[36053] in Kerberos


Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter

daemon@ATHENA.MIT.EDU (Will Fiveash)
Tue Apr 15 17:49:33 2014

Date: Tue, 15 Apr 2014 16:48:49 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Nico Williams <nico@cryptonector.com>
Message-ID: <20140415214849.GA28700@oracle.com>
Mail-Followup-To: Nico Williams <nico@cryptonector.com>,
	Simo Sorce <simo@redhat.com>, "kerberos@mit.edu" <kerberos@mit.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAK3OfOjGiWOpVSDgA4ZvjiTh1iuv0ZSr3Bv0U+3gnJA42=bDtA@mail.gmail.com>
Cc: Simo Sorce <simo@redhat.com>, "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, Apr 15, 2014 at 02:34:11PM -0500, Nico Williams wrote:
> On Tue, Apr 15, 2014 at 2:22 PM, Will Fiveash <will.fiveash@oracle.com> wrote:
> > But if this is a work laptop, which is typically a single user system
> > and operates as a client in various contexts, requiring IT provision it
> > with a keytab seems onerous to me.  Note that a Solaris NFS v3 client
> > does not require root have a krb cred to operate, even when
> > automounting -- it only requires the user that triggered the automount
> > have a krb cred.
> 
> What should happen is that there should be a way to enroll a device.

If a keytab is really needed.  On the other hand, if a laptop is only
acting as a client then why bother?  Assuming the logged-in user has a
way of acquiring their krb cred that's all they should need if the
laptop is acting as an NFS, ssh or any other client that tries to do
gss/krb auth.

-- 
Will Fiveash
Oracle Solaris Software Engineer
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
