pkinit and nfs

Martinsson Patrik patrik.martinsson at smhi.se
Fri Oct 14 04:56:31 EDT 2011


Hi everybody,

We use pkinit and smartcard authentication at our company, we have configured it as follows,

=
/etc/krb5.conf

[libdefaults]
default_realm = FOO.AD
clockskew = 300
forwardable = true
allow_weak_crypto     = true

# Pkinit options
pkinit_identities   = PKCS11:/usr/lib/libiidp11.so
pkinit_anchors      = FILE:/etc/openldap/cacerts/ROOTCA.cer
pkinit_anchors      = FILE:/etc/openldap/cacerts/ISSUING.cer
pkinit_kdc_hostname = server.ad.foo
pkinit_eku_checking = kpServerAuth
pkinit_cert_match   = matchingrule
=

The above config works as expected.

However, if we try to mount NFS with Kerberos, with for example the following command,
mount -t nfs4 -o sec=krb5 fs:/vol/ /nfstest/
rpc.gssd segfaults, and if you look in its log you will see,

--
No key table entry found for XYZ$@FOO.AD E while getting keytab entry for 'XYZ.FOO.AD $@FOO.AD'
No key table entry found for root/xyz.foo.ad@FOO.AD while getting keytab entry for 'root/foo.ad@FOO.AD'
Success getting keytab entry for 'nfs/xyz.foo.ad@FOO.AD'
Segmentation fault
--


If we remove the pkinit options, the mount works as expected and you will see something like this in the rpc.gssd log,

--
No key table entry found for XYZ$@FOO.AD E while getting keytab entry for 'XYZ.FOO.AD $@FOO.AD'
No key table entry found for root/xyz.foo.ad@FOO.AD while getting keytab entry for 'root/foo.ad@FOO.AD'
Success getting keytab entry for 'nfs/xyz.foo.ad@FOO.AD'
Successfully obtained machine credentials for principal 'nfs/xyz.foo.ad@FOO.AD' stored in ccache 'FILE:/tmp/krb5cc_machine_FOO.AD'
--


So, basically my question is,

How do I set up krb5.conf so that NFS does not use pkinit, while a regular "kinit" still uses pkinit?

Am I missing something?

Any hints are more than welcome.
We are using RHEL 6.1 btw.

Best regards,
Patrik Martinsson, Sweden.
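The pkinit_* options in the post sit under [libdefaults], which MIT krb5 reads for every process that links libkrb5 on the host, so rpc.gssd picks up pkinit_identities just as an interactive kinit does. A quick way to see that scope is to parse the file and list where each pkinit_* key lives. The following is an added example, not code from the post or from the MIT krb5 project: a small krb5.conf parser that keeps duplicate keys (pkinit_anchors is legitimately repeated), follows `name = { ... }` groups under [realms], and reports every pkinit_* option with its section. GLOBAL_PKINIT_CONF is constructed to mirror the post's [libdefaults]; REALM_PKINIT_CONF is a constructed variant with the same options moved under the FOO.AD realm, included only to show how the parser reports a different scope, not as a claim that it resolves the rpc.gssd crash.

```python
# Added example (not from the original post): minimal krb5.conf parser that
# reports the scope of every pkinit_* option. Both sample configs below are
# constructed for this example and are not real files from the thread.
import re
from collections import defaultdict

# Constructed: the [libdefaults] block as it appears in the post.
GLOBAL_PKINIT_CONF = """
[libdefaults]
default_realm = FOO.AD
clockskew = 300
forwardable = true
allow_weak_crypto     = true

# Pkinit options
pkinit_identities   = PKCS11:/usr/lib/libiidp11.so
pkinit_anchors      = FILE:/etc/openldap/cacerts/ROOTCA.cer
pkinit_anchors      = FILE:/etc/openldap/cacerts/ISSUING.cer
pkinit_kdc_hostname = server.ad.foo
pkinit_eku_checking = kpServerAuth
pkinit_cert_match   = matchingrule
"""

# Constructed: the same kind of options scoped to one realm under [realms].
REALM_PKINIT_CONF = """
[libdefaults]
default_realm = FOO.AD

[realms]
FOO.AD = {
    kdc = server.ad.foo
    pkinit_identities = PKCS11:/usr/lib/libiidp11.so
    pkinit_anchors = FILE:/etc/openldap/cacerts/ROOTCA.cer
}
"""

_SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: [(key, value), ...]}.

    Duplicate keys are kept in file order (krb5.conf allows repeating
    pkinit_anchors, for example). Keys inside a 'name = { ... }' group are
    reported as 'name.key' so the realm they belong to stays visible.
    """
    sections = defaultdict(list)
    current = None
    group = []  # stack of enclosing 'name = {' groups
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current, group = m.group(1), []
            continue
        if current is None:
            continue  # ignore anything before the first section header
        if line == "}":
            if group:
                group.pop()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                group.append(key)  # start of a nested group, e.g. a realm
                continue
            sections[current].append((".".join(group + [key]), value))
    return dict(sections)


def pkinit_scope(text):
    """Return [(section, key, value)] for every pkinit_* option, in file order."""
    found = []
    for section, pairs in parse_krb5_conf(text).items():
        for key, value in pairs:
            if key.rsplit(".", 1)[-1].startswith("pkinit_"):
                found.append((section, key, value))
    return found


def global_pkinit_keys(text):
    """Distinct pkinit_* keys set in [libdefaults], i.e. applied host-wide to
    every libkrb5 client on the machine, rpc.gssd included."""
    return sorted({k for s, k, _ in pkinit_scope(text) if s == "libdefaults"})


if __name__ == "__main__":
    for label, conf in (("post's config", GLOBAL_PKINIT_CONF),
                        ("realm-scoped variant", REALM_PKINIT_CONF)):
        print(f"{label}: host-wide pkinit keys = {global_pkinit_keys(conf)}")
        for section, key, value in pkinit_scope(conf):
            print(f"  [{section}] {key} = {value}")
```

Run it against a real /etc/krb5.conf by reading the file into `pkinit_scope`; any key it reports under [libdefaults] is in force for the machine-credential path that rpc.gssd walks in the log above, not only for interactive logins.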

