kerberos & cron - specifically nfsv4 w/sec=krb5p
Frank Cusack
frank at linetwo.net
Tue Sep 18 13:52:45 EDT 2012
On Tue, Sep 18, 2012 at 9:42 AM, Matt Garman <matthew.garman at gmail.com>wrote:
> On Sat, Sep 15, 2012 at 8:12 PM, Frank Cusack <frank at linetwo.net> wrote:
> > man rpc.gssd.
>
> At least on my distro (CentOS 5), that man page is extremely terse.
>
At least it should tell you where to drop keytabs and how to name them so
that the daemon can pick them up.
If the server is also RH then the stuff about idmap is a red herring.
Linux treats all instances (/foo) as equivalent to the main principal for
NFS purposes. So as long as your principal names match your usernames, and
the server can lookup username->uid, as would normally be the case, then
you're good from that end.
> Another option is to allow the servers to mount via sys permission. Your
> > NFS server may or may not allow this kind of configuration.
>
> What do you mean by sys permission? Do you mean the old, pre-NFSv4
> style of IP-only "authentication"?
>
Yes, formally called AUTH_SYS.
That sounds like something I'd like. As I mentioned in my previous
> post, we want strict controls on mounting, and encrypted data streams.
>
I don't believe Linux NFS servers can do this (different auth types from
different locations). I might be wrong, I'm not 100% up to date on Linux.
It doesn't seem to be the case, at least not for me. CentOS 5 for
> client machines, and CentOS 6 for the server. Maybe this is my
> problem? Some subtle incompatibility between versions?
>
You're likely just not dropping the keytab into the right location and with
the right naming convention.
More information about the Kerberos
mailing list