SV: pkinit and nfs

Douglas E. Engert deengert at anl.gov
Fri Oct 14 14:30:54 EDT 2011



On 10/14/2011 11:54 AM, Martinsson Patrik wrote:
> Hi Douglas,
>
> Thanks a bunch for the suggestion, i thought i tried it before, but with no success. However I thought I would give it one more try, so I added,
>
> preauth_options = X509_user_identity=PKCS11:/usr/lib/libiidp11.so
>
> to our appdefaults-pam-secition and it worked like a charm.
>
>
> I tried to do the same with an kinit-specific-section, but that didn't work. Im not sure how kinit reads the options, if I manually add "-X X509_user_identity=PKCS11:/usr/lib/libiidp11.so" to the commandline, it works as expected. I wonder though if its possible to make kinit work with options from the appdefaults-kinit-section, and if it is, how they should look in the configfile. Anyone knows this, or where I can find documentation about how kinit read options ?
>

Looks like kinit.c does not use the krb5_appsdefault() to get additional options,
This is a good case for why it should.

> To get pam working is kind of enough though, if the user specifically need to run kinit, he/she can add the option manually.
>
>
> /Patrik
>
>
>
> -----Ursprungligt meddelande-----
> Från: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] För Douglas E. Engert
> Skickat: den 14 oktober 2011 17:26
> Till: kerberos at mit.edu
> Ämne: Re: pkinit and nfs
>
>
>
> On 10/14/2011 3:56 AM, Martinsson Patrik wrote:
>> Hi everybody,
>>
>> We use pkinit and smartcard authentication at our company, we have
>> configured it as follows,
>>
>> =
>> /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = FOO.AD
>> clockskew = 300
>> forwardable = true
>> allow_weak_crypto     = true
>>
>> # Pkinit options
>> pkinit_identities   = PKCS11:/usr/lib/libiidp11.so
>> pkinit_anchors      = FILE:/etc/openldap/cacerts/ROOTCA.cer
>> pkinit_anchors      = FILE:/etc/openldap/cacerts/ISSUING.cer
>> pkinit_kdc_hostname = server.ad.foo
>> pkinit_eku_checking = kpServerAuth
>> pkinit_cert_match   = matchingrule
>> =
>>
>> The above config works as excepted.
>>
>> However, if we try to mount nfs with kerberos, with for example
>> following command, mount -t nfs4 -o sec=krb5 fs:/vol/ /nfstest/ the
>> rpc.gssd segfault's, and if you look in the log for it you will see,
>>
>> --
>> No key table entry found for XYZ$@FOO.AD<mailto:XYZ$@FOO.AD>   E while getting keytab entry for 'XYZ.FOO.AD $@FOO.AD'
>> No key table entry found for root/xyz.foo.ad at FOO.AD while getting keytab entry for 'root/foo.ad at FOO.AD'
>> Success getting keytab entry for 'nfs/xyz.foo.ad at FOO.AD'
>> Segmentation fault
>> --
>>
>>
>> If we remove the pkinit-options, the mount works like expected and you
>> will see something like this in the log for rpc.gssd,
>>
>> --
>> No key table entry found for XYZ$@FOO.AD<mailto:XYZ$@FOO.AD>   E while getting keytab entry for 'XYZ.FOO.AD $@FOO.AD'
>> No key table entry found for root/xyz.foo.ad at FOO.AD while getting keytab entry for 'root/foo.ad at FOO.AD'
>> Success getting keytab entry for 'nfs/xyz.foo.ad at FOO.AD'
>> Successfully obtained machine credentials for principal 'nfs/xyz.foo.ad at FOO.AD' stored in ccache 'FILE:/tmp/krb5cc_machine_FOO.AD'
>
>
> You may want to try and move the pkinit_identities to an appdefault section in the krb5.conf, for pam  or kinit or other application that can use pkinit.
>
>> --
>>
>>
>> So, basically my question is,
>>
>> How do I setup krb5.conf to get nfs not use pkinit, whilst when for example doing a regular "kinit" pkinit should be used.
>>
>> Am I missing something ?
>>
>> Any hints are more then welcome.
>> We are using RHEL 6.1 btw.
>>
>> Best regards,
>> Patrik Martinsson, Sweden.
>>
>>
>>
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list