NFSv4

Kevin Coffman kwc at umich.edu
Mon Sep 30 14:30:20 EDT 2013


There is an option to rpc.gssd (-k) that specifies which keytab file to
use...



On Mon, Sep 30, 2013 at 1:16 PM, Jaap <jwinius at umrk.nl> wrote:

> On Mon, 30 Sep 2013 09:19:07 -0500, Matt Garman wrote:
>
> > For the most part, I do use the default setup.  That is, all my servers
> > with secure NFSv4 mounts have in their /etc/krb5.keytab both
> > "host/hostname at REALM" and "nfs/hostname at REALM" entries.
>
> All I want for now is to know how to have NFSv4 access its encryption key
> if it is stored in a keytab file other than /etc/krb5.keytab.
>
> Perhaps I'm making a mountain out of a molehill, but I'm under the
> impression that programs that read keytab files tend to stop after
> processing the first entry (with perhaps multiple encryption types). NFSv4
> may be different in this respect, but what would happen if later on the
> nfs key ended up as the first in your /etc/krb5.keytab with the host keys
> after? Then your automatic TGT refreshing mechanism (e.g. k5start) may
> select "nfs/hostname at REALM" instead of "host/hostname at REALM", which could
> be problematic.
>
> A workaround would be to move the host keys to a different keytab file,
> but I'd rather move the nfs key instead.
>
> Cheers,
>
> Jaap
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 

Kevin Coffman
Office of Enabling Technologies
Medical School Information Services Learning Program
University of Michigan Medical School
517 917 0592 (google voice)
734 330 4706 (cell)
kwc at umich.edu

