Hello! I do apologise if the following is confusing.
I have a question regarding Kerberos NFS shares on our Netapps which are mounted on Linux (RHEL78) in a Windows AD environment.
This all worked well and was surprisingly easy to set up. A user logs into a Windows desktop, then they ssh to a Linux system which has various NFS mounts using sec=krb5 of our Netapp (Ontap 9.7). The Kerberos ticket which is issued on the Windows desktop is forwarded to the Linux server, which allows login and access to the mounted NFS share (using Kerberos).
The only issue we have is when we add k5login into the mix. I should add that when the NFS file systems use sec=sys k5login also works perfectly, so the issue is only when we have k5login + sec=krb5 ( or better ).
As you know, k5login could allow user A (with principal A) to login to the server as user B. The ticket is forwarded, so when they (A) log in as B and do a klist on the server they will see the principal listed for A.
The issue is then the Netapp seems to treat the user as being user A and not user B. This is not unsurprising since user B has the ticket for A.
Given this, is there any way that the Netapp can be told to respect the k5login file and to allow user A the access normally afforded to user B?
I have also looked at user mapping on the Netapp, and there I can map user A -> B, which does work. But I need a way of allowing both A and B access as their respective users. Can anything else be done on the Netapp side? Perhaps I have missed something obvious that can be done on the Linux side?
To confuse myself further: if user B logs into the server as user B (with all of the usual Kerberos goodness), then disconnects, and then user A logs in as B, everything works as I would hope and full access is given. The Netapp treats B as the native B user.
If I then clear the kerberos-context-cache, then I am back to where I started and user B is given only the access rights of user A.
If you made it this far I appreciate your time! If I can provide anything more (or try and clarify anything I have said), let me know.
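The behaviour in the question comes from two separate decisions that happen to use the same ticket: the Linux host consults .k5login to decide whether principal A may log in as Unix user B, while an NFS server doing RPCSEC_GSS only ever sees the Kerberos principal that authenticated and derives its identity from that, not from the local login name. The following model, added here as an illustration and not code from MIT Kerberos, RHEL or ONTAP, shows both decisions side by side; the `name_mapping` dictionary stands in for the Netapp name-mapping the poster tried, and the realm and user names are constructed sample values.

```python
"""Model of two independent decisions made during a k5login + sec=krb5 session:

1. k5login_allows(): the local host's authorization check (may principal P
   become Unix user U?).
2. nfs_identity(): the identity an NFS server assigns to the GSS session,
   which depends only on the authenticating principal.

Illustrative code only; it reproduces the documented rules, not any vendor
implementation. Realm, users and mappings below are constructed examples.
"""
from typing import Dict, List, Optional

DEFAULT_REALM = "EXAMPLE.COM"  # assumption: the Linux host's default realm


def k5login_allows(principal: str, target_user: str,
                   k5login: Optional[List[str]]) -> bool:
    """Return True if `principal` may log in as `target_user`.

    With a .k5login present, the principal must match one line exactly.
    Without one, only target_user@DEFAULT_REALM may log in as target_user.
    """
    if k5login is None:
        return principal == f"{target_user}@{DEFAULT_REALM}"
    return any(line.strip() == principal for line in k5login if line.strip())


def nfs_identity(principal: str, name_mapping: Dict[str, str]) -> str:
    """Identity an NFS server assigns to an RPCSEC_GSS (sec=krb5*) session.

    The server is not told the local Unix user; it authenticates the principal
    carried in the forwarded credential and maps that. Default rule: the name
    part of the principal. An explicit entry (modelling ONTAP name-mapping)
    overrides the default for that principal.
    """
    name = principal.partition("@")[0]
    return name_mapping.get(principal, name)


def session(principal: str, target_user: str,
            k5login: Optional[List[str]],
            name_mapping: Dict[str, str]) -> dict:
    """Simulate 'ssh as target_user with a forwarded ticket, then touch NFS'."""
    if not k5login_allows(principal, target_user, k5login):
        return {"login": False, "unix_user": None, "nfs_user": None}
    return {
        "login": True,
        "unix_user": target_user,                       # what `id` shows
        "nfs_user": nfs_identity(principal, name_mapping),  # what the server sees
    }


if __name__ == "__main__":
    # Constructed scenario from the question: B's .k5login lists A's principal.
    b_k5login = ["a@EXAMPLE.COM"]

    # No server-side mapping: login succeeds as b, but NFS acts as a.
    print(session("a@EXAMPLE.COM", "b", b_k5login, {}))

    # Mapping a -> b fixes that session but now a can no longer be a on NFS.
    mapped = {"a@EXAMPLE.COM": "b"}
    print(session("a@EXAMPLE.COM", "b", b_k5login, mapped))
    print(session("a@EXAMPLE.COM", "a", None, mapped))
```

Running the script prints the three outcomes the poster describes: with no mapping the Unix user is `b` while the NFS identity is `a`; with a per-principal mapping the NFS identity becomes `b` for both sessions, which is why a mapping alone cannot let A and B each act as themselves. Nothing in the model has access to the Unix uid, which is the point: a per-principal mapping cannot express "A acting as B in this session but as A in another".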