may be exported
      # to NFS clients. See exports(5).
      #
      # Example for NFSv2 and NFSv3:
      # /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
      #
      # Example for NFSv4:
      # /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
      # /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
      #
      /export 192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
      /export/media 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)


      User with uid=1000 and gid=1000 exists on client and server. I also tryed with root_squash option.



      /etc/krb5.conf on both client and server:



      [logging]
      default = FILE:/tmp/krb5libs.log
      kdc = FILE:/tmp/krb5kdc.log
      admin_server = FILE:/tmp/kadmind.log

      [libdefaults]
      default_realm = DOMAIN.FR

      # The following krb5.conf variables are only for MIT Kerberos.
      kdc_timesync = 1
      ccache_type = 4
      forwardable = true
      proxiable = true

      # The following encryption type specification will be used by MIT Kerberos
      # if uncommented. In general, the defaults in the MIT Kerberos code are
      # correct and overriding these specifications only serves to disable new
      # encryption types as they are added, creating interoperability problems.
      #
      # The only time when you might need to uncomment these lines and change
      # the enctypes is if you have local software that will break on ticket
      # caches containing ticket encryption types it doesn't know about (such as
      # old versions of Sun Java).

      # default_tgs_enctypes = des3-hmac-sha1
      # default_tkt_enctypes = des3-hmac-sha1
      # permitted_enctypes = des3-hmac-sha1

      # The following libdefaults parameters are only for Heimdal Kerberos.
      fcc-mit-ticketflags = true

      [realms]
      DOMAIN.FR =
      kdc = kdc.domain.fr
      admin_server = kerberos.domain.fr
      default_domain = domain.fr


      [domain_realm]
      .domain.fr = DOMAIN.FR
      domain.fr = DOMAIN.FR


      /etc/default/nfs-kernel-server on server:



      # Number of servers to start up
      RPCNFSDCOUNT=8

      # Runtime priority of server (see nice(1))
      RPCNFSDPRIORITY=0

      # Options for rpc.mountd.
      # If you have a port-based firewall, you might want to set up
      # a fixed port here using the --port option. For more information,
      # see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
      # To disable NFSv4 on the server, specify '--no-nfs-version 4' here
      RPCMOUNTDOPTS="--manage-gids --debug all"

      # Do you want to start the svcgssd daemon? It is only required for Kerberos
      # exports. Valid alternatives are "yes" and "no"; the default is "no".
      NEED_SVCGSSD="yes"

      # Options for rpc.svcgssd.
      RPCSVCGSSDOPTS="-vvv"


      /etc/default/nfs-common on both client and server:



      # If you do not set values for the NEED_ options, they will be attempted
      # autodetected; this should be sufficient for most people. Valid alternatives
      # for the NEED_ options are "yes" and "no".


      # Options for rpc.statd.
      # Should rpc.statd listen on a specific port? This is especially useful
      # when you have a port-based firewall. To use a fixed port, set this
      # this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
      # For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
      STATDOPTS=

      # Do you want to start the gssd daemon? It is required for Kerberos mounts.
      NEED_GSSD=yes


      /etc/hosts on both client and server:



      127.0.0.1 localhost

      # server
      192.168.1.1 server.domain.fr server
      192.168.1.1 domain.fr
      # Client
      192.168.1.2 client.domain.fr client


      logs of kdc:



      sept. 10 16:48:06 server krb5kdc[545](info): setting up network...
      krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
      krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
      krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
      sept. 10 16:48:06 server krb5kdc[545](info): set up 6 sockets
      sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
      sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: NEEDED_PREAUTH: nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR, Additional pre-authentication required
      sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR
      sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for nfs/server.domain.fr@DOMAIN.FR


      So now I'm only able to mount the shared folder and access it with root user on client machine because the ticket I get belongs to root. Is it possible to get a ticket which belongs to user ?
      I would like to know if it possible to mount the shared directory with user and access it without doing the kinit before.










      share|improve this question















      I'm setting up a NFSv4 shared folder with Kerberos authentication. The issue I'm facing is that when the user on the client machine runs mount /mnt (see the fstab configuration below) he's not able to access /mnt directory.
      It's due to the rights on the Kerberos ticket I guess. Indeed, when I'm doing so, I only get a ticket which belongs to root.



      Client = 192.168.1.2 and server = 192.168.1.1 both are running Ubuntu 18.04.1



      Here the command lines:



      user@client:~$ mount -vvv /mnt
      mount.nfs4: timeout set for Mon Sep 10 16:55:58 2018
      mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.1,clientaddr=192.168.1.2'

      user@client:~$ cd /mnt
      bash: cd: /mnt: Permission denied

      user@client:~$ ll /tmp/krb5ccmachine_DOMAIN.FR
      -rw------- 1 root root 1628 sept. 10 16:53 /tmp/krb5ccmachine_DOMAIN.FR

      user@client:~$ sudo klist -c /tmp/krb5ccmachine_DOMAIN.FR
      Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
      Default principal: nfs/client.domain.fr@DOMAIN.FR

      Valid starting Expires Service principal
      10/09/2018 16:53:42 11/09/2018 02:53:42 krbtgt/DOMAIN.FR@DOMAIN.FR
      renew until 11/09/2018 16:53:42
      10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/server.domain.fr@
      renew until 11/09/2018 16:53:42
      10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/server.domain.fr@DOMAIN.FR
      renew until 11/09/2018 16:53:42

      root@client:~# klist -k /etc/krb5.keytab
      Keytab name: FILE:/etc/krb5.keytab
      KVNO Principal
      ---- --------------------------------------------------------------------------
      3 nfs/client.domain.fr@DOMAIN.FR
      3 nfs/client.domain.fr@DOMAIN.FR


      I found that when I do a "kinit" of nfs/client.domain.fr with user rights and then runs the mount command, I can access to /mnt directory



      user@client:~$ kinit nfs/client.domain.fr -t Documents/krb5.keytab 
      keytab specified, forcing -k
      user@client:~$ klist
      Ticket cache: FILE:/tmp/krb5cc_1000
      Default principal: nfs/client.domain.fr@DOMAIN.FR

      Valid starting Expires Service principal
      10/09/2018 17:22:59 11/09/2018 03:22:59 krbtgt/DOMAIN.FR@DOMAIN.FR
      renew until 11/09/2018 17:22:59

      user@client:~$ mount /mnt
      user@client:~$ cd /mnt
      user@client:/mnt$ ll
      total 12
      drwxrwxrwx 3 root root 4096 sept. 4 10:30 ./
      drwxr-xr-x 24 root root 4096 sept. 4 11:09 ../
      drwxrwxrwx 2 root root 4096 sept. 10 16:14 media/

      user@client:/mnt$ ll /tmp/krb5cc*
      -rw------- 1 user user 2037 sept. 10 17:23 /tmp/krb5cc_1000
      -rw------- 1 root root 1628 sept. 10 17:23 /tmp/krb5ccmachine_DOMAIN.FR

      user@client:/mnt$ sudo klist /tmp/krb5ccmachine_DOMAIN.FR
      [sudo] Mot de passe de user :
      Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
      Default principal: nfs/client.domain.fr@DOMAIN.FR

      Valid starting Expires Service principal
      10/09/2018 17:23:35 11/09/2018 03:23:35 krbtgt/DOMAIN.FR@DOMAIN.FR
      renew until 11/09/2018 17:23:35
      10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/server.domain.fr@
      renew until 11/09/2018 17:23:35
      10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/server.domain.fr@DOMAIN.FR
      renew until 11/09/2018 17:23:35


      My configuration files:



      /etc/fstab on client machine



      # /etc/fstab: static file system information.
      #
      # Use 'blkid' to print the universally unique identifier for a
      # device; this may be used with UUID= as a more robust way to name devices
      # that works even if disks are added and removed. See fstab(5).
      #
      # <file system> <mount point> <type> <options> <dump> <pass>
      # / was on /dev/sda1 during installation
      UUID=14d26733-1eb1-4c23-b6eb-7be5564675a6 / ext4 errors=remount-ro 0 1
      /swapfile none swap sw 0 0
      server:/ /mnt nfs4 proto=tcp,port=2049,sec=krb5p,noauto,user 0 0


      /etc/fstab on server:



      # /etc/fstab: static file system information.
      #
      # Use 'blkid' to print the universally unique identifier for a
      # device; this may be used with UUID= as a more robust way to name devices
      # that works even if disks are added and removed. See fstab(5).
      #
      # <file system> <mount point> <type> <options> <dump> <pass>
      # / was on /dev/sda1 during installation
      UUID=6edf6c8d-be74-4908-91c4-4c7bb453bc76 / ext4 errors=remount-ro 0 1
      /swapfile none swap sw 0 0
      /home/media /export/media none bind 0 0


      /etc/exports on server:



      # /etc/exports: the access control list for filesystems which may be exported
      # to NFS clients. See exports(5).
      #
      # Example for NFSv2 and NFSv3:
      # /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
      #
      # Example for NFSv4:
      # /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
      # /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
      #
      /export 192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
      /export/media 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)


      A user with uid=1000 and gid=1000 exists on both client and server. I also tried with the root_squash option.



      /etc/krb5.conf on both client and server:



      [logging]
      default = FILE:/tmp/krb5libs.log
      kdc = FILE:/tmp/krb5kdc.log
      admin_server = FILE:/tmp/kadmind.log

      [libdefaults]
      default_realm = DOMAIN.FR

      # The following krb5.conf variables are only for MIT Kerberos.
      kdc_timesync = 1
      ccache_type = 4
      forwardable = true
      proxiable = true

      # The following encryption type specification will be used by MIT Kerberos
      # if uncommented. In general, the defaults in the MIT Kerberos code are
      # correct and overriding these specifications only serves to disable new
      # encryption types as they are added, creating interoperability problems.
      #
      # The only time when you might need to uncomment these lines and change
      # the enctypes is if you have local software that will break on ticket
      # caches containing ticket encryption types it doesn't know about (such as
      # old versions of Sun Java).

      # default_tgs_enctypes = des3-hmac-sha1
      # default_tkt_enctypes = des3-hmac-sha1
      # permitted_enctypes = des3-hmac-sha1

      # The following libdefaults parameters are only for Heimdal Kerberos.
      fcc-mit-ticketflags = true

      [realms]
      DOMAIN.FR = {
      kdc = kdc.domain.fr
      admin_server = kerberos.domain.fr
      default_domain = domain.fr
      }

      [domain_realm]
      .domain.fr = DOMAIN.FR
      domain.fr = DOMAIN.FR


      /etc/default/nfs-kernel-server on server:



      # Number of servers to start up
      RPCNFSDCOUNT=8

      # Runtime priority of server (see nice(1))
      RPCNFSDPRIORITY=0

      # Options for rpc.mountd.
      # If you have a port-based firewall, you might want to set up
      # a fixed port here using the --port option. For more information,
      # see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
      # To disable NFSv4 on the server, specify '--no-nfs-version 4' here
      RPCMOUNTDOPTS="--manage-gids --debug all"

      # Do you want to start the svcgssd daemon? It is only required for Kerberos
      # exports. Valid alternatives are "yes" and "no"; the default is "no".
      NEED_SVCGSSD="yes"

      # Options for rpc.svcgssd.
      RPCSVCGSSDOPTS="-vvv"


      /etc/default/nfs-common on both client and server:



      # If you do not set values for the NEED_ options, they will be attempted
      # autodetected; this should be sufficient for most people. Valid alternatives
      # for the NEED_ options are "yes" and "no".


      # Options for rpc.statd.
      # Should rpc.statd listen on a specific port? This is especially useful
      # when you have a port-based firewall. To use a fixed port, set this
      # this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
      # For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
      STATDOPTS=

      # Do you want to start the gssd daemon? It is required for Kerberos mounts.
      NEED_GSSD=yes


      /etc/hosts on both client and server:



      127.0.0.1 localhost

      # server
      192.168.1.1 server.domain.fr server
      192.168.1.1 domain.fr
      # Client
      192.168.1.2 client.domain.fr client


      logs of kdc:



      sept. 10 16:48:06 server krb5kdc[545](info): setting up network...
      krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
      krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
      krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
      sept. 10 16:48:06 server krb5kdc[545](info): set up 6 sockets
      sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
      sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: NEEDED_PREAUTH: nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR, Additional pre-authentication required
      sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR
      sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for nfs/server.domain.fr@DOMAIN.FR


      So for now I'm only able to mount the shared folder and access it as the root user on the client machine, because the ticket I get belongs to root. Is it possible to get a ticket which belongs to the user?
      I would like to know if it is possible to mount the shared directory as the user and access it without doing the kinit first.







      ubuntu kerberos nfsv4
      asked Sep 11 at 7:15 by Charles; edited Sep 11 at 7:37 by Rui F Ribeiro

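Since the question turns on how the server treats identities on an export, here is an added example, written for this page and not code from the question or from nfs-utils, that parses exports(5) entries and reports their security-relevant options: the sec= flavours offered, root_squash/all_squash mapping with anonuid/anongid, and the insecure port flag. It runs on the two export lines posted above plus one constructed hardened line (`HARDENED_EXPORT`, an assumption, not from the question). `effective_identity()` models only the squash rules from exports(5) and assumes the request has already passed GSS authentication; it says nothing about credential caches on the client.

```python
"""Parse NFS /etc/exports entries and report their security-relevant options.

Added example for this page; not code from the question or from nfs-utils.
"""
from dataclasses import dataclass

# Constructed sample: the two export lines from the question, with a comment.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/export 192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
/export/media 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
"""

# Constructed hardened line (assumption): Kerberos privacy, per-user identities
# preserved, only root squashed (root_squash is the exports(5) default).
HARDENED_EXPORT = "/export/home *.domain.fr(rw,sync,no_subtree_check,sec=krb5p,root_squash)\n"

# exports(5) defaults: anonymous identity is nobody (65534), flavor is sys.
DEFAULT_ANON_UID = 65534
DEFAULT_ANON_GID = 65534
DEFAULT_SEC = "sys"


@dataclass
class Export:
    path: str
    client: str
    options: dict  # option name -> value string, or True for bare flags


def parse_exports(text):
    """Parse exports(5) text: one path per line, then client(options) entries."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        for entry in rest.split():
            client, _, opts = entry.partition("(")
            options = {}
            for opt in filter(None, opts.rstrip(")").split(",")):
                name, sep, value = opt.partition("=")
                options[name] = value if sep else True
            exports.append(Export(path, client, options))
    return exports


def effective_identity(export, uid, gid):
    """Return the (uid, gid) the server uses for an already-authenticated request."""
    o = export.options
    anon = (int(o.get("anonuid", DEFAULT_ANON_UID)),
            int(o.get("anongid", DEFAULT_ANON_GID)))
    if "all_squash" in o:
        return anon                      # every caller becomes the anonymous user
    if uid == 0 and "no_root_squash" not in o:
        return anon                      # root_squash is the default behaviour
    return (uid, gid)


def review(export):
    """Defender's checklist for one export entry; returns a list of findings."""
    o = export.options
    findings = []
    flavors = str(o.get("sec", DEFAULT_SEC)).split(":")
    if "sys" in flavors or "none" in flavors:
        findings.append("sec allows unauthenticated AUTH_SYS/none access")
    if "krb5p" not in flavors:
        findings.append("sec does not offer krb5p (no privacy on the wire)")
    if "insecure" in o:
        findings.append("insecure: accepts requests from non-privileged source ports")
    if "no_root_squash" in o:
        findings.append("no_root_squash: client root maps to server root")
    if "all_squash" in o:
        uid, gid = effective_identity(export, 1000, 1000)
        findings.append(f"all_squash: every principal maps to uid {uid}/gid {gid}; "
                        "per-user ownership and auditing on the export are lost")
    return findings


if __name__ == "__main__":
    for exp in parse_exports(SAMPLE_EXPORTS + HARDENED_EXPORT):
        print(f"{exp.path} -> {exp.client}")
        for finding in review(exp) or ["no findings"]:
            print("   ", finding)
```

With the question's entries, both uid 0 and uid 1000 collapse to 1000/1000 on the server because of all_squash, so the server cannot tell users apart even though each one authenticated with its own Kerberos principal; the hardened line keeps per-user identities and squashes only root.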