How to access NFSv4 shared folder with Kerberos authentication without root rights

I'm setting up an NFSv4 shared folder with Kerberos authentication. The issue I'm facing is that when the user on the client machine runs mount /mnt (see the fstab configuration below), he's not able to access the /mnt directory.
It's due to the rights on the Kerberos ticket, I guess. Indeed, when I'm doing so, I only get a ticket which belongs to root.



Client = 192.168.1.2 and server = 192.168.1.1; both are running Ubuntu 18.04.1.



Here are the command lines:



user@client:~$ mount -vvv /mnt
mount.nfs4: timeout set for Mon Sep 10 16:55:58 2018
mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.1,clientaddr=192.168.1.2'

user@client:~$ cd /mnt
bash: cd: /mnt: Permission denied

user@client:~$ ll /tmp/krb5ccmachine_DOMAIN.FR
-rw------- 1 root root 1628 sept. 10 16:53 /tmp/krb5ccmachine_DOMAIN.FR

user@client:~$ sudo klist -c /tmp/krb5ccmachine_DOMAIN.FR
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting Expires Service principal
10/09/2018 16:53:42 11/09/2018 02:53:42 krbtgt/DOMAIN.FR@DOMAIN.FR
renew until 11/09/2018 16:53:42
10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/server.domain.fr@
renew until 11/09/2018 16:53:42
10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/server.domain.fr@DOMAIN.FR
renew until 11/09/2018 16:53:42

root@client:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/client.domain.fr@DOMAIN.FR
3 nfs/client.domain.fr@DOMAIN.FR


I found that when I do a "kinit" of nfs/client.domain.fr with user rights and then run the mount command, I can access the /mnt directory:



user@client:~$ kinit nfs/client.domain.fr -t Documents/krb5.keytab 
keytab specified, forcing -k
user@client:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting Expires Service principal
10/09/2018 17:22:59 11/09/2018 03:22:59 krbtgt/DOMAIN.FR@DOMAIN.FR
renew until 11/09/2018 17:22:59

user@client:~$ mount /mnt
user@client:~$ cd /mnt
user@client:/mnt$ ll
total 12
drwxrwxrwx 3 root root 4096 sept. 4 10:30 ./
drwxr-xr-x 24 root root 4096 sept. 4 11:09 ../
drwxrwxrwx 2 root root 4096 sept. 10 16:14 media/

user@client:/mnt$ ll /tmp/krb5cc*
-rw------- 1 user user 2037 sept. 10 17:23 /tmp/krb5cc_1000
-rw------- 1 root root 1628 sept. 10 17:23 /tmp/krb5ccmachine_DOMAIN.FR

user@client:/mnt$ sudo klist /tmp/krb5ccmachine_DOMAIN.FR
[sudo] Mot de passe de user :
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting Expires Service principal
10/09/2018 17:23:35 11/09/2018 03:23:35 krbtgt/DOMAIN.FR@DOMAIN.FR
renew until 11/09/2018 17:23:35
10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/server.domain.fr@
renew until 11/09/2018 17:23:35
10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/server.domain.fr@DOMAIN.FR
renew until 11/09/2018 17:23:35


My configuration files:



/etc/fstab on client machine



# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=14d26733-1eb1-4c23-b6eb-7be5564675a6 / ext4 errors=remount-ro 0 1
/swapfile none swap sw 0 0
server:/ /mnt nfs4 proto=tcp,port=2049,sec=krb5p,noauto,user 0 0


/etc/fstab on server:



# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=6edf6c8d-be74-4908-91c4-4c7bb453bc76 / ext4 errors=remount-ro 0 1
/swapfile none swap sw 0 0
/home/media /export/media none bind 0 0


/etc/exports on server:



# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/export 192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
/export/media 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)


A user with uid=1000 and gid=1000 exists on both client and server. I also tried with the root_squash option.



/etc/krb5.conf on both client and server:



[logging]
default = FILE:/tmp/krb5libs.log
kdc = FILE:/tmp/krb5kdc.log
admin_server = FILE:/tmp/kadmind.log

[libdefaults]
default_realm = DOMAIN.FR

# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true

[realms]
DOMAIN.FR = {
kdc = kdc.domain.fr
admin_server = kerberos.domain.fr
default_domain = domain.fr
}

[domain_realm]
.domain.fr = DOMAIN.FR
domain.fr = DOMAIN.FR


/etc/default/nfs-kernel-server on server:



# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --debug all"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv"


/etc/default/nfs-common on both client and server:



# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".


# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


/etc/hosts on both client and server:



127.0.0.1 localhost

# server
192.168.1.1 server.domain.fr server
192.168.1.1 domain.fr
# Client
192.168.1.2 client.domain.fr client


logs of kdc:



sept. 10 16:48:06 server krb5kdc[545](info): setting up network...
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
sept. 10 16:48:06 server krb5kdc[545](info): set up 6 sockets
sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: NEEDED_PREAUTH: nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR, Additional pre-authentication required
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR
sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for nfs/server.domain.fr@DOMAIN.FR


So now I'm only able to mount the shared folder and access it as the root user on the client machine, because the ticket I get belongs to root. Is it possible to get a ticket which belongs to the user?
I would like to know if it is possible to mount the shared directory as the user and access it without doing the kinit first.
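An added offline diagnostic (not from the question or from nfs-utils) that parses the `ls -l` and `klist` output quoted above and reports why rpc.gssd cannot use a given credential cache for a given user: rpc.gssd switches to the requesting uid before opening a cache, so the root-owned krb5ccmachine_* cache only serves uid 0, and a user needs a cache holding a TGT for their own principal rather than for the host's nfs/ service principal. The `GOOD_KLIST` input and the `NOW`/`AFTER_EXPIRY` timestamps are constructed; the other inputs are trimmed copies of the output in the question.

```python
"""Offline check of the credential caches behind a Kerberos NFSv4 mount.

Parses text captured from `ls -l` and `klist` (the format quoted in the
question, dd/mm/yyyy locale) and explains why rpc.gssd may be unable to use
a cache for a given user.
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

KLIST_TIME = "%d/%m/%Y %H:%M:%S"  # klist date format in the question's locale
TGT_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/")


def parse_klist(text: str) -> Tuple[Optional[str], Optional[datetime]]:
    """Return (default principal, expiry of the krbtgt ticket) from klist output."""
    principal, tgt_expires = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TGT_RE.match(line)
        if m:
            tgt_expires = datetime.strptime(m.group(2), KLIST_TIME)
    return principal, tgt_expires


def parse_ls(line: str) -> Tuple[str, str, str]:
    """Return (mode, owner, path) from one `ls -l` line."""
    fields = line.split()
    return fields[0], fields[2], fields[-1]


def diagnose(user: str, ls_line: str, klist_text: str,
             now: datetime) -> List[Tuple[str, str]]:
    """List (code, explanation) pairs; empty means the cache is usable by `user`."""
    mode, owner, path = parse_ls(ls_line)
    principal, tgt_expires = parse_klist(klist_text)
    problems: List[Tuple[str, str]] = []
    if owner != user:
        # rpc.gssd reads the cache as the requesting uid; a root-owned 0600
        # cache such as krb5ccmachine_* is therefore only usable by uid 0.
        problems.append(("OWNER", f"{path} is owned by {owner}, not {user}"))
    if mode[4:10] != "------":
        # A group- or world-readable cache leaks the TGT to other local users.
        problems.append(("MODE", f"{path} has mode {mode}; a cache must be 0600"))
    if principal is None or tgt_expires is None:
        problems.append(("NO_TGT", f"{path} holds no krbtgt ticket"))
    elif tgt_expires <= now:
        problems.append(("EXPIRED",
                         f"TGT in {path} expired at {tgt_expires:%Y-%m-%d %H:%M}"))
    if user != "root" and principal and "/" in principal.split("@", 1)[0]:
        # nfs/host in a user's cache means the host keytab was handed to that
        # user; the host key belongs in /etc/krb5.keytab and the user should
        # kinit as their own principal instead.
        problems.append(("SERVICE_PRINCIPAL",
                         f"{principal} is a service principal, not a user principal"))
    return problems


# Copied (trimmed) from the question: the machine cache rpc.gssd created for the mount.
MACHINE_LS = "-rw------- 1 root root 1628 sept. 10 16:53 /tmp/krb5ccmachine_DOMAIN.FR"
MACHINE_KLIST = """Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting Expires Service principal
10/09/2018 16:53:42 11/09/2018 02:53:42 krbtgt/DOMAIN.FR@DOMAIN.FR
renew until 11/09/2018 16:53:42
"""

# Copied from the question: the cache the user obtained with a copy of the host keytab.
USER_LS = "-rw------- 1 user user 2037 sept. 10 17:23 /tmp/krb5cc_1000"
USER_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting Expires Service principal
10/09/2018 17:22:59 11/09/2018 03:22:59 krbtgt/DOMAIN.FR@DOMAIN.FR
renew until 11/09/2018 17:22:59
"""

# Constructed: the same cache after `kinit user@DOMAIN.FR` run as the user.
GOOD_KLIST = USER_KLIST.replace("nfs/client.domain.fr@DOMAIN.FR", "user@DOMAIN.FR")

NOW = datetime(2018, 9, 10, 17, 30)          # constructed: just after the session
AFTER_EXPIRY = datetime(2018, 9, 11, 4, 0)   # constructed: after the 03:22 expiry

if __name__ == "__main__":
    cases = [("machine cache, accessed as user", MACHINE_LS, MACHINE_KLIST, NOW),
             ("user cache from host keytab", USER_LS, USER_KLIST, NOW),
             ("user cache, own principal", USER_LS, GOOD_KLIST, NOW),
             ("user cache, own principal, next morning", USER_LS, GOOD_KLIST, AFTER_EXPIRY)]
    for label, ls_line, klist_text, when in cases:
        issues = diagnose("user", ls_line, klist_text, when)
        print(f"{label}: {'OK' if not issues else ''}")
        for code, why in issues:
            print(f"  [{code}] {why}")
```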
      #
      # Example for NFSv4:
      # /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
      # /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
      #
      /export 192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
      /export/media 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)


      User with uid=1000 and gid=1000 exists on client and server. I also tried with the root_squash option.



      /etc/krb5.conf on both client and server:



      [logging]
      default = FILE:/tmp/krb5libs.log
      kdc = FILE:/tmp/krb5kdc.log
      admin_server = FILE:/tmp/kadmind.log

      [libdefaults]
      default_realm = DOMAIN.FR

      # The following krb5.conf variables are only for MIT Kerberos.
      kdc_timesync = 1
      ccache_type = 4
      forwardable = true
      proxiable = true

      # The following encryption type specification will be used by MIT Kerberos
      # if uncommented. In general, the defaults in the MIT Kerberos code are
      # correct and overriding these specifications only serves to disable new
      # encryption types as they are added, creating interoperability problems.
      #
      # The only time when you might need to uncomment these lines and change
      # the enctypes is if you have local software that will break on ticket
      # caches containing ticket encryption types it doesn't know about (such as
      # old versions of Sun Java).

      # default_tgs_enctypes = des3-hmac-sha1
      # default_tkt_enctypes = des3-hmac-sha1
      # permitted_enctypes = des3-hmac-sha1

      # The following libdefaults parameters are only for Heimdal Kerberos.
      fcc-mit-ticketflags = true

      [realms]
      DOMAIN.FR = {
      kdc = kdc.domain.fr
      admin_server = kerberos.domain.fr
      default_domain = domain.fr
      }


      [domain_realm]
      .domain.fr = DOMAIN.FR
      domain.fr = DOMAIN.FR


      /etc/default/nfs-kernel-server on server:



      # Number of servers to start up
      RPCNFSDCOUNT=8

      # Runtime priority of server (see nice(1))
      RPCNFSDPRIORITY=0

      # Options for rpc.mountd.
      # If you have a port-based firewall, you might want to set up
      # a fixed port here using the --port option. For more information,
      # see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
      # To disable NFSv4 on the server, specify '--no-nfs-version 4' here
      RPCMOUNTDOPTS="--manage-gids --debug all"

      # Do you want to start the svcgssd daemon? It is only required for Kerberos
      # exports. Valid alternatives are "yes" and "no"; the default is "no".
      NEED_SVCGSSD="yes"

      # Options for rpc.svcgssd.
      RPCSVCGSSDOPTS="-vvv"


      /etc/default/nfs-common on both client and server:



      # If you do not set values for the NEED_ options, they will be attempted
      # autodetected; this should be sufficient for most people. Valid alternatives
      # for the NEED_ options are "yes" and "no".


      # Options for rpc.statd.
      # Should rpc.statd listen on a specific port? This is especially useful
      # when you have a port-based firewall. To use a fixed port, set this
      # this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
      # For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
      STATDOPTS=

      # Do you want to start the gssd daemon? It is required for Kerberos mounts.
      NEED_GSSD=yes


      /etc/hosts on both client and server:



      127.0.0.1 localhost

      # server
      192.168.1.1 server.domain.fr server
      192.168.1.1 domain.fr
      # Client
      192.168.1.2 client.domain.fr client


      logs of kdc:



      sept. 10 16:48:06 server krb5kdc[545](info): setting up network...
      krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
      krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
      krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
      sept. 10 16:48:06 server krb5kdc[545](info): set up 6 sockets
      sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
      sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: NEEDED_PREAUTH: nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR, Additional pre-authentication required
      sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR
      sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes 18 17 20 19 16 23 25 26) 192.168.1.2: ISSUE: authtime 1536591222, etypes rep=18 tkt=18 ses=18, nfs/client.domain.fr@DOMAIN.FR for nfs/server.domain.fr@DOMAIN.FR


      So now I'm only able to mount the shared folder and access it with the root user on the client machine, because the ticket I get belongs to root. Is it possible to get a ticket which belongs to the user?
      I would like to know if it is possible to mount the shared directory as the user and access it without doing the kinit before.







      ubuntu kerberos nfsv4






      edited Sep 11 at 7:37









      Rui F Ribeiro











      asked Sep 11 at 7:15









      Charles
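The question turns on which credential cache holds the ticket the mount is made with: /tmp/krb5ccmachine_DOMAIN.FR is root-owned and holds the machine principal nfs/client.domain.fr, while the kinit run as the user produced /tmp/krb5cc_1000. The script below is an added example, not part of the question or of any answer, that parses klist output and reports whether a cache belongs to a given uid, whether its TGT and its nfs/&lt;server&gt; service ticket are valid at a given time, and whether the default principal is a host/service identity (nfs/, host/, root/) rather than a personal one, which is what decides whom the NFS server sees. The sample klist text is constructed after the listing in the question; the dd/mm/yyyy date format, the server name and the realm are taken from it.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the klist listing in the question
# (dates are dd/mm/yyyy, as printed under the French locale shown there).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting       Expires              Service principal
10/09/2018 17:22:59  11/09/2018 03:22:59  krbtgt/DOMAIN.FR@DOMAIN.FR
\trenew until 11/09/2018 17:22:59
10/09/2018 17:22:59  11/09/2018 03:22:59  nfs/server.domain.fr@DOMAIN.FR
\trenew until 11/09/2018 17:22:59
"""

DATE_FMT = "%d/%m/%Y %H:%M:%S"
# One ticket line: <start> <expires> <service principal>
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)
# Per-user FILE caches are named /tmp/krb5cc_<uid>; the machine cache is not.
CCACHE_UID_RE = re.compile(r"^FILE:/tmp/krb5cc_(\d+)$")


def parse_klist(text):
    """Return (cache, principal, tickets) from `klist` text output.

    tickets is a list of dicts with 'start' and 'expires' (datetime) and
    'service' (the service principal string).  "renew until" lines and the
    column header do not match TICKET_RE and are skipped."""
    cache = principal = None
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(line)
            if m:
                tickets.append({
                    "start": datetime.strptime(m.group(1), DATE_FMT),
                    "expires": datetime.strptime(m.group(2), DATE_FMT),
                    "service": m.group(3),
                })
    return cache, principal, tickets


def check_nfs_credentials(text, uid, nfs_server, realm, now):
    """Assess whether the cache described by `text` can back an NFS mount
    made by `uid` against `nfs_server` at time `now` (datetime or a string
    in DATE_FMT).  Returns a dict of findings; no claim is made about what
    the server will map the identity to."""
    if isinstance(now, str):
        now = datetime.strptime(now, DATE_FMT)
    cache, principal, tickets = parse_klist(text)
    m = CCACHE_UID_RE.match(cache or "")
    cache_uid = int(m.group(1)) if m else None
    tgt = "krbtgt/%s@%s" % (realm, realm)
    svc = "nfs/%s@%s" % (nfs_server, realm)

    def valid(service):
        return any(t["service"] == service and t["start"] <= now < t["expires"]
                   for t in tickets)

    # nfs/, host/ and root/ principals identify the client host, so a mount
    # backed by them shows the server the machine, not the person.
    first = principal.split("@")[0].split("/")[0] if principal else ""
    return {
        "cache": cache,
        "cache_uid": cache_uid,
        "cache_matches_uid": cache_uid == uid,
        "principal": principal,
        "machine_principal": first in ("nfs", "host", "root"),
        "tgt_valid": valid(tgt),
        "nfs_ticket_valid": valid(svc),
    }


if __name__ == "__main__":
    report = check_nfs_credentials(SAMPLE_KLIST, 1000, "server.domain.fr",
                                   "DOMAIN.FR", "10/09/2018 18:00:00")
    for key, value in report.items():
        print("%-18s %s" % (key, value))
```

Run against real output with `klist | python3 this_script.py`-style piping replaced by `check_nfs_credentials(sys.stdin.read(), os.getuid(), ...)`; the `cache_matches_uid` and `machine_principal` findings together say whether a non-root user is holding their own personal ticket or merely reusing the host's identity.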