NFS shared directory permission (rhel6)

夜神 岩男 supergiantpotato at yahoo.co.jp
Tue Aug 2 17:32:00 UTC 2011


On 08/03/2011 02:05 AM, Tom H wrote:

> NFSv4 works without Kerberos or LDAP/NIS/NIS+.

Of course it does, but can the permissions be exported per user by 
UID/GID mask or are the exports still blanket ro/rw (which is the real 
point of this thread)? Further, can you escape from the nfs_mount_t 
context and give native SELinux contexts to the export on the client 
side with this setup?

(That would be really cooking from one perspective, but also pretty 
insecure without authentication -- which is why I had always been under 
the impression that this was specifically forbidden.)

> The username and idmapd domain have to match (perhaps the UID too but
> I've never tried different UIDs as you suggest above and the
> description of idmapd does say that the ID is sent as
> username at domain).

That would be neat.

Can you direct me to a sample idmapd configuration that achieves this: 
rpc.idmapd + hostname-declared domains that are common (does DNS need to 
be enabled for this?) + /etc/passwd and /etc/group files + NFSv4 UIDs 
and GIDs accurately mapped for permissions across exports (not just ro 
or blanket rw).

It could fill in some holes and perhaps I've just never been able to 
find the right way to make idmapd domains stick with SELinux enabled 
without using some form of authentication. Is sssd or nslcd or nscd 
required somewhere in there, or do these just satisfy Kerberos requirements?

If I can get a configuration like this working it would help the OP in 
the short run, and provide more insight for the tutorial I want to write.

-Iwao
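The pieces Iwao lists above (a common idmapd domain on both hosts, matching /etc/passwd and /etc/group entries, and per-directory export options rather than one blanket ro/rw) can at least be checked for consistency before a mount is attempted. The script below is an added example; it is not from this thread, from nfs-utils, or from the OP's setup. Every file body in it is a constructed sample, the Domain key lives in idmapd.conf's [General] section as rpc.idmapd expects, and the checks only compare files: they do not settle the per-user permission question the message raises.

```shell
#!/bin/sh
# Added example (not part of the thread): consistency checks for the parts of
# an idmapd-based NFSv4 setup that the message lists. All file contents are
# constructed samples embedded inline so the script runs offline.

# Constructed /etc/idmapd.conf as it might appear on both client and server.
SAMPLE_IDMAPD='[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = lab.example

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
'

# Constructed server-side /etc/exports with per-directory options.
SAMPLE_EXPORTS='/srv/nfs4         10.0.0.0/24(rw,sync,root_squash,fsid=0)
/srv/nfs4/public  10.0.0.0/24(ro,sync,root_squash)
/srv/nfs4/scratch 10.0.0.0/24(rw,sync,no_root_squash)
'

# Constructed /etc/passwd excerpts from the server and from a client; bob has
# been given a different UID on the client on purpose.
SAMPLE_PASSWD_SERVER='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
'
SAMPLE_PASSWD_CLIENT='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1005:1005::/home/bob:/bin/bash
'

# idmapd_domain CONF_TEXT -> prints the Domain value from the [General] section
idmapd_domain() {
    printf '%s\n' "$1" | awk -F= '
        /^\[/ { sect = $0 }
        sect == "[General]" && $1 ~ /^[ \t]*Domain[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# domains_match CLIENT_CONF SERVER_CONF -> succeeds only when both files carry
# the same non-empty Domain (the mismatch case is the usual "everything maps to
# nobody" symptom on the client)
domains_match() {
    c=$(idmapd_domain "$1")
    s=$(idmapd_domain "$2")
    [ -n "$c" ] && [ "$c" = "$s" ]
}

# unsquashed_exports EXPORTS_TEXT -> prints export paths that set no_root_squash,
# i.e. where a client root stays root on the server
unsquashed_exports() {
    printf '%s\n' "$1" | awk '$0 !~ /^[ \t]*#/ && $0 ~ /no_root_squash/ { print $1 }'
}

# uid_diffs PASSWD_A PASSWD_B -> prints users present in both files whose
# numeric UID differs, one per line, sorted
uid_diffs() {
    {
        printf '%s\n' "$1" | awk -F: 'NF >= 3 { print "A", $1, $3 }'
        printf '%s\n' "$2" | awk -F: 'NF >= 3 { print "B", $1, $3 }'
    } | awk '
        $1 == "A" { a[$2] = $3 }
        $1 == "B" { b[$2] = $3 }
        END { for (u in a) if ((u in b) && a[u] != b[u]) print u }' | sort
}

# Report on the constructed samples.
echo "idmapd domain: $(idmapd_domain "$SAMPLE_IDMAPD")"
if domains_match "$SAMPLE_IDMAPD" "$SAMPLE_IDMAPD"; then
    echo "client/server idmapd domains agree"
fi
echo "exports without root_squash:"
unsquashed_exports "$SAMPLE_EXPORTS"
echo "users with differing UIDs between server and client:"
uid_diffs "$SAMPLE_PASSWD_SERVER" "$SAMPLE_PASSWD_CLIENT"
```

On real hosts the three sample strings would be replaced by `cat /etc/idmapd.conf`, `cat /etc/exports` and the two passwd files; the script only reads and compares them, so it is safe to run on a box where nothing has been mounted yet.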
