<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Help with Kerberos / NFS and k5login in ONTAP Discussions</title>
    <link>https://community.netapp.com/t5/ONTAP-Discussions/Help-with-Kerberos-NFS-and-k5login/m-p/159824#M36508</link>
    <description>&lt;P&gt;Thank you&amp;nbsp;&lt;a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/11621"&gt;@parisi&lt;/a&gt;&amp;nbsp;for your time.&lt;/P&gt;</description>
    <pubDate>Wed, 30 Sep 2020 13:56:16 GMT</pubDate>
    <dc:creator>Warren_B</dc:creator>
    <dc:date>2020-09-30T13:56:16Z</dc:date>
    <item>
      <title>Help with Kerberos / NFS and k5login</title>
      <link>https://community.netapp.com/t5/ONTAP-Discussions/Help-with-Kerberos-NFS-and-k5login/m-p/159757#M36496</link>
      <description>&lt;P&gt;Hello! I do apologise if the following is confusing. &lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have a question regarding Kerberos NFS shares on our Netapps which are mounted on Linux ( RHEL78 ) in a Windows AD environment.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This all worked well and was surprisingly easy to set up. A user logs into a Windows desktop then they ssh to a Linux system which has various nfs mounts using sec=krb5 of our Netapp ( Ontap 9.7 ). The Kerberos ticket which is issued on the Windows desktop is forwarded to the Linux server which allows login and access to the mounted NFS share ( using Kerberos ).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The only issue we have is when we add k5login into the mix. I should add that when the NFS file systems use sec=sys k5login also works perfectly, so the issue is only when we have k5login + sec=krb5 ( or better ).&lt;/P&gt;
&lt;P&gt;As you know, k5login could allow user A ( with principal A ) to log in to the server as user B. The ticket is forwarded so when they ( A ) log in as B and do a klist on the server they will see the principal listed for A.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The issue is then the Netapp seems to treat the user as being user A and not user B. This is not unsurprising since user B has the ticket for A.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Given this, is there any way that the Netapp can be told to respect the k5login file and to allow user A the access normally afforded to user B?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have also looked at user mapping on the Netapp, and there I can map user A -&amp;gt; B, which does work. But I need a way of allowing both A and B access as their respective users. Can anything else be done on the Netapp side? Perhaps I have missed something obvious that can be done on the Linux side?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;To confuse myself further: if user B logs into the server as user B ( with all of the usual Kerberos goodness ), then disconnects, and then user A logs in as B, everything works as I would hope and full access is given. The Netapp treats B as the native B user.&lt;/P&gt;
&lt;P&gt;If I then clear the kerberos-context-cache then I am back to where I started and user B is given only the access rights of user A.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you made it this far I appreciate your time! If I can provide anything more ( or try and clarify anything I have said ), let me know.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Warren&lt;/P&gt;</description>
      <pubDate>Wed, 04 Jun 2025 10:52:09 GMT</pubDate>
      <guid>https://community.netapp.com/t5/ONTAP-Discussions/Help-with-Kerberos-NFS-and-k5login/m-p/159757#M36496</guid>
      <dc:creator>Warren_B</dc:creator>
      <dc:date>2025-06-04T10:52:09Z</dc:date>
    </item>
    <item>
      <title>Re: Help with Kerberos / NFS and k5login</title>
      <link>https://community.netapp.com/t5/ONTAP-Discussions/Help-with-Kerberos-NFS-and-k5login/m-p/159787#M36502</link>
      <description>&lt;P&gt;I don't think there's any way around this from the NetApp side, as we cache the ticket and name mapping.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You could flush the caches as you have done, but there's no way to map a user to multiple users.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 13:28:56 GMT</pubDate>
      <guid>https://community.netapp.com/t5/ONTAP-Discussions/Help-with-Kerberos-NFS-and-k5login/m-p/159787#M36502</guid>
      <dc:creator>parisi</dc:creator>
      <dc:date>2020-09-29T13:28:56Z</dc:date>
    </item>
    <item>
      <title>Re: Help with Kerberos / NFS and k5login</title>
      <link>https://community.netapp.com/t5/ONTAP-Discussions/Help-with-Kerberos-NFS-and-k5login/m-p/159824#M36508</link>
      <description>&lt;P&gt;Thank you&amp;nbsp;&lt;a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/11621"&gt;@parisi&lt;/a&gt;&amp;nbsp;for your time.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 13:56:16 GMT</pubDate>
      <guid>https://community.netapp.com/t5/ONTAP-Discussions/Help-with-Kerberos-NFS-and-k5login/m-p/159824#M36508</guid>
      <dc:creator>Warren_B</dc:creator>
      <dc:date>2020-09-30T13:56:16Z</dc:date>
    </item>
  </channel>
</rss>

