Date: Sun, 28 Jan 2024 19:37:48 +0000
From: Lexi Winter <lexi@le-fay.org>
To: freebsd-questions@freebsd.org
Subject: NFSv4, Kerberos and daily
Message-ID: <ZbatDPk2InCmTFZw@ilythia.eden.le-fay.org>

hello,

i have a system running FreeBSD 15.0 which has an NFS mount at /data/public from another FreeBSD system running 14.0:

hemlock.eden.le-fay.org:/public /data/public nfs rw,nfsv4,minorversion=2,sec=krb5p,gssname=host,bgnow,proto=tcp6,rsize=1048576,wsize=1048576,noncontigwr 0 0

every day, i get an email like this from periodic:

> Security check:
>
> Checking setuid files and devices:
> find: /data/public: Input/output error

the problem seems to be caused by the fact that periodic runs as root, so find(1) can't stat(2) the filesystem mounted on /data/public to discover it's on a different device:

# stat /data/public
NFSv4 error WrongSec: You probably need a Kerberos TGT
stat: /data/public: Input/output error

so my question is:

- is there a way to make root's accesses to Kerberized NFS mounts use the host ticket?
- is there a way to make the NFS server honour this and map the host ticket to the 'nobody' user (or something like that)?
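A diagnostic for the situation described in the message above, added here as an example and not part of the original e-mail: it lists the sec=krb5* NFS mount points in an fstab-format file and reports those the calling user (for example root without a ticket) cannot stat. The function names and every sample fstab entry other than the /data/public line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Usage: unreachable_krb5_mounts /etc/fstab

# Print the mount point (field 2) of every nfs entry whose options (field 4)
# include sec=krb5, sec=krb5i or sec=krb5p. Comments and short lines are skipped.
krb5_nfs_mounts() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == "nfs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^sec=krb5[ip]?$/) { print $2; break }
        }
    ' "$1"
}

# Return 0 if the caller can stat(2) the path, 1 otherwise. An I/O error
# such as the one shown in the message also makes this test fail.
can_stat() {
    [ -e "$1" ]
}

# Print each Kerberized NFS mount point listed in the fstab file $1 that the
# caller cannot stat. Returns 1 if at least one such mount point was found.
unreachable_krb5_mounts() {
    rc=0
    for mp in $(krb5_nfs_mounts "$1"); do
        can_stat "$mp" || { echo "$mp"; rc=1; }
    done
    return $rc
}

# Write a constructed sample fstab to the file $1. Only the /data/public
# line is taken from the message; the other entries are made up.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# Device                        Mountpoint    FStype  Options  Dump  Pass
/dev/ada0p2                     /             ufs     rw       1     1
hemlock.eden.le-fay.org:/public /data/public nfs rw,nfsv4,minorversion=2,sec=krb5p,gssname=host,bgnow,proto=tcp6,rsize=1048576,wsize=1048576,noncontigwr 0 0
files.example.org:/scratch      /mnt/scratch  nfs     rw,nfsv4,sec=sys  0  0
EOF
}
```

Run as root before the daily periodic job, a non-empty result shows which mounts will produce the Input/output error in the security e-mail.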