SV: pkinit and nfs

[Martinsson Patrik]

kinit -t /etc/krb5-k
kinit: Client not found in Kerberos database while getting initial credentials

And kinit -k without pkinit_identities in libdefaults,
kinit -k 'COMPUTERNAME$@FOO.AD'
gives me a valid tgt.

And kinit -k with pkinit_identities in libdefaults,
kinit -k 'COMPUTERNAME$@FOO.AD'
Segmentation fault

We are not using opsc as the smartcardprovider, although I don't think the problem lies in there.


/Patrik


Från: Frank Cusack [mailto:frank at linetwo.net]
Skickat: den 17 oktober 2011 10:29
Till: Martinsson Patrik
Kopia: kerberos at mit.edu
Ämne: Re: pkinit and nfs

It'd be interesting to know what 'kinit -t' does.
On Mon, Oct 17, 2011 at 1:21 AM, Martinsson Patrik <patrik.martinsson at smhi.se<mailto:patrik.martinsson at smhi.se>> wrote:
Well yes, however if you add
  pkinit_identities   = PKCS11:path-to-smartcardlib
to the [libdefaults] section of your krb5.conf, the rpc.gssd will segfault.

In my world that means that rpc.gssd reads the pkinit-option in some way, but I'm not sure.

Best regards,
Patrik Martinsson, Sweden.





Från: Frank Cusack [mailto:frank at tenpedal.com<mailto:frank at tenpedal.com>]
Skickat: den 14 oktober 2011 20:04
Till: Martinsson Patrik
Kopia: kerberos at mit.edu<mailto:kerberos at mit.edu>
Ämne: Re: pkinit and nfs

On Fri, Oct 14, 2011 at 1:56 AM, Martinsson Patrik <patrik.martinsson at smhi.se<mailto:patrik.martinsson at smhi.se>> wrote:
How do I setup krb5.conf to get nfs not use pkinit, whilst when for example doing a regular "kinit" pkinit should be used.

"nfs", i.e. rpc.gssd, does not use pkinit ever.  It uses only a keytab.