kerberos & cron - specifically nfsv4 w/sec=krb5p

Matt Garman matthew.garman at gmail.com
Wed Sep 19 18:39:51 EDT 2012


At the risk of jinxing myself, I think I finally have this straightened out...

On Tue, Sep 18, 2012 at 9:17 PM, Frank Cusack <frank at linetwo.net> wrote:
> Does the server know it's in the realm MYDOMAIN.COM?

I assume the /etc/krb5.conf file is what tells a server what Kerberos
domain it's part of, right?  At least with MIT Kerberos (which I'm
using).  If so, then yes, that file was consistent across both clients
and servers.

However, while my Kerberos realm was set correctly, and my DNS
domainname was set correctly, my NIS domain name was *not* set (at
all).  I.e., running the command "dnsdomainname" returned
"mydomain.com", but running "domainname" returned an empty string.
Only today did I learn that the latter command is for NIS (I
previously assumed it was for DNS, and didn't even realize there was a
dnsdomainname command).

This was the same for both the server and client.  So the first step I
took to address this was to set the NIS domain name on all servers.
FYI, on Redhat-style systems, to make this persistent through reboots,
you add "NISDOMAIN=mydomain.com" to /etc/sysconfig/network.

Curious is that my /etc/idmapd.conf file includes "Domain =
mydomain.com" in the [General] section.  Apparently, that's not the
NIS domain.  :)

Next was to try and get the server to map "matt/cron" to "matt".

Originally, on the server, I had this in my [Translation] section of
/etc/idmapd.conf:

Method = nsswitch
GSS-Methods = static

And under [Static], I had:

matt/cron@MYDOMAIN.COM = matt

This worked only when I did a kinit as "matt/cron".  But it broke
"matt".  After a lot of hair-pulling, I changed the [Translation]
section of the server's idmapd.conf file to the following:

Method = nsswitch
GSS-Methods = nsswitch,static

Notice that I added "nsswitch" to the GSS-Methods line.  And so far, success!

What's also interesting is that, early on in this problem, I tried
having only this line:

Method = nsswitch,static

And no "GSS-Methods" line.  But with that, the idmapd daemon wouldn't
even start.

Now that I'm re-looking at the idmapd.conf manpage, I see that the
difference between "Method" and "GSS-Methods" is:

"Method" maps between NFSv4 names and local IDs
"GSS-Methods" maps between GSS Authenticated names and local IDs

So, I'll let this run for a while without touching anything, and make
sure some unseen cache effect doesn't break this.  I mostly understand
this now... but not to the point where I'd feel comfortable writing
any kind of formal documentation. :)

Anyway, thanks to everyone on the list for chiming in with helpful
suggestions.  I think I'd still be spinning my wheels without your
help!

-Matt
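As an added illustration (not part of Matt's mail, and not code from nfs-utils), here is a small Python model of the idmapd [Translation] method chain that reproduces the behaviour described above: with "GSS-Methods = static" only the [Static] entry resolves and plain "matt" falls through, while "nsswitch,static" resolves both principals. The first-hit-wins ordering, the in-memory passwd stand-in and the "nobody" fallback name are assumptions of this model.

```python
import configparser

# Constructed idmapd.conf fragment modelled on the working one from the mail.
IDMAPD_CONF = """
[General]
Domain = mydomain.com

[Translation]
Method = nsswitch
GSS-Methods = nsswitch,static

[Static]
matt/cron@MYDOMAIN.COM = matt
"""

# Constructed stand-in for the local passwd database (what getpwnam would see).
LOCAL_USERS = {"matt": 1000, "root": 0}


def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep case: principals and option names are case-sensitive
    cp.read_string(text)
    return cp


def with_gss_methods(text, chain):
    """Return a copy of the config with a different GSS-Methods line (for comparison)."""
    return text.replace("GSS-Methods = nsswitch,static", "GSS-Methods = " + chain)


def nsswitch(principal, conf, users):
    """nsswitch method: strip the realm, look the bare name up in passwd."""
    name = principal.split("@", 1)[0]
    return name if name in users else None


def static(principal, conf, users):
    """static method: look the full principal up in the [Static] section."""
    if conf.has_section("Static") and conf.has_option("Static", principal):
        return conf.get("Static", principal)
    return None


METHODS = {"nsswitch": nsswitch, "static": static}


def map_gss_principal(principal, conf, users=LOCAL_USERS):
    """Try each GSS-Methods entry in order; first hit wins (assumed model)."""
    chain = conf.get("Translation", "GSS-Methods", fallback="nsswitch")
    for method in (m.strip() for m in chain.split(",")):
        result = METHODS[method](principal, conf, users)
        if result is not None:
            return result
    return "nobody"  # assumed stand-in for idmapd's Nobody-User fallback
```

Run it against both variants of the config to see why "matt/cron" worked but "matt" broke under the static-only chain.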

