Re: Kerberos API - enhancing program to *force* authentication

Hi Russ, thank you for the (as always) very helpful and detailed reply... a few follow-up comments: On Wed, Feb 3, 2016 at 4:47 PM, Russ Allbery wrote: > You'll want to either perform just the authentication calls without saving > the resulting cache or use a separate cache (by

Kerberos API - enhancing program to *force* authentication

I'd like to integrate Kerberos into an existing application. In particular, when this application performs certain operations, I want to explicitly force the user to re-authenticate. To be clear, the user will generally already have a valid Kerberos ticket. Despite that, I want to force him to

klist versus rpc.gssd

We're using NFSv4 with the sec=krb5p option for secure user home directories. This is on CentOS (RHEL) Linux, mixed 6.5 and 5.7 releases. Kerberos flavor is MIT. The other day, a user was getting Permission denied errors on the entirety of the secure NFS mount. Running klist showed he had a

Re: nfsv4 sec=krb5p and user impersonation

Hi Bryce, thanks for your help. I am unable to duplicate your scenario... On Tue, Sep 9, 2014 at 6:44 PM, Nordgren, Bryce L -FS bnordg...@fs.fed.us wrote: 1] I sftp'ed to my fileserver (CentOS 7 + sssd + kerberos5 to active directory). This involved an AS exchange and the creation of a ticket

nfsv4 sec=krb5p and user impersonation

I'm trying to understand the nuances of how user authentication works with NFSv4 using the sec=krb5p (or presumably any krb5 sec option). In particular, I am concerned about user impersonation. Here's a situation which hopefully better explains the scenario: Say there are a bunch of NFSv4

Re: nfsv4 sec=krb5p and user impersonation

On Tue, Sep 9, 2014 at 5:22 PM, Cedric Blancher cedric.blanc...@gmail.com wrote: I think part of the problem is that you are using Linux (SLES, RHEL or Centos doesn't matter), and the Linux NFS client implementation does not support negotiation for the authentication in violation of RFC 3530.

credentials caching mechanism, ssh gssapi-with-mic

We use an internally developed job-dispatching system, which is implicitly built on Kerberos. Jobs are basically dispatched via “ssh servername command”. Furthermore, the jobs need to access NFSv4 shares mounted with the “sec=krb5p” option. To facilitate this, the ssh client and daemon need to

Re: NFSv4 and root access

On Tue, Jun 3, 2014 at 9:23 AM, Jaap jwin...@umrk.nl wrote: On Fri, 30 May 2014 10:57:45 -0500, Matt Garman wrote: ... Then under the [Static] section of idmapd.conf (on the nfsv4 server), I have: matt/cron@REALM = matt For my site, this would mean that the idmapd.conf on every workstation

Re: NFSv4 and root access

On Tue, Jun 3, 2014 at 10:57 AM, Jaap jwin...@umrk.nl wrote: On Tue, 03 Jun 2014 10:08:29 -0500, Matt Garman wrote: ... on my nfs client machines (which is several dozen), I haven't even touched the /etc/idmapd.conf file. That's interesting. However, my experience is that if I don't run

Re: NFSv4 and root access

On Fri, May 30, 2014 at 9:19 AM, Jaap jwin...@umrk.nl wrote: Recently I got NFSv4 to work together with Kerberos (gss/krb5i or gss/ krb5p) on Debian wheezy, but there's a problem. It has to do with exports with no_root_squash option; when attempting to allow root on the clients to write to

Re: NFSv4

I have some experience with NFSv4 + Kerberos. What exactly are you trying to accomplish? For the most part, I do use the default setup. That is, all my servers with secure NFSv4 mounts have in their /etc/krb5.keytab both host/hostname@REALM and nfs/hostname@REALM entries. I might be able to

Re: NFSv4

On Mon, Sep 30, 2013 at 12:16 PM, Jaap jwin...@umrk.nl wrote: On Mon, 30 Sep 2013 09:19:07 -0500, Matt Garman wrote: For the most part, I do use the default setup. That is, all my servers with secure NFSv4 mounts have in their /etc/krb5.keytab both host/hostname@REALM and nfs/hostname

Re: Max renewable lifetime issues

On Wed, Mar 13, 2013 at 4:47 AM, Tiago Elvas tiagoel...@gmail.com wrote: I am having a problem in my system which I do not understand why it's happening. Firstly, I have a KDC running on a RedHat 5.7 machine. I have the parameter maximum_renewable_life as 5000days in kdc.conf and krb5.conf.

Re: kerberos cron - specifically nfsv4 w/sec=krb5p

At the risk of jinxing myself, I think I finally have this straightened out... On Tue, Sep 18, 2012 at 9:17 PM, Frank Cusack fr...@linetwo.net wrote: Does the server know it's in the realm MYDOMAIN.COM? I assume the /etc/krb5.conf file is what tells a server what Kerberos domain it's part of,

Re: kerberos cron - specifically nfsv4 w/sec=krb5p

Can you elaborate a bit on why, if done on the client side, it defeats the NFSv4 security model? (Honest question, no doubting your statement.) Well, one of the primary drivers of NFSv4 is the security aspect of not allowing root on a client to impersonate anyone w/o access to credentials.

