NFSv4
Jaap
jwinius at umrk.nl
Mon Sep 30 13:16:59 EDT 2013
On Mon, 30 Sep 2013 09:19:07 -0500, Matt Garman wrote:

> For the most part, I do use the default setup. That is, all my servers
> with secure NFSv4 mounts have in their /etc/krb5.keytab both
> "host/hostname@REALM" and "nfs/hostname@REALM" entries.

All I want for now is to know how to have NFSv4 access its encryption key
if it is stored in a keytab file other than /etc/krb5.keytab.

Perhaps I'm making a mountain out of a molehill, but I'm under the
impression that programs that read keytab files tend to stop after
processing the first entry (with perhaps multiple encryption types). NFSv4
may be different in this respect, but what would happen if later on the
nfs key ended up as the first in your /etc/krb5.keytab with the host keys
after? Then your automatic TGT refreshing mechanism (e.g. k5start) may
select "nfs/hostname@REALM" instead of "host/hostname@REALM", which could
be problematic.

A workaround would be to move the host keys to a different keytab file,
but I'd rather move the nfs key instead.

Cheers,
Jaap
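
The message above turns on the order in which entries sit in a keytab file. As an added example (not part of the original message or of any Kerberos project code), this Python parser reads the MIT keytab file layout, version 0x0502, and returns the principals in file order, so the position of the nfs and host entries can be checked. The host names, realm, key version numbers and all-zero keys in the sample are constructed.

```python
import struct

def _counted(buf, off):
    """Read a counted octet string: uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_entries(data):
    """Return [(principal, kvno, enctype), ...] in the order stored in the file."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:  # negative length marks a deleted slot (hole) to skip
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        # fixed fields: name type (4), timestamp (4), 8-bit kvno (1), enctype (2)
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)
        if end - p >= 4:  # optional 32-bit kvno supersedes the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, p)
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        off = end
    return out

def _entry(principal, kvno, etype, key):
    """Build one entry for the constructed sample below (dummy key bytes)."""
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(parts) - 1) + b"".join(map(cs, parts))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: nfs key first, then a deleted slot, then the host key.
SAMPLE = (b"\x05\x02" + _entry("nfs/server1.example.com@EXAMPLE.COM", 3, 18, bytes(32))
          + struct.pack(">i", -8) + bytes(8)
          + _entry("host/server1.example.com@EXAMPLE.COM", 2, 18, bytes(32)))
```

To inspect a real keytab, read the file in binary mode and pass its bytes to keytab_entries; the first tuple returned is the first entry in the file.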