Hello, I'm trying to set up a new NFSv4 server with Kerberos as authentication. The shares are exported as expected and I'm able to mount them using krb5i authentication on the NFS clients.
My problem is ownership and permission management on the exported shares. I need the shares and their content to be owned by root:root and read-write access by root to the shares on the clients is required. I understand that NFSv4 usually squashes root accesses and maps them to another UID/GID. This is turned off with 'no_root_squash'. Seems like that's not true in my case, or I'm missing something: When I set ownership of the exported shares to root:root on the server, root on the client is not allowed to write to them:

    client:~# mkdir /home/test
    mkdir: cannot create directory ‘/home/test’: Permission denied

If I chown the exported share to nobody:nogroup on the server, then I'm able to write as user root. But newly created files/dirs will be owned by nobody:nogroup and it's impossible to chown the objects afterwards.

My shares are configured the following way in /etc/exports on the NFS server:

    /export 192.168.0.1/24(sec=krb5i,rw,sync,no_subtree_check,no_root_squash,fsid=0)
    /export/home 192.168.0.1/24(sec=krb5i,rw,sync,no_subtree_check,no_root_squash)

And the client configuration (/etc/fstab) looks as follows:

    server:/home /home nfs4 sec=krb5i,bg 0 0

Is it possible to configure NFSv4+Kerberos in such a way that shares for root:root are writeable by clients and that I'm able to use/modify UID/GID based permissions/ownership on NFS shares from the client?

Btw, I didn't find relevant log entries either on client or on server, even though I enabled debug options for rpcmountd, idmapd and svcgssd.

I used the following documentation as reference for my setup:

    https://wiki.debian.org/NFS/Kerberos
    https://help.ubuntu.com/community/NFSv4Howto#NFSv4_with_Kerberos
    https://help.ubuntu.com/community/Kerberos
    http://wiki.ubuntuusers.de/Kerberos/NFS_mit_Kerberos_sichern

Cheers,
jonas

