On 06/28/2015 08:03 PM, Christian Seiler wrote: > On 06/28/2015 07:51 PM, Jonas Meurer wrote: >> root@clt# su -s /bin/sh -c "cat /var/vmail/test.txt" mail >> test >> root@clt# su -s /bin/sh -c "touch /var/vmail/test" mail >> touch: cannot touch ‘/var/vmail/test’: Permission denied >> >> The Kerberos ticket for local user 'mail' is managed by k5start: >> >> clt# ps -ef |grep k5start | grep mail >> root 8965 1 0 16:04 ? 00:00:00 /usr/bin/k5start -u \ >> mail/nfs-client -o mail -p /var/run/k5start-mail.pid -b \ >> -f /etc/krb5.keytab -L -K 30 >> >> I don't understand why I don't have write access to the share as client >> user 'mail' (authenticated to Kerberos server as 'mail/nfs-client'. > > What ticket cache is k5start using? Does the user k5mail have > access to it and does it know about it after su? > > What do the following commands say? > > su -s /bin/sh -c "echo $KRB5CCNAME" mail > su -s /bin/sh -c "klist" mail > > It appears to me that you are running k5start as root and it uses > the root user's default ticket cache - which as a) not known and > b) not accessible to the mail user. > > You will probably want to specify the -k /path/to/cache and -o mail > options to k5start - and you probably want to explicitly set > KRB5CCNAME=FILE:/path/to/cache before running anything as the user > mail.
Also, I just noticed that your principal name was mail/nfs-client. Did you set up idmapping on the server correctly for that to work? Because if you use nsswitch idmapping (i.e. using the same as libc to resolve uids/gids, also the default), that will never work; nsswitch idmapping will always just accept username@REALM as the principal. So you should either tell it to fetch the principal 'mail' or, if you insist on keeping mail/nfs-client, then you should do: - if you are using umich_ldap, you can additionally have the GSSAuthName LDAP attribute and set that to mail/nfs-client for the 'mail' user - or, you can also add a static mapping for just the mail user, mail/nfs-client, by editing the idmapd.conf on the server, where you should then set [Translation] GSS-Methods=static,VALUE_WHAT_IT_WAS_BEFORE [Static] mail/nfs-client@REALM = mail (If no GSS-Methods were specified, copy the contents of the Methods= settings to VALUE_WHAT_IT_WAS_BEFORE.) Note than however way you slice it, the mapping between Kerberos principal and user id has to be unique (and if different methods have different principals, the first one wins!), so that you can always only map a user to a single principal. (I therefore favor just using username@REALM because it makes life hell of a lot easier in the long run. But it's up to you.) Christian
signature.asc
Description: OpenPGP digital signature
