gssapi / gssproxy

A proxy for GSSAPI | Docs at https://github.com/gssapi/gssproxy/tree/main/docs
Other
44 stars 28 forks source link

gssproxy breaks no_root_squash export option with knfsd #66

Open jtlayton opened 2 years ago

jtlayton commented 2 years ago

Trying to test krb5 NFS exports with the "no_root_squash" export option, but it's not working and any request from root on the client ends up getting squashed to nobody. The client defaults to using the machine credentials for the root account (nfs/@REALM).

The server kernel upcalls to gssproxy to ACCEPT_SEC_CONTEXT for the client's machine cred. It fails to match that to a local account on the server, and downcalls with the uid and gid set to -1. The kernel then just assumes that the account doesn't exist and maps it to "nobody".

I think for nfsd, we need for machine creds to be reported at uid=0/gid=0 and allow the kernel to decide whether to squash them or not. Is there an option for this already in gssproxy?

simo5 commented 2 years ago

Yes, you can map the machine keytab to root in krb5.conf auth_to_local facility.

Add somethign like this to the auth_to_local rules in the REALM section under [realms]:

RULE:[2:$1;$2](^host;my.keytab.hostname$)s/^.*$/root/

This would map a princiapl of host/my.keytab.hostname@MY.REALM to the user root.

simo5 commented 2 years ago

See auth_to_local diretive here: https://web.mit.edu/kerberos/krb5-1.20/doc/admin/conf_files/krb5_conf.html#realms