Re: kerberos cron - specifically nfsv4 w/sec=krb5p

On Sat, Sep 15, 2012 at 8:12 PM, Frank Cusack fr...@linetwo.net wrote: man rpc.gssd. At least on my distro (CentOS 5), that man page is extremely terse. Another option is to allow the servers to mount via sys permission. Your NFS server may or may not allow this kind of configuration. What

Re: kerberos cron - specifically nfsv4 w/sec=krb5p

On Tue, Sep 18, 2012 at 12:52 PM, Frank Cusack fr...@linetwo.net wrote: At least it should tell you where to drop keytabs and how to name them so that the daemon can pick them up. [...] You're likely just not dropping the keytab into the right location and with the right naming convention.

Re: kerberos cron - specifically nfsv4 w/sec=krb5p

On Tue, Sep 18, 2012 at 3:20 PM, Frank Cusack fr...@linetwo.net wrote: Since you are initializing the ccache in the crontab itself, first of all make sure your kinit command is placing the ccache in the correct (for gssd) location. If that's fine (log the output of klist somewhere to be sure)

Re: kerberos cron - specifically nfsv4 w/sec=krb5p

On Tue, Sep 11, 2012 at 9:21 PM, Booker Bense bbe...@gmail.com wrote: On Tue, Sep 11, 2012 at 12:32 PM, Russ Allbery r...@stanford.edu wrote: Either NFS doesn't understand matt/cron as a user, or the local daemon that handles user credentials can't find the tickets. I believe you do have to

kerberos cron - specifically nfsv4 w/sec=krb5p

Hi, I have a server farm where all servers mount an NFSv4 share using the sec=krb5p option. What I'd like is for users to be able to access this share in automated jobs that are run via cron. I saw that there is a FAQ on this: http://www.faqs.org/faqs/kerberos-faq/general/section-61.html#b But

Re: kerberos and remote job scheduling/dispatching/perl fork()

On Wed, Aug 22, 2012 at 10:07 AM, Booker Bense bbe...@gmail.com wrote: On Fri, Aug 17, 2012 at 11:21 AM, Matt Garman matthew.gar...@gmail.com wrote: We have a simple, home-grown Perl-based job dispatching system. It's basically a per-user daemon that listens on a socket for job requests

kerberos and remote job scheduling/dispatching/perl fork()

We have a simple, home-grown Perl-based job dispatching system. It's basically a per-user daemon that listens on a socket for job requests. When it gets a request, it calls fork() to dispatch the job. What we've found is that the fork()'ed jobs are getting permission denied on NFSv4 mounts

longer ticket life vs auto renew

We have a situation where users stay logged on for literally days or even weeks at a time for very long-running simulation jobs. So the default max ticket life of one day isn't really appropriate for us. It seems that there are two solutions to this dilemma: (1) a much longer max ticket life or

Re: ssh gssapi-with-mic and Key table entry not found

On Tue, Aug 7, 2012 at 11:40 PM, Greg Hudson ghud...@mit.edu wrote: On 08/07/2012 01:23 PM, Matt Garman wrote: [root@lnxsvr11 ~]# grep 192.168.187.67 /etc/hosts 192.168.187.67 lnxsvr11.mydomain.com lnxsvr11 [root@lnxsvr11 ~]# grep lnxsvr11\. /etc/hosts 192.168.187.67

ssh gssapi-with-mic and Key table entry not found

Hi, I'm trying to get ssh working using gssapi-with-mic authentication. I have about 40 machines running CentOS 5.7. (My bigger goal is to use NFSv4 mounts with krb5p security. All these machines mount the same NFSv4 share (think home directories) so my users need to be able to forward their

Re: ssh gssapi-with-mic and Key table entry not found

On Tue, Aug 7, 2012 at 12:49 PM, Simo Sorce s...@redhat.com wrote: What does the 'hostname' command return on your machine ? Simo. [root@lnxsvr11 ~]# hostname lnxsvr11 [root@lnxsvr11 ~]# hostname -s lnxsvr11 [root@lnxsvr11 ~]# hostname -f lnxsvr11.mydomain.com -Matt

Re: ssh gssapi-with-mic and Key table entry not found

On Tue, Aug 7, 2012 at 1:21 PM, Simo Sorce s...@redhat.com wrote: On Tue, 2012-08-07 at 12:58 -0500, Matt Garman wrote: On Tue, Aug 7, 2012 at 12:49 PM, Simo Sorce s...@redhat.com wrote: What does the 'hostname' command return on your machine ? [root@lnxsvr11 ~]# hostname lnxsvr11 [root