3.2.12

nfs keytabs: The Whole Truth

OK guys. It's official. The news you've all been waiting for. You don't need nfs/client.domain entries in the client keytab: rpc.gssd will happily pick up the host/client.domain entry, or the AD-style CLIENT$ machine account, instead. It's oh so obvious when you look at the oh so clear Linux documentation. Two caveats before you go deleting things: the client keytab still needs one of those machine credentials, and this is about the client only; the NFS server still needs its nfs/server.domain key, because that is the service principal clients ask the KDC for a ticket to.

Here is the horse's mouth, disguised as the sssd mailing list. Thanks, Timo.

[SSSD] sssd and kerberos.
Timo Aaltonen tjaalton at cc.hut.fi 
Thu Aug 5 15:25:48 UTC 2010
On Thu, 5 Aug 2010, Patrik Martinsson wrote:
> Hey,
>
> I got this working today with these settings,
>
> ldap_uri = ldap://foo.bar
> ldap_sasl_mech = gssapi
> ldap_krb5_keytab = /etc/krb5.keytab
> ldap_sasl_authid = nfs/xx.xxxx.xx
....
<snip>
Looks like you need kerberized NFS? See this patch that I made for 
nfs-utils:
http://users.tkk.fi/~tjaalton/0001-Check-for-AD-style-machine-principal-name.patch
still not accepted upstream, but I'm hoping for the best. With this you 
don't need to add "nfs/*" UPNs, gssd will initialize and use HOSTNAME$ 
just fine.
Maybe a similar approach could be used with sssd, so there would be no 
need to specify the authid (which is different for every hostname)?
ps. still fighting with the installation.. so can't test the above and 
post logs just yet. Tomorrow, I promise :)
-- 
Timo Aaltonen
Systems Specialist, Aalto IT


Confirmation from rpc.gssd(8):
Previously, rpc.gssd used only "nfs/*" keys found within the keytab. To be more consistent with other implementations, we now look for specific keytab entries. The search order for keytabs to be used for "machine credentials" is now:
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
So now you know.
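If you want to check a client keytab against that list before the first kerberized mount, here is a small script I am adding to this page (it is not nfs-utils code and not from the mailing list above). It replays the rpc.gssd(8) search order over the output of `klist -k` and prints the principal the daemon would pick. The `klist -k` listings, the hostname client.example.com and the realm EXAMPLE.COM are all constructed for the example; the HOSTNAME$ form is assumed to be the short hostname upper-cased with a trailing `$`, which is the AD machine-account convention.

```shell
#!/bin/sh
# Added example, not nfs-utils code: replay the machine-credential search
# order from rpc.gssd(8) against a `klist -k` listing, so a client keytab
# can be checked offline before the first kerberized NFS mount.

# The documented search order. Placeholders: %H = short hostname upper-cased
# with a trailing '$' (assumed AD machine-account form), %h = full hostname,
# %a = any instance name.
GSSD_SEARCH_ORDER='%H root/%h nfs/%h host/%h root/%a nfs/%a host/%a'

# Keep only the principal column of a `klist -k` listing read from stdin
# (entry rows start with a numeric KVNO; header and separator rows do not).
klist_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# gssd_pick_machine_cred HOSTNAME REALM < klist-output
# Prints the first principal rpc.gssd would use as the machine credential.
# Returns 1 and prints nothing when no entry in the keytab qualifies.
gssd_pick_machine_cred() {
    host=$1
    realm=$2
    short=$(printf '%s' "$host" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    princs=$(klist_principals)
    for pat in $GSSD_SEARCH_ORDER; do
        case $pat in
            '%H')  want="${short}\$@${realm}";            mode=fixed ;;
            */%h)  want="${pat%/%h}/${host}@${realm}";   mode=fixed ;;
            */%a)  want="^${pat%/%a}/[^/@]+@${realm}\$"; mode=regex ;;
        esac
        # Exact string match for the four host-specific forms, a regex for
        # the <anyname> forms (the realm is not regex-escaped; good enough
        # for a sanity check, not for input you do not control).
        if [ "$mode" = fixed ]; then
            match=$(printf '%s\n' "$princs" | grep -Fx -- "$want" | head -n 1)
        else
            match=$(printf '%s\n' "$princs" | grep -E -- "$want" | head -n 1)
        fi
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
            return 0
        fi
    done
    return 1
}

# Constructed `klist -k` listings for a client named client.example.com.
SAMPLE_AD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM
   2 CLIENT$@EXAMPLE.COM'

SAMPLE_LEGACY_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/client.example.com@EXAMPLE.COM
   5 nfs/client.example.com@EXAMPLE.COM'

SAMPLE_HOST_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client.example.com@EXAMPLE.COM'

SAMPLE_USER_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 alice@EXAMPLE.COM'

# Walk the constructed samples and report which principal would be used.
for name in SAMPLE_AD_KEYTAB SAMPLE_LEGACY_KEYTAB SAMPLE_HOST_KEYTAB SAMPLE_USER_KEYTAB; do
    eval "listing=\$$name"
    if pick=$(printf '%s\n' "$listing" | gssd_pick_machine_cred client.example.com EXAMPLE.COM); then
        printf '%-21s -> %s\n' "$name" "$pick"
    else
        printf '%-21s -> no usable machine credential\n' "$name"
    fi
done
```

On a real client, feed it the actual keytab: `klist -k /etc/krb5.keytab | gssd_pick_machine_cred "$(hostname -f)" EXAMPLE.COM`. The samples make the ordering visible: with both host/ and CLIENT$ present the machine account wins, with both host/ and nfs/ present nfs/ wins because it sits above host/ in the list, a keytab with only host/ still works, and a keytab holding only a user principal gives rpc.gssd nothing to use.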