Re: Kerberos TGT and NFS

2012-02-04 Thread Andreas B. Mundt
Hi Giorgio,

On Sat, Feb 04, 2012 at 10:17:23AM +0100, Giorgio Pioda wrote:

> I got Ubuntu running, nice. But IMHO it shouldn't. I don't understand
> the black magic I've produced by myself, about the nfs/client kerberos
> granting.
> 
> I didn't copy nor generate any krb5.keytab for the nfs/client and
> despite this fact nfs works.
> 
> How is the TGT nfs working? Is the keytab stored in LDAP? In this latter case
> I fear that a MAC spoof would lead to unattended mounting of clients that are
> not acknowledged.
> 
> Do you have an explanation, a reference link?
> 

Skolelinux doesn't use kerberized NFSv4 yet.  There is no mechanism
available to create and copy the keytabs.  Perhaps this can be done
with a GOsa hook, however then the client needs to be available to scp
the keytab ...

However, you might be able to switch kerberization on by doing the
above manually and removing the sec=sys part in /etc/exports of the
mainserver.

Regards,

Andi


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120204093014.GC5149@fuzi
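
The reply above names the sec=sys option in /etc/exports as the setting that keeps the mainserver's exports un-kerberized, which is why a client mounts without any keytab. As an added example (not part of the original thread, and not Skolelinux code), this shell function audits an exports file and reports which client entries can still mount without Kerberos; the function names, paths and host names are constructed, and it assumes the exports(5) default of sec=sys when no sec= option is given.

```shell
#!/bin/sh
# audit_exports FILE
# Prints one line per export/client pair: "<path> <client> <flavors> <verdict>".
# verdict is KRB5_ONLY when every allowed flavor is krb5, krb5i or krb5p,
# otherwise NON_KRB5 (sec=sys, sec=none, or no sec= option at all).
# Simplifications: continuation lines ("\") are not joined, and only the
# last sec= option of a client entry is considered.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        if (NF == 1) { print path, "*", "sys", "NON_KRB5"; next }
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\).*$/, "", opts)
            }
            if (client == "") client = "*"   # "(opts)" alone means any host
            flavors = "sys"                  # default when sec= is absent
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) flavors = substr(o[j], 5)
            verdict = "KRB5_ONLY"
            m = split(flavors, f, ":")
            for (j = 1; j <= m; j++)
                if (f[j] !~ /^krb5[ip]?$/) verdict = "NON_KRB5"
            print path, client, flavors, verdict
        }
    }' "$1"
}

# Constructed sample input, not taken from a real mainserver.
sample_exports() {
    cat <<'EOF'
# constructed example
/srv/home   *(rw,sync,sec=sys)
/srv/krb    10.0.0.0/8(rw,sec=krb5p) backup.intern(ro,sec=krb5i:sys)
/srv/plain  10.0.0.0/8(rw,sync)
EOF
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then audit_exports "$1"; fi
```

Any line reported as NON_KRB5 is an export a client can mount with no keytab, which matches the behaviour described in the question.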



Kerberos TGT and NFS

2012-02-04 Thread Giorgio Pioda
Hi,

I got Ubuntu running, nice. But IMHO it shouldn't. I don't understand
the black magic I've produced by myself, about the nfs/client kerberos
granting.

I didn't copy nor generate any krb5.keytab for the nfs/client and
despite this fact nfs works.

How is the TGT nfs working? Is the keytab stored in LDAP? In this latter case
I fear that a MAC spoof would lead to unattended mounting of clients that are
not acknowledged.

Do you have an explanation, a reference link?

Thanks

Giorgio 
-- 
Sysadmin SPSE-Tenero
Ufficio:   +41 91 735 62 48 
Cellulare: +41 79 629 20 63

