Switching identity using kinit/kdestroy for NFSv4 mounts doesn't work
Brandon Allbery
ballbery at sinenomine.net
Fri Mar 13 10:05:15 EDT 2015
On Fri, 2015-03-13 at 14:55 +0100, Robert Wehn wrote:
> There is a bug report/suggested patch which seems to make it possible
> but never seemed to get into the kernel:
> http://www.spinics.net/lists/linux-nfs/msg34236.html
>
> What is your opinion on this behavior?
> Do you think this is reasonable from a Kerberos point of view, or do you
> also think this needs to be changed?
This isn't Kerberos's fault, but NFS's; it's how it avoids having token
management like AFS uses (extra aklog step to register ticket with
filesystem and unlog to deregister it). Personally, I prefer AFS's way
of dealing with it; the whole business about snooping ticket caches and
caching its own private copy is concerning security-wise and seems like
it would easily become confused.
--
brandon s allbery kf8nh sine nomine associates
allbery.b at gmail.com ballbery at sinenomine.net
unix openafs kerberos infrastructure xmonad http://sinenomine.net