How to use NFS with multiple principals in different realms?

Simo Sorce simo at redhat.com
Wed Sep 17 17:31:04 EDT 2014


On Wed, 17 Sep 2014 22:30:29 +0200
Cedric Blancher <cedric.blancher at gmail.com> wrote:

> On 17 September 2014 17:05, Simo Sorce <simo at redhat.com> wrote:
> > On Wed, 17 Sep 2014 13:20:19 +0200
> > Cedric Blancher <cedric.blancher at gmail.com> wrote:
> >
> >> What happens if there is no relation between KRB Realm names and
> >> FQDN/DNS? Can the NFS client find out which KRB Realm is used by
> >> the server?
> >
> > Depending on the environment you may have 1 or 2 ways.
> >
> > 1. add domain to realm mapping in the appropriate section in
> > krb5.conf on the client.
> > 2. allow the KDC to send back a referral (but not all clients will
> > ask their own KDC, some can do only 1).
> 
> But how can 1. help? Sure I can have my own krb5.conf but AFAIK
> rpc.gssd only looks at the system /etc/krb5.conf and not at any custom
> user defined location. Basically mount(8) would have to pass the
> location of the custom krb5.conf file to rpc.gssd to facilitate the
> mount, right?

A mount operation is a system-wide operation and requires privileges,
the system krb5.conf is what is used. Trusting a user provided
krb5.conf file for system level operations is not possible.

> I *think* we have a bigger problem here: Kerberos5 support in NFS
> appears to be designed around the philosophy of one realm per machine
> (one-to-rule-them-all) and not that a single user or machine has
> mounts from many different realms, right?

Wrong, the machine just needs to 'know' about multiple realms, and that
is done via domain_realm mappings; of course you can only have one
realm per DNS domain.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

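The following is an added illustration of the domain_realm mapping discussed in this thread; it is not code from the original post, from rpc.gssd or from libkrb5. The embedded krb5.conf, the realm names CORP.EXAMPLE and LAB-KRB, and every hostname in it are constructed for the example. The lookup order (an exact hostname entry first, then dotted-suffix entries from the longest suffix down) is this example's own implementation of the documented [domain_realm] semantics; the real library additionally asks the client's KDC for a referral when no entry matches, and finally falls back to the hostname's DNS domain in upper case.

```python
"""Map an NFS server's FQDN to its Kerberos realm via krb5.conf [domain_realm].

Added illustration for the thread above; it is not code from rpc.gssd or
libkrb5.  The embedded krb5.conf, the realm names CORP.EXAMPLE and LAB-KRB
and all hostnames are constructed for the example.
"""

# Constructed krb5.conf: two realms whose names have no relation to the DNS
# domains of the NFS servers, so the mapping has to be spelled out.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE
    dns_lookup_realm = false

[realms]
    CORP.EXAMPLE = {
        kdc = kdc1.corp.example.net
    }
    LAB-KRB = {
        kdc = kdc.lab.example.org
    }

[domain_realm]
    # A leading dot maps a whole DNS domain; a bare name maps one host.
    .corp.example.net = CORP.EXAMPLE
    corp.example.net = CORP.EXAMPLE
    .lab.example.org = LAB-KRB
    # One host inside lab.example.org that is served from the other realm.
    nfs-special.lab.example.org = CORP.EXAMPLE
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: value}} for plain key = value
    lines.  Brace-delimited blocks (the per-realm entries under [realms]) are
    skipped because only [libdefaults] and [domain_realm] matter here.
    A second [domain_realm] entry for the same key naming a different realm is
    rejected: a DNS domain can map to only one realm."""
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            depth = 0
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if current is None or depth > 0 or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if current == "domain_realm":
            key = key.lower()
            if key in sections[current] and sections[current][key] != value:
                raise ValueError(f"{key} already mapped to "
                                 f"{sections[current][key]}; one realm per DNS domain")
        sections[current][key] = value
    return sections


def realm_for_host(hostname, conf):
    """Return (realm, how) for a server hostname using [domain_realm].

    Lookup order used by this example, modelled on the documented semantics:
      1. an entry for the exact hostname;
      2. '.suffix' entries, longest matching suffix first;
      3. no entry: (None, "unmapped").  libkrb5 would then ask the client's
         KDC for a referral (option 2 in the reply above), which not every
         client does, and finally fall back to the DNS domain in upper case.
    """
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], "exact"
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], suffix
    return None, "unmapped"


def nfs_service_principal(hostname, conf):
    """Principal the client asks a ticket for when mounting from hostname."""
    realm, _ = realm_for_host(hostname, conf)
    if realm is None:
        raise LookupError(f"no [domain_realm] entry covers {hostname}; "
                          "add one or rely on a KDC referral")
    return f"nfs/{hostname.lower().rstrip('.')}@{realm}"


CONF = parse_krb5_conf(SAMPLE_KRB5_CONF)

if __name__ == "__main__":
    for server in ("nfs1.corp.example.net", "storage.lab.example.org",
                   "nfs-special.lab.example.org", "nfs.other.example.com"):
        realm, how = realm_for_host(server, CONF)
        print(f"{server:30} -> {realm or '(no mapping)'}  via {how}")
```

Running the block shows the point of the reply: one system krb5.conf lets the same client reach NFS servers in two realms, because each DNS domain (or individual host) is mapped to exactly one realm; a server in a domain with no entry yields no realm locally, which is where the KDC referral path, or a further domain_realm entry, is needed.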
