Creating files as root on krb5-secured NFS
When you create files as root on an NFS share that is mounted with Kerberos security, the files are written with the nfsnobody (on RHEL 7) or nobody (on RHEL 8) user and group by default. This happens because on a Kerberos-secured NFS mount a user is identified by the principal in an active Kerberos ticket, not by the local UID, and root is not treated as a special case by Kerberos: requests from root are authenticated with the client host's own ticket, and because the server has no local user for that host principal, the files are attributed to the anonymous user.
This procedure restores root ownership by mapping the client's host ticket to the server's superuser account. That makes superuser access on the export available to any process on the client that can use the host ticket, which in practice means every local root process. As a result, the NFS server keeps the root user and group on files that root creates.
Warning: This procedure is not recommended as a general practice and should be used only when you absolutely require this specific behavior. It weakens security: it effectively maps the local root user of the client, who has not authenticated to Kerberos as a person, to the superuser of the NFS server, so anyone who becomes root on the client becomes root on the export.
To limit the exposure, this procedure enables root access only for a single named client host, such as nfsclient.example.com, rather than for every host in the realm.
Prerequisites
- The NFS export is secured with the sec=krb5 option.
Procedure
- In the /etc/exports file on the NFS server host, add the no_root_squash option to the export entry for the named client host. Add it only to that host's entry, not to a wildcard or to other clients, because every host that receives it gains the root mapping. For example, for an export that is already secured with the sec=krb5 option:

    /root nfsclient.example.com(sec=krb5,rw,no_root_squash)

  Apply the change with exportfs -r.
- On the NFS server host, add the following auth_to_local lines to the block for your realm in the [realms] section of the /etc/krb5.conf file:

    [realms]
    …
    EXAMPLE.COM = {
        …
        auth_to_local = RULE:[2:$1/$2@$0](host/nfsclient.example.com@EXAMPLE.COM)s/.*/root/
        auth_to_local = DEFAULT
    }

  The rule applies to two-component principals, matches host/nfsclient.example.com@EXAMPLE.COM, and rewrites it to the local user root. Optionally, you can add additional auth_to_local = RULE:… lines; the rules are evaluated in order, and the auth_to_local = DEFAULT line must always be last.
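As an added pre-flight check (example code, not part of the Red Hat procedure), the following POSIX shell script validates both server-side edits against constructed copies of /etc/exports and /etc/krb5.conf: that no_root_squash is granted on a sec=krb5 export to the single named host and to nobody else, and that the realm block maps host/nfsclient.example.com@EXAMPLE.COM to root with auth_to_local = DEFAULT as its last auth_to_local line. The host, realm and export path are the ones used above; the function names, the sample files and the extra sec=sys export are assumptions. Point the two functions at the real files to use the check on a server.

```shell
#!/bin/sh
# Added example (not from the Red Hat procedure): pre-flight checks for the
# two edits above, run against constructed sample files so it works offline.

# check_export EXPORTS_FILE EXPORT_PATH CLIENT_HOST
# Succeeds only if EXPORT_PATH is exported to CLIENT_HOST with no_root_squash
# and a sec= list made solely of krb5 flavors (krb5, krb5i, krb5p), and no
# other host entry on that export carries no_root_squash.
check_export() {
  awk -v path="$2" -v client="$3" '
    /^[[:space:]]*#/ || NF < 2 { next }
    $1 == path {
      for (i = 2; i <= NF; i++) {
        n = index($i, "(")                      # split "host(opts)"
        if (n == 0) { host = $i; opts = "" }
        else { host = substr($i, 1, n - 1); opts = substr($i, n + 1); sub(/\)$/, "", opts) }
        squash_off = (opts ~ /(^|,)no_root_squash(,|$)/)
        krb5_only  = (opts ~ /(^|,)sec=krb5[ip]?(:krb5[ip]?)*(,|$)/)
        if (host == client) { if (squash_off && krb5_only) ok = 1 }
        else if (squash_off) leak = 1           # root mapping given to someone else
      }
    }
    END { if (ok && !leak) exit 0; exit 1 }' "$1"
}

# check_krb5_rule KRB5_CONF REALM CLIENT_HOST
# Succeeds only if the REALM block under [realms] contains an auth_to_local
# RULE of the form used above that rewrites host/CLIENT_HOST@REALM to root,
# and the last auth_to_local line of that block is DEFAULT.
check_krb5_rule() {
  awk -v realm="$2" -v client="$3" '
    { sub(/[[:space:]]+$/, "") }
    /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); in_block = 0; next }
    in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_block = 1; next }
    in_block && /^[[:space:]]*}/ { in_block = 0; next }
    in_block && $1 == "auth_to_local" && $2 == "=" {
      last = $3
      if (index($3, "RULE:[2:$1/$2@$0]") == 1 &&
          index($3, "(host/" client "@" realm ")") > 0 &&
          $3 ~ /s\/\.\*\/root\/$/)
        have_rule = 1
    }
    END { if (have_rule && last == "DEFAULT") exit 0; exit 1 }' "$1"
}

# Constructed sample files (assumptions; real paths are /etc/exports and /etc/krb5.conf).
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat > "$work/exports.good" <<'EOF'
/root    nfsclient.example.com(sec=krb5,rw,no_root_squash)
/srv/pub *(sec=sys,ro)
EOF

# no_root_squash handed to every host: the case the warning is about.
cat > "$work/exports.bad" <<'EOF'
/root    nfsclient.example.com(sec=krb5,rw,no_root_squash) *(sec=krb5,rw,no_root_squash)
EOF

cat > "$work/krb5.conf.good" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        auth_to_local = RULE:[2:$1/$2@$0](host/nfsclient.example.com@EXAMPLE.COM)s/.*/root/
        auth_to_local = DEFAULT
    }
EOF

# Same block with DEFAULT no longer last.
cat > "$work/krb5.conf.bad" <<'EOF'
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        auth_to_local = DEFAULT
        auth_to_local = RULE:[2:$1/$2@$0](host/nfsclient.example.com@EXAMPLE.COM)s/.*/root/
    }
EOF

for f in exports.good exports.bad; do
  if check_export "$work/$f" /root nfsclient.example.com; then
    echo "$f: no_root_squash limited to nfsclient.example.com on a krb5 export"
  else
    echo "$f: REJECTED"
  fi
done
for f in krb5.conf.good krb5.conf.bad; do
  if check_krb5_rule "$work/$f" EXAMPLE.COM nfsclient.example.com; then
    echo "$f: host principal maps to root, DEFAULT is last"
  else
    echo "$f: REJECTED"
  fi
done
```

Running it prints an accepted line for each good file and REJECTED for the two bad ones. The export check rejects a wildcard or second host carrying no_root_squash because that is exactly the scope the warning tells you not to widen; the krb5.conf check only recognizes the rule shape from step 2, so if you write the rule differently, adjust the pattern rather than trusting a rejection.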