Creating files as root on krb5-secured NFS


When you create files as root on the NFS share, the files are written with the nfsnobody (on RHEL 7) or nobody (on RHEL 8) user and group by default. This happens because only the users with active Kerberos tickets can access their files when you are using a Kerberos-secured NFS mount. This includes the root user because root is not treated as a special case by Kerberos.

This procedure adds back that functionality by mapping the client's host ticket to the server's superuser account, making superuser access available to any process that can access that host ticket. As a result, the NFS server keeps the root user and group on these files.

Warning: This procedure is not recommended as a general practice and should be used only when you absolutely require this specific behavior. It potentially weakens security by effectively mapping an unauthenticated local root user from the client into the superuser of the NFS server.

To improve security, this procedure enables root access only for a single named host, such as nfsclient.example.com.

Prerequisites

  • The NFS export is secured with the sec=krb5 option.

Procedure

  1. In the /etc/exports file on the NFS server host, add the no_root_squash option to the export configuration. For example:

    /root nfsclient.example.com(rw,no_root_squash)
    
  2. On the NFS server host, add the following to the /etc/krb5.conf file:

    [realms]
    …
    EXAMPLE.COM = {
    …
    auth_to_local = RULE:[2:$1/$2@$0](host/nfsclient.example.com@EXAMPLE.COM)s/.*/root/
    auth_to_local = DEFAULT
    }
    

    Optionally, you can add additional auth_to_local = RULE:… lines, but the auth_to_local = DEFAULT line must always be last.
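
How the rule list in step 2 is evaluated, as an added example (not part of the original article and not MIT krb5 code): a simplified Python model that assumes the regular expression must match the whole formatted principal. STRICT_RULES and the test principals are constructed for illustration; the strict variant writes the dots as [.] so that they match only a literal dot.

```python
import re

# Simplified model of how an auth_to_local list is evaluated (assumption: one
# optional (regexp) and one optional s/pat/repl/ per rule; not MIT krb5 code).
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/(.*?)/(.*?)/(g?))?$")

def apply_rule(rule, principal, default_realm):
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    n, fmt, regexp, pat, repl, gflag = m.groups()
    if len(comps) != int(n):
        return None                      # wrong number of components
    fields = [realm] + comps             # $0 = realm, $1..$n = components
    selected = re.sub(r"\$(\d)", lambda d: fields[int(d.group(1))], fmt)
    if regexp is not None and not re.fullmatch(regexp, selected):
        return None                      # regexp must cover the whole string
    if pat is not None:
        selected = re.sub(pat, repl, selected, count=0 if gflag else 1)
    return selected

def auth_to_local(rules, principal, default_realm="EXAMPLE.COM"):
    """Return the first mapping produced by the ordered rule list, else None."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None

# Rule list from the procedure above.
PAGE_RULES = [
    "RULE:[2:$1/$2@$0](host/nfsclient.example.com@EXAMPLE.COM)s/.*/root/",
    "DEFAULT",
]
# Constructed variant: dots written as [.] so they match only a literal dot.
STRICT_RULES = [
    "RULE:[2:$1/$2@$0](host/nfsclient[.]example[.]com@EXAMPLE[.]COM)s/.*/root/",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("host/nfsclient.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM",
              "host/other.example.com@EXAMPLE.COM",
              "host/nfsclientXexample.com@EXAMPLE.COM"):   # constructed names
        print(p, "->", auth_to_local(PAGE_RULES, p), "|", auth_to_local(STRICT_RULES, p))
```

A result of None means that no rule produced a local name, so the principal is not mapped to root on the server.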
