linux
mayorovp, 2012-02-07 14:05:02

nfs4 and kerberos: how does it even work?

On the Internet I found a bunch of how-tos for different distributions, but for some reason I could not find an explanation of how this combination works at all.

On whose behalf is the nfs client authorized on the nfs server? On behalf of the computer or on behalf of the user?

How is this name checked by the server? Where are permissions set? If with chmod, then how do uid, gid, and Kerberos accounts relate?

I'm starting to get the nagging feeling that I was deceived about the Kerberos support ...


1 answer(s)
DmZ, 2012-02-09
@DmZ

Maybe you read bad how-tos? It is written up very well here: NFS4Howto
Kerberos is used for user authentication (valid or not), while authorization (permissions on files) uses the standard nfs4 tools (idmapd).
Without Kerberos, the user is authenticated by the local system (PAM, for example). I.e., any local user who has authorization (permissions on files) can use the NFS share. With Kerberos, it is not enough for the user to have a local login: in order to use the share, they must have a valid ticket and the corresponding permissions on the files.
How Kerberos "accounts" are related depends on HOW the authentication system is configured. Kerberos is not responsible for authorization in this case, only for authentication.
For example, with Kerberos + LDAP + PAM, the user's uid/gid can be delivered from LDAP and, accordingly, will be the same everywhere.
If there is no central user store, then you need to resolve it through id mapping in NFS.
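
Added example, not part of the answer above: whether a share falls under the "without Kerberos" or the "with Kerberos" case described there is decided per export by the `sec=` option in `/etc/exports`, and exports(5) defaults to `sys` when the option is absent. This audit lists the entries that still accept a non-Kerberos flavor; the paths and client names in the sample are constructed.

```python
import re

KRB5_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample in exports(5) syntax; paths and client names are made up.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed)
/srv/home     *.example.test(rw,sec=krb5p)
/srv/projects 192.0.2.0/24(rw,sec=krb5:krb5i:krb5p)
/srv/scratch  192.0.2.0/24(rw,sec=sys:krb5)
/srv/legacy   oldbox.example.test(rw,no_root_squash)
/srv/pub      *(ro)
"""

def parse_exports(text):
    """Yield (path, client, flavors) for every client entry.

    Simplification: no quoted paths and no backslash line continuations.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients:
            m = re.fullmatch(r"([^()]*)\(([^()]*)\)", entry)
            client, opts = (m.group(1), m.group(2)) if m else (entry, "")
            flavors = []
            for opt in opts.split(","):
                if opt.startswith("sec="):
                    flavors += opt[4:].split(":")  # colon-separated flavor list
            # exports(5): with no sec= option the flavor is sys
            yield path, client or "*", flavors or ["sys"]

def audit(text):
    """Return (path, client, weak_flavors) for entries usable without a ticket."""
    findings = []
    for path, client, flavors in parse_exports(text):
        weak = [f for f in flavors if f not in KRB5_FLAVORS]
        if weak:
            findings.append((path, client, weak))
    return findings

if __name__ == "__main__":
    for path, client, weak in audit(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: accepts {','.join(weak)} (no ticket required)")
```
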
