Hello!

On Fri, Mar 02, 2007 at 08:51:51PM +0200, Timo Aaltonen wrote:
> On Fri, 2 Mar 2007, Steinar H. Gunderson wrote:
>
> >On Fri, Mar 02, 2007 at 05:36:31PM +0100, Philipp Matthias Hahn wrote:
> >>The patch 11-root-on-krb5-mounts.patch breaks backward compatibility
> >>with nfs-servers <= 1.0.10 when using Kerberos5 with NFSv4!
> >
> >That's a different bug, really...
> >
> >>rpc.gssd[5012]: ERROR: No usable keytab entries found in keytab
> >>'/etc/krb5.keytab'
> >>rpc.gssd[5012]: Do you have a valid keytab entry for
> >>root/<your.host>@<YOUR.REALM> in keytab file /etc/krb5.keytab ?
> >>rpc.gssd[5012]: Continuing without (machine) credentials - nfs4 mounts
> >>with Kerberos will fail
> >>
> >>No, I don't have "root/[EMAIL PROTECTED]", but
> >>"nfs/[EMAIL PROTECTED]" which is working fine between an
> >>etch-server and an etch-client. But the sid-client is no longer able to
> >>mount.
> >
> >Timo, as the original patch submitter, do you have any suggestions here?
> >Should I just drop the patch, or is there something else to do?
>
> You can drop it for now. Kevin Coffman hasn't replied to our further
> inquiries, and this needs upstream blessing to be sure. It's a pity that
> current implementation lacks this feature which is a blocker for us, so
> we'll keep keeping our own package in the future as well :)
>
> root-principal is used at least by Solaris, but since Linux is still in
> the mid-90's with regards to kerberos-usage this needs some upstream work,
> hopefully sooner than later.

I'm new to Kerberos5 and NFSv4 too. So I read some HOWTOs and was glad
when my first NFSv4 mount using Kerberos worked. I was using two
Debian-etch boxes and everything was fine. Then I tried it from my
private Debian development box running sid and suddenly it wasn't
working when I did exactly the same thing as I did on those etch boxes.
Naturally, looking at the package version difference put me on the road
to the above-mentioned patch. Since I'm no professional with Kerberos5
and NFSv4, I reposted to the existing patch and didn't open a new one.

> ps. Philipp, I guess you won't be using sudo much :)

No, I don't plan to use sudo, but replacing that NFSv3 thing with
something more secure is really what I want to do. After reading the
Debian bug report, I tried to get sudo working too, but it didn't work.
(no_root_squash in the server's /etc/exports, kinit root on the client?)
But before continuing in that direction, I think I have to learn some
more on how it is supposed to work and what your patch really does.

Sincerely
Philipp
-- 
Philipp Matthias Hahn <[EMAIL PROTECTED]>
GPG/PGP: 9A540E39 @ keyrings.debian.org