SpaceBass (Cadet) - Joined Jul 4, 2023 - Messages: 5
hey folks, I could use some help thinking this through.
TL;DR - can I mount an NFSv4 with KRB5 sec at boot? Will the mounting user have a ticket? How do you handle the auto mounting of KRB5 mounts?
Big picture: I have some servers where particular services run as a domain user. On the FreeBSD boxes it is as simple as changing the rc.d scripts to the right user or adding a user line to rc.conf. On Ubuntu servers I change the systemd files.
I'm trying to deploy a new NFSv4 export to those servers. In Core the ACLs on the dataset allow domain/userABC and domain/group123 full RW.
On the clients, for example, I have /mnt/newexport and newexport is owned by userABC:group123
This export needs to be mounted at boot in order to be accessible to the services that will use it.
If I test on a macOS client it works. I get a ticket as user123 and I can mount, read, and write to the export.
But on Ubuntu, as user123 with a ticket, I get errors:
mount.nfs4: failed to apply fstab options
Before I start trying to solve that issue... is this a failed idea? At boot, won't fstab entries be mounted as root? And if so, root won't have a ticket. So won't the mount fail? I guess I could specify the user ID in the mount, but still the user won't have a ticket.
I'd love some help thinking this through. I'd like to do better than host specific IP restrictions on the export.
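An added example, not from the post above and not TrueNAS or nfs-utils project code, showing how a Linux NFS client separates the two credentials behind a `sec=krb5` mount at boot: root's mount is authenticated by rpc.gssd with the machine credential in `/etc/krb5.keytab` (an `nfs/<fqdn>` or `host/<fqdn>` key, so root never runs kinit), while each UID that then touches the export needs its own ticket in a credential cache gssd can find. The script renders the fstab entry, checks a keytab listing for a usable machine principal, and renders a systemd service plus timer that keeps a keytab-based ticket for the service user. The server name, realm, export path, keytab paths, user name and UID are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the forum post: how a Linux NFS client handles the
# two Kerberos credentials behind a sec=krb5 mount at boot.
#
#  * The boot-time mount is done by root. rpc.gssd authenticates it with the
#    machine credential from /etc/krb5.keytab (an nfs/<fqdn>@REALM or
#    host/<fqdn>@REALM key), so root never needs kinit.
#  * Each UID that then reads or writes the export needs its own ticket in a
#    credential cache gssd can find (by default /tmp/krb5cc_<uid>).
#
# Hostnames, realm, paths, user name and UID below are assumed placeholders.
set -eu

REALM="EXAMPLE.COM"
SERVER="nas.example.com"
EXPORT="/mnt/pool/newexport"
MOUNTPOINT="/mnt/newexport"
SVC_USER="userabc"          # the domain user the service runs as
SVC_UID="10001"             # its numeric UID on the client
SVC_KEYTAB="/etc/keytabs/${SVC_USER}.keytab"

# /etc/fstab entry: root mounts it, gssd supplies the machine credential.
# _netdev defers the mount until the network is up; x-systemd.automount
# mounts on first access so a slow KDC or NAS does not block boot.
fstab_line() {
    printf '%s:%s %s nfs4 sec=krb5,_netdev,x-systemd.automount 0 0\n' \
        "$SERVER" "$EXPORT" "$MOUNTPOINT"
}

# Check that the output of `klist -k /etc/krb5.keytab` (fed on stdin) has a
# principal gssd can use as this client's machine credential. Exit 0 = yes.
# Usage: klist -k /etc/krb5.keytab | has_machine_cred "$(hostname -f)" "$REALM"
# (dots in the fqdn act as regex wildcards; harmless for this check)
has_machine_cred() {
    fqdn="$1"; realm="$2"
    grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+(nfs|host)/${fqdn}@${realm}$"
}

# systemd oneshot unit that puts a ticket for the service user into
# /tmp/krb5cc_<uid>, the cache gssd looks up for that UID. Save it as
# <user>-krb5.service, run it from the timer below so the ticket is refreshed
# before it expires, and give the consuming service After= and Wants= on it.
ticket_unit() {
    user="$1"; uid="$2"; keytab="$3"; principal="$4"
    cat <<EOF
[Unit]
Description=Kerberos ticket for $user (NFS sec=krb5)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
User=$user
Environment=KRB5CCNAME=FILE:/tmp/krb5cc_$uid
ExecStart=/usr/bin/kinit -k -t $keytab $principal

[Install]
WantedBy=multi-user.target
EOF
}

# Matching timer (<user>-krb5.timer): first run shortly after boot, then
# every 6h, well inside a typical ticket lifetime.
ticket_timer() {
    user="$1"
    cat <<EOF
[Unit]
Description=Refresh Kerberos ticket for $user

[Timer]
OnBootSec=30s
OnUnitActiveSec=6h
Unit=${user}-krb5.service

[Install]
WantedBy=timers.target
EOF
}

# Render everything when invoked as: sh this.sh render
if [ "${1:-}" = "render" ]; then
    fstab_line
    ticket_unit "$SVC_USER" "$SVC_UID" "$SVC_KEYTAB" "${SVC_USER}@${REALM}"
    ticket_timer "$SVC_USER"
fi
```

Two things this relies on: rpc.gssd must actually be running on the client (`systemctl status rpc-gssd`), and the NAS side needs its own `nfs/<nas-fqdn>@REALM` key in its keytab, otherwise the mount fails before any user ticket matters. The credential cache path is set explicitly because gssd looks for `/tmp/krb5cc_<uid>` unless told otherwise; if your krb5.conf uses a different `default_ccache_name`, point gssd at it or keep the explicit `KRB5CCNAME` as shown.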