[36482] in Kerberos
Re: How to use NFS with multiple principals in different realms?
daemon@ATHENA.MIT.EDU (Cedric Blancher)
Wed Sep 17 16:46:50 2014
In-Reply-To: <20140917110528.130aeb7b@willson.usersys.redhat.com>
Date: Wed, 17 Sep 2014 22:30:29 +0200
Message-ID: <CALXu0UcQ9YGTLnrjs5+AmVstAWmZ1QcNqOVeYyE-b_ktbfqvjw@mail.gmail.com>
From: Cedric Blancher <cedric.blancher@gmail.com>
To: Simo Sorce <simo@redhat.com>
Cc: Jurjen Bokma <j.bokma@rug.nl>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
Steve Dickson <steved@redhat.com>, kerberos <kerberos@mit.edu>
On 17 September 2014 17:05, Simo Sorce <simo@redhat.com> wrote:
> On Wed, 17 Sep 2014 13:20:19 +0200
> Cedric Blancher <cedric.blancher@gmail.com> wrote:
>
>> What happens if there is no relation between KRB Realm names and
>> FQDN/DNS? Can the NFS client find out which KRB Realm is used by the
>> server?
>
> Depending on the environment you may have 1 or 2 ways.
>
> 1. add domain to realm mapping in the appropriate section in krb5.conf
> on the client.
> 2. allow the KDC to send back a referral (but not all clients will ask
> their own KDC, some can do only 1).

But how can 1. help? Sure I can have my own krb5.conf but AFAIK
rpc.gssd only looks at the system /etc/krb5.conf and not at any custom
user defined location. Basically mount(8) would have to pass the
location of the custom krb5.conf file to rpc.gssd to facilitate the
mount, right?

I *think* we have a bigger problem here: Kerberos5 support in NFS
appears to be designed around the philosophy of one realm per machine
(one-to-rule-them-all) and not that a single user or machine has
mounts from many different realms, right?

Ced
--
Cedric Blancher <cedric.blancher@gmail.com>
Institute Pasteur
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
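
An added example, not part of the original thread: a simplified Python model of how a `[domain_realm]` section (way 1 in the quoted reply) maps a server's host name to a realm when the realm name has no relation to DNS. The realm names, host names and function names are constructed for illustration, and the lookup order (exact host entry first, then each parent domain written with a leading dot) is a model of the MIT krb5 behaviour, not its code.

```python
# Added example: simplified model of [domain_realm] lookup in krb5.conf.
# All realm and host names below are constructed for illustration.

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = HOME.EXAMPLE

[domain_realm]
    nfs1.storage.example.org = LAB.EXAMPLE
    .storage.example.org = CAMPUS.EXAMPLE
    .example.net = PARTNER.EXAMPLE
"""


def parse_domain_realm(text):
    """Return the [domain_realm] section as a {name: REALM} dict."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()     # entering a new section
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm    # host/domain names are lower case
    return mapping


def realm_for_host(hostname, mapping):
    """Exact host entry wins; otherwise the longest matching '.domain' entry."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # walk up through parent domains
        domain = "." + ".".join(labels[i:])
        if domain in mapping:
            return mapping[domain]
    return None  # no mapping on the client: it has to learn the realm another way


if __name__ == "__main__":
    table = parse_domain_realm(SAMPLE_KRB5_CONF)
    for h in ("nfs1.storage.example.org", "nfs2.storage.example.org",
              "files.example.net", "host.other.example"):
        print(h, "->", realm_for_host(h, table))
```
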