SV: SV: pkinit and nfs
Martinsson Patrik
patrik.martinsson at smhi.se
Mon Oct 17 04:42:47 EDT 2011
Yes, this is definitely a reason why it should.
The krb5-auth-dialog is using gconf as a separate config source, which makes it possible to use PKCS11:path-to-smartcardlib for only that application.
So basically I've got pam and krb5-auth-dialog using the correct pkinit_identities option, and with kinit we manually have to specify it with the -X option.
/Patrik
-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov]
Sent: 14 October 2011 20:31
To: Martinsson Patrik
Cc: kerberos at mit.edu
Subject: Re: SV: pkinit and nfs
On 10/14/2011 11:54 AM, Martinsson Patrik wrote:
> Hi Douglas,
>
> Thanks a bunch for the suggestion, I thought I tried it before, but
> with no success. However I thought I would give it one more try, so I
> added,
>
> preauth_options = X509_user_identity=PKCS11:/usr/lib/libiidp11.so
>
> to our appdefaults pam section and it worked like a charm.
>
>
> I tried to do the same with a kinit-specific section, but that didn't work. I'm not sure how kinit reads the options; if I manually add "-X X509_user_identity=PKCS11:/usr/lib/libiidp11.so" to the command line, it works as expected. I wonder though if it's possible to make kinit work with options from the appdefaults kinit section, and if it is, how they should look in the config file. Does anyone know this, or where I can find documentation about how kinit reads options?
>
Looks like kinit.c does not use the krb5_appsdefault() to get additional options. This is a good case for why it should.
> Getting pam working is kind of enough though; if the user specifically needs to run kinit, he/she can add the option manually.
>
>
> /Patrik
>
>
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On behalf of
> Douglas E. Engert
> Sent: 14 October 2011 17:26
> To: kerberos at mit.edu
> Subject: Re: pkinit and nfs
>
>
>
> On 10/14/2011 3:56 AM, Martinsson Patrik wrote:
>> Hi everybody,
>>
>> We use pkinit and smartcard authentication at our company, we have
>> configured it as follows,
>>
>> =
>> /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = FOO.AD
>> clockskew = 300
>> forwardable = true
>> allow_weak_crypto = true
>>
>> # Pkinit options
>> pkinit_identities = PKCS11:/usr/lib/libiidp11.so
>> pkinit_anchors = FILE:/etc/openldap/cacerts/ROOTCA.cer
>> pkinit_anchors = FILE:/etc/openldap/cacerts/ISSUING.cer
>> pkinit_kdc_hostname = server.ad.foo
>> pkinit_eku_checking = kpServerAuth
>> pkinit_cert_match = matchingrule
>> =
>>
>> The above config works as expected.
>>
>> However, if we try to mount NFS with Kerberos, for example with the
>> following command,
>>
>> mount -t nfs4 -o sec=krb5 fs:/vol/ /nfstest/
>>
>> rpc.gssd segfaults, and if you look in its log you will see,
>>
>> --
>> No key table entry found for XYZ$@FOO.AD E while getting keytab entry for 'XYZ.FOO.AD $@FOO.AD'
>> No key table entry found for root/xyz.foo.ad at FOO.AD while getting keytab entry for 'root/foo.ad at FOO.AD'
>> Success getting keytab entry for 'nfs/xyz.foo.ad at FOO.AD'
>> Segmentation fault
>> --
>>
>>
>> If we remove the pkinit-options, the mount works like expected and
>> you will see something like this in the log for rpc.gssd,
>>
>> --
>> No key table entry found for XYZ$@FOO.AD E while getting keytab entry for 'XYZ.FOO.AD $@FOO.AD'
>> No key table entry found for root/xyz.foo.ad at FOO.AD while getting keytab entry for 'root/foo.ad at FOO.AD'
>> Success getting keytab entry for 'nfs/xyz.foo.ad at FOO.AD'
>> Successfully obtained machine credentials for principal 'nfs/xyz.foo.ad at FOO.AD' stored in ccache 'FILE:/tmp/krb5cc_machine_FOO.AD'
>
>
> You may want to try and move the pkinit_identities to an appdefault section in the krb5.conf, for pam or kinit or other application that can use pkinit.
>
>> --
>>
>>
>> So, basically my question is,
>>
>> How do I set up krb5.conf so that NFS does not use pkinit, while a regular "kinit" should still use pkinit?
>>
>> Am I missing something ?
>>
>> Any hints are more than welcome.
>> We are using RHEL 6.1 btw.
>>
>> Best regards,
>> Patrik Martinsson, Sweden.
>>
>>
>>
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
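For readers arriving at this thread with the same rpc.gssd crash, here is the split configuration the thread converges on, written out as one file. This is an added editorial example, not a config posted by either participant: the realm, CA paths and PKCS#11 module path are copied from Patrik's original krb5.conf, the [appdefaults] pam block is the one he reports working, and the decision to leave pkinit_anchors and the other pkinit_* options in [libdefaults] (so that the pinned KDC identity and EKU check still apply when pam_krb5 triggers pkinit) is an assumption on my part; the thread only says that pkinit_identities was the option to move. The placeholder pkinit_cert_match line from the original is omitted.

```ini
# /etc/krb5.conf (added example; see the lead-in for what is assumed)

[libdefaults]
    default_realm = FOO.AD
    clockskew = 300
    forwardable = true
    # Inherited from the thread's config. It re-enables DES and other weak
    # enctypes library-wide; drop it unless the KDC really still needs them.
    allow_weak_crypto = true

    # pkinit settings shared by every pkinit client stay library-wide, but
    # there is deliberately NO pkinit_identities here: a library-wide PKCS#11
    # identity is also picked up by rpc.gssd, which only wants its keytab.
    pkinit_anchors = FILE:/etc/openldap/cacerts/ROOTCA.cer
    pkinit_anchors = FILE:/etc/openldap/cacerts/ISSUING.cer
    pkinit_kdc_hostname = server.ad.foo
    pkinit_eku_checking = kpServerAuth

[appdefaults]
    # pam_krb5 reads this block and passes preauth_options to the preauth
    # plugins, so only PAM logins (and krb5-auth-dialog via its own gconf
    # setting) see the smart card; rpc.gssd never does.
    pam = {
        preauth_options = X509_user_identity=PKCS11:/usr/lib/libiidp11.so
    }
```

With this layout the check is the one in Patrik's first mail: `mount -t nfs4 -o sec=krb5 fs:/vol/ /nfstest/` should succeed and the rpc.gssd log should end with "Successfully obtained machine credentials for principal 'nfs/xyz.foo.ad@FOO.AD'" instead of a segfault, while a PAM login still prompts for the card. As Douglas points out, the kinit of that era does not consult [appdefaults], so an interactive `kinit` still needs `-X X509_user_identity=PKCS11:/usr/lib/libiidp11.so` on the command line.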