
Bug#753732: NFS sec=krb5 does not work with cross-realm

From Arne Nordmark <nordmark@mech.kth.se>
Newsgroups linux.debian.bugs.dist, linux.debian.kernel
Subject Bug#753732: NFS sec=krb5 does not work with cross-realm
Date 2015-07-13 08:10 +0200
Message-ID <pLF69-1vh-9@gated-at.bofh.it> (permalink)
References <nAcOB-12U-9@gated-at.bofh.it> <nAcOB-12U-9@gated-at.bofh.it>
Organization KTH/Mekanik

Cross-posted to 2 groups.

On Fri, 04 Jul 2014 16:36:12 +0200 Jaap Winius <jwinius@umrk.nl> wrote:
> Package: nfs-common
> Version: 1.2.6-4
> 
> NFS with sec=krb5i or sec=krb5p using MIT Kerberos does not work when  
> cross-realm authentication is used -- only when clients have a  
> Kerberos ticket for the same realm. This happens consistently and in  
> cases when cross-realm authentication does work with other services on  
> the same machine, such as SSH.
> 

...

> The second set involves a user account with the same name, jwinius,  
> but with a Kerberos ticket from a different, albeit trusted realm:  
> UMRK.NL. This always results in an authentication failure:

...

> The user experience ends with a "Permission denied" message, although  
> the client does receive a Kerberos service ticket despite the failure.  
> The rpc.idmapd daemon seems to translate the jwinius@UMRK.NL account  
> to "jwinius@dapadam.nl" with user ID 10000. In some situations this  
> might be incorrect, but here it's okay because both accounts belong to  
> the same person.
> 
> When authentication fails, the only evidence that I can see for this  
> in the server's log output is in the fifth line shown:  
> "nss_gss_princ_to_ids: Local-Realm 'UMRK.NL': NOT FOUND". Apparently,  
> the local Kerberos KDC is not interrogated and the trust entry for the  
> UMRK.NL realm is never discovered.

You have not included the content of /etc/idmapd.conf.

There are several options for translating principals, and if user names
are the same in both realms a simple line like

Local-Realms: DAPADAM.NL, UMRK.NL

might do it.

Arne Nordmark
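The Local-Realms check Arne points at, as an added example in Python (not code from the report or from nfs-utils): it models the realm test the nsswitch idmap method applies to a GSS principal, and assumes the server's own realm is DAPADAM.NL and a constructed passwd table standing in for getpwnam().

```python
# Added example, not from the bug report or nfs-utils: a small model of the
# realm check that libnfsidmap's nsswitch method applies to a GSS principal.
# PASSWD is a constructed stand-in for getpwnam(); uid 10000 is the value
# the report mentions for jwinius.
PASSWD = {"jwinius": 10000, "root": 0}


def princ_to_uid(principal, local_realms, passwd=PASSWD):
    """Map 'user@REALM' to a uid. Returns (uid, None) on success or
    (None, reason) on failure, where reason mirrors the log line
    "Local-Realm '<realm>': NOT FOUND" quoted in the report."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return None, f"no realm in principal {principal!r}"
    # A principal is only treated as a local account if its realm is in
    # Local-Realms; otherwise the name part is never looked up at all.
    # Listing a realm here means every 'jwinius@THAT.REALM' becomes the
    # local jwinius, so only realms whose account namespace you trust belong
    # in the list.
    if realm not in local_realms:
        return None, f"Local-Realm '{realm}': NOT FOUND"
    uid = passwd.get(name)
    if uid is None:
        return None, f"local user '{name}': NOT FOUND"
    return uid, None


def parse_local_realms(line):
    """Parse an idmapd.conf 'Local-Realms: A, B' line into a list."""
    key, _, value = line.partition(":")
    if key.strip() != "Local-Realms":
        raise ValueError("not a Local-Realms line")
    return [r.strip() for r in value.split(",") if r.strip()]


def compare(principal):
    """The failing configuration from the report beside the suggested fix."""
    before = princ_to_uid(principal, parse_local_realms("Local-Realms: DAPADAM.NL"))
    after = princ_to_uid(principal,
                         parse_local_realms("Local-Realms: DAPADAM.NL, UMRK.NL"))
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), compare("jwinius@UMRK.NL")):
        print(label, result)
```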


