Fw: SSO with telnet/rlogin/rsh

Ido Levy IDOL at il.ibm.com
Mon Jan 28 06:10:56 EST 2008


Hello,

We are trying to compile nfs-utils-1.0.11 on RHEL 5.1 and get the following
error:

configure: error: Unable to locate information required to use
librpcsecgss.  If you have pkgconfig installed, you might try setting
environment variable PKG_CONFIG_PATH to /usr/local/lib/pkgconfig

We have pkgconfig RPM, pkgconfig-0.21-1.fc6, installed and contain the
following files:
/usr/bin/pkg-config
/usr/lib/pkgconfig
/usr/share/aclocal/pkg.m4
/usr/share/man/man1/pkg-config.1.gz

We try to set PKG_CONFIG_PATH to /usr/lib/pkgconfig but it doesn't help the
same error appears again.

Any advice would be appreciated

Thanks,

Ido Levy



                                                                           
             "Kevin Coffman"                                               
             <kwc at citi.umich.e                                             
             du>                                                        To 
             Sent by:                  Ido Levy/Haifa/IBM at IBMIL            
             kwcoffman at gmail.c                                          cc 
             om                        kerberos at mit.edu, Olga              
                                       Dodin/Haifa/IBM at IBMIL               
                                                                   Subject 
             01/15/2008 06:05          Re: Fw: SSO with telnet/rlogin/rsh  
             PM                                                            
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




The latest versions of rpc.gssd look at file ownership rather than the
name.  (It does narrow the field by looking for "krb5cc_*", then
looking at file ownership.)  This change went into nfs-utils-1.0.11.

Unfortunately, gssd has no access to the user's environment variables
and cannot use that to determine the credentials cache file to use
when creating a context.

K.C.

On Jan 15, 2008 9:53 AM, Ido Levy <IDOL at il.ibm.com> wrote:
>
> We did a dipper investigation of this issue and found out that the
> difference between sshd and telnetd is in the user credential cache file
> name.
> While ssh to the machine the credential cache file name is composed using
> the numeric uid of the user like /tmp/krb5cc_XXXX. On the other hand
while
> telnet to the machine the credential cache file name is composed using
the
> telnet process number.
> As a result rpc.gssd is unable to find the credential cache file for the
> user since it tries to look for the files having the numeric uid as part
of
> their name.
>
> In the /tmp directory the following file was created:
>
>       ls -ltr /tmp/krb5cc_*
>       -rw------- 1 user_name bin 431 Jan 15 16:41 /tmp/krb5cc_p3715
>
> Note that 3715 is the pid of the telnet process.
>
> Following is the output of the rpc.gssd daemon when we use telnet to
enter
> the machine:
>
> xinetd[3713]: START: telnet pid=3715 from=x.xxx.xx.xx
> rpc.gssd[1934]: handling krb5 upcall
> rpc.gssd[1934]: Using keytab file '/etc/krb5.keytab'
> rpc.gssd[1934]: INFO: Credentials in CC
'MEMORY:/tmp/krb5cc_machine_REALM'
> are good until 1200491925
> rpc.gssd[1934]: using MEMORY:/tmp/krb5cc_machine_REALM as credentials
cache
> for machine creds
> rpc.gssd[1934]: using environment variable to select krb5 ccache
> MEMORY:/tmp/krb5cc_machine_REALM
> rpc.gssd[1934]: creating context using fsuid 0 (save_uid 0)
> rpc.gssd[1934]: creating tcp client for server nfs_server.domain
> rpc.gssd[1934]: creating context with server nfs at nfs_server.domain
> rpc.gssd[1934]: DEBUG: serialize_krb5_ctx: lucid version!
> rpc.gssd[1934]: prepare_krb5_rfc1964_buffer: serializing keys with
enctype
> 4 and length 8
> rpc.gssd[1934]: doing downcall
> rpc.gssd[1934]: handling krb5 upcall
> rpc.gssd[1934]: getting credentials for client with uid XXXX for server
> nfs_server.domain
> rpc.gssd[1934]: using FILE:/tmp/krb5cc_XXXX as credentials cache for
client
> with uid XXXX for server nfs_server.domain
> rpc.gssd[1934]: using environment variable to select krb5 ccache
> FILE:/tmp/krb5cc_XXXX
> rpc.gssd[1934]: creating context using fsuid XXXX (save_uid 0)
> rpc.gssd[1934]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified
> GSS failure.  Minor code may provide more information - No credentials
> cache found
> rpc.gssd[1934]: WARNING: Failed while limiting krb5 encryption types for
> user with uid XXXX
> rpc.gssd[1934]: WARNING: Failed to create krb5 context for user with uid
> XXXX for server nfs_server.domain
> rpc.gssd[1934]: doing error downcall
>
>
> Ido & Olga
>
>              Ido
>              Levy/Haifa/IBM
>
To
>              01/07/2008              kerberos at mit.edu
>              11:08 PM
cc
>
>
Subject
>                                      SSO with telnet/rlogin/rsh
>
>
>
>
>
>
>
>
>
> Hello,
>
> I am trying to set up SSO in a Linux environment which has the following
> components up and running:.
>
>       Kerberos 5
>       LDAP
>       Kerberized NFSv4 ( security flavor krb5 )
>       Automount
>
> When using ssh everything works fine, tickets ( for both user and nfs )
are
> forward and when the user login to a machine both tickets are set.
> Unfortunately when using telnet/rlogin/rsh ( the ones that shipped with
> krb5-workstation ) the user login to the machine
> but fails to cd to his home directory which is automounted using
kerberized
> ( kerberos 5 ) NFSv4.
> When issuing 'klist -5' just the user principal is presented and not the
> NFS principal.
>
> Does anyone successfully set SSO with telnet/rlogin/rsh in a kerberized
> NFSv4 environment when using automount.
>
> Thanks,
>
> Ido Levy
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>





More information about the Kerberos mailing list