NFSv4, Kerberos and daily
Date: Sun, 28 Jan 2024 19:37:48 UTC
hello,

i have a system running FreeBSD 15.0 which has an NFS mount at /data/public from another FreeBSD system running 14.0:

hemlock.eden.le-fay.org:/public /data/public nfs rw,nfsv4,minorversion=2,sec=krb5p,gssname=host,bgnow,proto=tcp6,rsize=1048576,wsize=1048576,noncontigwr 0 0

every day, i get an email like this from periodic:

> Security check:
>
> Checking setuid files and devices:
> find: /data/public: Input/output error

the problem seems to be caused by the fact that periodic runs as root, so find(1) can't stat(2) the filesystem mounted on /data/public to discover it's on a different device:

# stat /data/public
NFSv4 error WrongSec: You probably need a Kerberos TGT
stat: /data/public: Input/output error

so my question is:

- is there a way to make root's accesses to Kerberized NFS mounts use the host ticket?
- is there a way to make the NFS server honour this and map the host ticket to the 'nobody' user (or something like that)?