
H-NAS Kerberos permissions issues.

Question asked by Bart Keys on Apr 15, 2018
Latest reply on Apr 17, 2018 by Bart Keys

We've set up Kerberos authentication on the H-NAS; however, once connected, the users' permissions don't appear to work.


Background:

I've turned numeric IDs on ("pn all set nfsv4-names-are-numeric-ids true"), as we needed this functionality to resolve this issue:

"There are no errors seen on the client, but after running "chown" the desired changes do not take effect" https://knowledge.hds.com/Knowledge/Storage/Network%255FAttached%255FStorage/Hitachi%255FNAS%255FPlatform/Red%255FHat%25…


Kerberos is set up:


3090Qu-2[testevs2]:$ krb5-realm

Kerberos Realm: IPA.UNIMELB.EDU.AU


3090Qu-2[testevs2]:$ krb5-keytab list

Service Principal                                         Key Version Encryption Type

--------------------------------------------------------- ----------- ------------------------------

nfs/3090-q-testevs2.ipa.unimelb.edu.au@IPA.UNIMELB.EDU.AU           1           AES256: HMAC-SHA1-96

nfs/3090-q-testevs2.ipa.unimelb.edu.au@IPA.UNIMELB.EDU.AU           1           AES128: HMAC-SHA1-96

nfs/3090-q-testevs2.ipa.unimelb.edu.au@IPA.UNIMELB.EDU.AU           1                 DES3: CBC-SHA1

nfs/3090-q-testevs2.ipa.unimelb.edu.au@IPA.UNIMELB.EDU.AU           1                  RC4: HMAC-MD5

4 entries

3090Qu-2[testevs2]:$


The NAS share has the following access configuration:

*(sec=krb5:krb5i:krb5p)


And is mounted with what appear to be appropriate krb tokens.


9770v-999905-l$ whoami

testuser@unimelb.edu.au


9770v-999905-l$ klist

Ticket cache: FILE:/tmp/krb5cc_1388813135

Default principal: testuser@UNIMELB.EDU.AU


Valid starting Expires            Service principal

16/04/18 10:20:52 16/04/18 20:20:52  krbtgt/UNIMELB.EDU.AU@UNIMELB.EDU.AU

      renew until 17/04/18 10:20:49

16/04/18 10:20:54 16/04/18 20:20:52  krbtgt/IPA.UNIMELB.EDU.AU@UNIMELB.EDU.AU

      renew until 17/04/18 10:20:49

16/04/18 10:20:54 16/04/18 20:20:52  nfs/3090-q-testevs2.ipa.unimelb.edu.au@IPA.UNIMELB.EDU.AU

      renew until 17/04/18 10:20:49


9770v-999905-l$ mount | egrep mnt1

3090-q-testevs2.ipa.unimelb.edu.au:/testvv on /mnt1 type nfs4 (rw,relatime,vers=4.0,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=172.25.176.72,local_lock=none,addr=172.25.177.2)


ISSUE:


We can successfully mount the share on the server, but we are unable to create or modify files in the expected manner with a user account.


9770v-999905-l$ pwd

/mnt1


9770v-999905-l$ touch foobar

touch: setting times of 'foobar': Permission denied


9770v-999905-l$ ls -l foobar

-rw-rw-r-- 1 root 4294967294 0 Apr 16 11:36 foobar


I would have expected that the file would have the uid/gid of the creating user, in this case "testuser".


Help would be greatly appreciated.


Thanks
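The symptoms in the post (file owned by root, group 4294967294, cross-realm principals) are the classic signs of an NFSv4 identity-mapping failure. The following diagnostic is an added example, not code from the thread or from Hitachi: it parses the mount line, the `ls -l` line and the two principals quoted above (embedded here as constructed sample strings mirroring the post) and reports each observable mapping problem.

```python
import re

# Constructed sample values copied from the post's output; not live data.
MOUNT_LINE = ("3090-q-testevs2.ipa.unimelb.edu.au:/testvv on /mnt1 type nfs4 "
              "(rw,relatime,vers=4.0,sec=krb5,clientaddr=172.25.176.72,addr=172.25.177.2)")
LS_LINE = "-rw-rw-r-- 1 root 4294967294 0 Apr 16 11:36 foobar"
CLIENT_PRINCIPAL = "testuser@UNIMELB.EDU.AU"
SERVER_PRINCIPAL = "nfs/3090-q-testevs2.ipa.unimelb.edu.au@IPA.UNIMELB.EDU.AU"

# (uint32)-2: the id an NFSv4 client reports when an owner@domain string cannot be mapped.
UNMAPPED_ID = 2**32 - 2

def parse_mount_opts(line):
    """Turn the '(opt,key=value,...)' part of a mount line into a dict."""
    opts = re.search(r"\((.*)\)", line).group(1).split(",")
    return dict(o.split("=", 1) if "=" in o else (o, True) for o in opts)

def parse_ls(line):
    """Extract mode, owner, group and name from one 'ls -l' line."""
    fields = line.split(None, 8)
    return {"mode": fields[0], "owner": fields[2], "group": fields[3], "name": fields[8]}

def realm(principal):
    return principal.rsplit("@", 1)[1]

def diagnose(mount_line, ls_line, user, client_principal, server_principal):
    """Return a list of id-mapping findings for a file created by `user` over NFSv4."""
    findings = []
    opts = parse_mount_opts(mount_line)
    if not str(opts.get("sec", "sys")).startswith("krb5"):
        findings.append("mount is not using a krb5 security flavour")
    if not str(opts.get("vers", "")).startswith("4"):
        findings.append("name-based id mapping only applies to NFSv4 mounts")
    entry = parse_ls(ls_line)
    for field in ("owner", "group"):
        if entry[field] == str(UNMAPPED_ID):
            findings.append(f"{field} of {entry['name']} is {UNMAPPED_ID}: "
                            "the client could not map the name sent by the server")
    if entry["owner"] != user:
        findings.append(f"{entry['name']} is owned by {entry['owner']}, expected {user}: "
                        "the server did not map the Kerberos principal to that user")
    if realm(client_principal) != realm(server_principal):
        findings.append("client and server principals are in different realms "
                        "(cross-realm): check the NFSv4 idmap domain on both sides")
    return findings

if __name__ == "__main__":
    for f in diagnose(MOUNT_LINE, LS_LINE, "testuser", CLIENT_PRINCIPAL, SERVER_PRINCIPAL):
        print("-", f)
```

Run against the values from the post it reports three findings: the unmapped group id, the root ownership, and the realm mismatch, while the `sec=krb5` and `vers=4.0` options pass.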
