[Samba] nfs root kerberos
Jason Keltz
jas at eecs.yorku.ca
Mon Nov 9 19:41:07 UTC 2020
Hi.
I have Samba AD configured correctly, and can mount kerberized NFS from
all the CentOS 7 clients. I'm not able to use "root" on the client even
though the NFS export specifies the no_root_squash option.
I completely understand that in order to use the "root" identity (which
doesn't exist as a user in the domain) on the NFS client, this identity
has to be mapped to somewhere else. That's why my samba config
specifies a file for "username map" which contains:
!root = SAMDOM\Administrator
I figured that I should just need to do a "kinit Administrator" on the
client, and take on the root identity, then I could write as root where
I have no_root_squash configured... However, when I tried this on a
client, I get a permission denied when trying to write.
I saw a reference to adding to /etc/idmapd.conf a static mapping:
Method = static,nsswitch
[Static]
MYHOST$@MYREALM = root
... but it's really not clear why this would be necessary if the
username map entry is working. I added this on the server and it's not
working either after restarting rpcidmapd.
I also saw a Red Hat document that talked about adding to /etc/krb5.conf:
[realms]
…
EXAMPLE.COM = {
…
auth_to_local = RULE:[2:$1/$2@$0](host/nfsclient.example.com@EXAMPLE.COM)s/.*/root/
auth_to_local = DEFAULT
}
... but that doesn't seem to change the permission denied.
Any feedback would be greatly appreciated.
Thanks!
Jason.
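
The auth_to_local lines quoted in the message above can be traced with a small model of the MIT krb5 rule semantics. This is an added example, not part of the original post and not Samba or krb5 code; the function names are hypothetical, EXAMPLE.COM is assumed to be the default realm, and only a single non-global s/// per rule is handled.

```python
import re

# Simplified model of MIT krb5 auth_to_local rules (assumption: at most one
# non-global s/pat/repl/ per RULE; all names here are illustrative).
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/)?")

def apply_rule(rule, principal, default_realm):
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, regexp, pat, repl = m.groups()
    if len(comps) != int(n):
        return None  # the principal must have exactly n components
    parts = [realm] + comps  # $0 is the realm, $1..$n the components
    selected = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
    if regexp is not None and not re.fullmatch(regexp, selected):
        return None  # the regexp has to match the whole selection string
    if pat is not None:
        selected = re.sub(pat, repl, selected, count=1)
    return selected

def auth_to_local(rules, principal, default_realm="EXAMPLE.COM"):
    """Return the local name from the first rule that matches, else None."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None

# The two auth_to_local lines from the krb5.conf excerpt in the message.
RULES = [
    "RULE:[2:$1/$2@$0](host/nfsclient.example.com@EXAMPLE.COM)s/.*/root/",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("host/nfsclient.example.com@EXAMPLE.COM",
              "host/otherclient.example.com@EXAMPLE.COM",  # constructed
              "Administrator@EXAMPLE.COM"):
        print(p, "->", auth_to_local(RULES, p))
```

Under these two rules only the two-component host principal of nfsclient.example.com maps to root; a single-component user principal falls through to DEFAULT and keeps its own name.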