NFSv4 cross-realm support

Jaap jwinius at umrk.nl
Wed Jul 2 09:53:12 EDT 2014


Hi folks,

Recently I've been working on cross-realm support to give my own realm, 
UMRK.NL, access to the services of a realm that I manage. All systems 
involved run Debian wheezy. So far, SSH, OpenLDAP, OpenAFS and Dovecot 
IMAP are all working properly this way, but NFSv4 with sec=krb5i is not; 
I keep getting "Permission denied" when attempting to read or write to 
any file or directory that is not globally accessible.

When the log output verbosity for rpc.gssd and rpc.svcgssd is increased 
about as far as it will go (-vvvvv), little is different when things go 
wrong, other than this one line produced by rpc.svcgssd on the server:

  nss_gss_princ_to_ids: Local-Realm 'UMRK.NL': NOT FOUND

However, even that seems a bit misleading, because the log output for 
rpc.idmapd (with Verbosity = 5) shows that the user and group IDs for my 
account are being identified properly.

Should I prepare a bug report for this issue, or does cross-realm support 
for NFSv4 require something extra?

Thanks,

Jaap


