NFSv4, Kerberos and daily

From: Lexi Winter <lexi_at_le-fay.org>
Date: Sun, 28 Jan 2024 19:37:48 UTC

hello,

i have a system running FreeBSD 15.0 which has an NFS mount at
/data/public from another FreeBSD system running 14.0:

hemlock.eden.le-fay.org:/public	/data/public	nfs	rw,nfsv4,minorversion=2,sec=krb5p,gssname=host,bgnow,proto=tcp6,rsize=1048576,wsize=1048576,noncontigwr	0 0

every day, i get an email like this from periodic:

> Security check:
>
> Checking setuid files and devices:
> find: /data/public: Input/output error

the problem seems to be caused by the fact that periodic runs as root,
so find(1) can't stat(2) the filesystem mounted on /data/public to
discover it's on a different device:

# stat /data/public
NFSv4 error WrongSec: You probably need a Kerberos TGT
stat: /data/public: Input/output error

so my question is:

- is there a way to make root's accesses to Kerberized NFS mounts use
  the host ticket?

- is there a way to make the NFS server honour this and map the host
  ticket to the 'nobody' user (or something like that)?
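
Added example, not part of the original message: a small sh function that reads fstab-format input and lists the NFS mount points whose options request a Kerberos flavor (sec=krb5, krb5i or krb5p), that is, the mounts where a root-run job without a ticket can hit the error shown above. The function names krb_nfs_mounts and sample_fstab are hypothetical; the first sample line is the entry from the message, the rest are constructed.

```shell
#!/bin/sh
# List NFS mount points that use a Kerberos security flavor.
# Input: fstab-format text on stdin. Output: "<mountpoint>\t<flavor>" per match.
krb_nfs_mounts() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and malformed lines
        $3 != "nfs"          { next }      # only NFS entries carry sec=
        {
            n = split($4, opt, ",")        # field 4 is the option list
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^sec=krb5[ip]?$/) {
                    print $2 "\t" substr(opt[i], 5)
                    break
                }
            }
        }
    '
}

# Sample input. Line 1 is the fstab entry from the message; every other
# line is constructed for this example.
sample_fstab() {
    cat <<'EOF'
hemlock.eden.le-fay.org:/public /data/public nfs rw,nfsv4,minorversion=2,sec=krb5p,gssname=host,bgnow,proto=tcp6,rsize=1048576,wsize=1048576,noncontigwr 0 0
# nfs.example.org:/old /data/old nfs rw,nfsv4,sec=krb5i 0 0
nfs.example.org:/scratch /data/scratch nfs rw,nfsv4,sec=sys 0 0
nfs.example.org:/home /data/home nfs rw,nfsv4,sec=krb5i,gssname=host 0 0
/dev/ada0p2 / ufs rw 1 1
EOF
}

# Run against the sample; on a real host use: krb_nfs_mounts < /etc/fstab
sample_fstab | krb_nfs_mounts
```

Running stat on each listed mount point as root reproduces the check that fails in the periodic report.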