Help with Kerberos / NFS and k5login

Hello! I do apologise if the following is confusing.

I have a question regarding Kerberos NFS shares on our Netapps which are mounted on Linux (RHEL78) in a Windows AD environment.

This all worked well and was surprisingly easy to set up. A user logs into a Windows desktop, then they ssh to a Linux system which has various NFS mounts using sec=krb5 from our Netapp (ONTAP 9.7). The Kerberos ticket which is issued on the Windows desktop is forwarded to the Linux server, which allows login and access to the mounted NFS share (using Kerberos).

The only issue we have is when we add k5login into the mix. I should add that when the NFS file systems use sec=sys, k5login also works perfectly, so the issue is only when we have k5login + sec=krb5 (or better).

As you know, k5login could allow user A (with principal A) to log in to the server as user B. The ticket is forwarded, so when they (A) log in as B and do a klist on the server they will see the principal listed for A.

The issue is then that the Netapp seems to treat the user as being user A and not user B. This is not surprising, since user B has the ticket for A.

Given this, is there any way that the Netapp can be told to respect the k5login file and to allow user A the access normally afforded to user B?

I have also looked at user mapping on the Netapp, and there I can map user A -> B, which does work. But I need a way of allowing both A and B access as their respective users. Can anything else be done on the Netapp side? Perhaps I have missed something obvious that can be done on the Linux side?

To confuse myself further: if user B logs into the server as user B (with all of the usual Kerberos goodness), then disconnects, and then user A logs in as B, everything works as I would hope and full access is given. The Netapp treats B as the native B user.

If I then clear the kerberos-context-cache, I am back to where I started and user B is given only the access rights of user A.

If you made it this far, I appreciate your time! If I can provide anything more (or try to clarify anything I have said), let me know.

Warren
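The mismatch described in the post, modelled as an added illustration (not code from the poster or from ONTAP): a .k5login entry authorises the local login as user B, but the forwarded credential cache still names principal A, and a sec=krb5 NFS server derives its identity from that principal, optionally rewritten by a server-side name-mapping rule. The realm, user names and mapping table below are constructed.

```python
"""Why k5login and sec=krb5 NFS disagree about who the user is.

Constructed model: login authorisation consults ~B/.k5login, while the
NFS identity is taken from the principal in the forwarded ticket cache.
"""
from dataclasses import dataclass
from typing import Dict, Optional

REALM = "EXAMPLE.COM"  # constructed realm name for the illustration


def k5login_permits(principal: str, target_user: str,
                    k5login_text: Optional[str]) -> bool:
    """Emulate the .k5login check for target_user's home directory.
    Without a .k5login file only the user's own principal may log in."""
    if k5login_text is None:
        return principal == f"{target_user}@{REALM}"
    allowed = {line.strip() for line in k5login_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    return principal in allowed


def nfs_krb5_identity(cache_principal: str, mappings: Dict[str, str]) -> str:
    """Identity a sec=krb5 NFS server assigns: the principal's name part,
    rewritten when a server-side name-mapping rule (A -> B) matches."""
    name = cache_principal.split("@", 1)[0]
    return mappings.get(name, name)


@dataclass
class Session:
    login_user: str  # uid the shell runs as (decided by k5login)
    nfs_user: str    # identity the Kerberos NFS server sees


def ssh_session(principal: str, target_user: str,
                k5login_text: Optional[str],
                mappings: Dict[str, str]) -> Optional[Session]:
    """Forwarded ticket + k5login login; None when the login is refused."""
    if not k5login_permits(principal, target_user, k5login_text):
        return None
    # Delegation forwards the ticket unchanged: the cache still names `principal`,
    # so the NFS server never learns that the shell belongs to target_user.
    return Session(login_user=target_user,
                   nfs_user=nfs_krb5_identity(principal, mappings))
```

With the mapping rule present, principal A is presented to NFS as B even when A logs in as A, which is the loss of "both A and B as their respective users" the post describes.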