Hi Russ, thank you for the (as always) very helpful and detailed
reply... a few follow-up comments:
On Wed, Feb 3, 2016 at 4:47 PM, Russ Allbery wrote:
> You'll want to either perform just the authentication calls without saving
> the resulting cache or use a separate cache (by
I'd like to integrate Kerberos into an existing application. In
particular, when this application performs certain operations, I want
to explicitly force the user to re-authenticate. To be clear, the
user will generally already have a valid Kerberos ticket. Despite
that, I want to force him to
We're using NFSv4 with the sec=krb5p option for secure user home
directories. This is on CentOS (RHEL) Linux, mixed 6.5 and 5.7
releases. Kerberos flavor is MIT.
The other day, a user was getting Permission denied errors on the
entirety of the secure NFS mount.
Running klist showed he had a
Hi Bryce, thanks for your help. I am unable to duplicate your scenario...
On Tue, Sep 9, 2014 at 6:44 PM, Nordgren, Bryce L -FS
bnordg...@fs.fed.us wrote:
1] I sftp'ed to my fileserver (CentOS 7 + sssd + kerberos5 to active
directory). This involved an AS exchange and the creation of a ticket
I'm trying to understand the nuances of how user authentication works
with NFSv4 using the sec=krb5p (or presumably any krb5 sec option).
In particular, I am concerned about user impersonation.
Here's a situation which hopefully better explains the scenario:
Say there are a bunch of NFSv4
On Tue, Sep 9, 2014 at 5:22 PM, Cedric Blancher
cedric.blanc...@gmail.com wrote:
I think part of the problem is that you are using Linux (SLES, RHEL or
Centos doesn't matter), and the Linux NFS client implementation does
not support negotiation for the authentication in violation of RFC
3530.
We use an internally developed job-dispatching system, which is
implicitly built on Kerberos. Jobs are basically dispatched via “ssh
servername command”. Furthermore, the jobs need to access NFSv4
shares mounted with the “sec=krb5p” option. To facilitate this, the
ssh client and daemon need to
On Tue, Jun 3, 2014 at 9:23 AM, Jaap jwin...@umrk.nl wrote:
On Fri, 30 May 2014 10:57:45 -0500, Matt Garman wrote:
... Then under the [Static] section of idmapd.conf
(on the nfsv4 server), I have:
matt/cron@REALM = matt
For my site, this would mean that the idmapd.conf on every workstation
On Tue, Jun 3, 2014 at 10:57 AM, Jaap jwin...@umrk.nl wrote:
On Tue, 03 Jun 2014 10:08:29 -0500, Matt Garman wrote:
... on my nfs client machines (which is several dozen), I
haven't even touched the /etc/idmapd.conf file.
That's interesting. However, my experience is that if I don't run
On Fri, May 30, 2014 at 9:19 AM, Jaap jwin...@umrk.nl wrote:
Recently I got NFSv4 to work together with Kerberos (gss/krb5i or gss/
krb5p) on Debian wheezy, but there's a problem. It has to do with exports
with no_root_squash option; when attempting to allow root on the
clients to write to
I have some experience with NFSv4 + Kerberos. What exactly are you trying
to accomplish?
For the most part, I do use the default setup. That is, all my servers
with secure NFSv4 mounts have in their /etc/krb5.keytab both
host/hostname@REALM and nfs/hostname@REALM entries.
I might be able to
On Mon, Sep 30, 2013 at 12:16 PM, Jaap jwin...@umrk.nl wrote:
On Mon, 30 Sep 2013 09:19:07 -0500, Matt Garman wrote:
For the most part, I do use the default setup. That is, all my servers
with secure NFSv4 mounts have in their /etc/krb5.keytab both
host/hostname@REALM and nfs/hostname
On Wed, Mar 13, 2013 at 4:47 AM, Tiago Elvas tiagoel...@gmail.com wrote:
I am having a problem in my system which I do not understand why it's
happening.
Firstly, I have a KDC running on a RedHat 5.7 machine. I have the parameter
maximum_renewable_life as 5000days in kdc.conf and krb5.conf.
At the risk of jinxing myself, I think I finally have this straightened out...
On Tue, Sep 18, 2012 at 9:17 PM, Frank Cusack fr...@linetwo.net wrote:
Does the server know it's in the realm MYDOMAIN.COM?
I assume the /etc/krb5.conf file is what tells a server what Kerberos
domain it's part of,
Can you elaborate a bit on why, if done on the client side, it defeats
the NFSv4 security model? (Honest question, no doubting your
statement.)
Well, one of the primary drivers of NFSv4 is the security aspect of
not allowing
root on a client to impersonate anyone w/o access to credentials.
On Sat, Sep 15, 2012 at 8:12 PM, Frank Cusack fr...@linetwo.net wrote:
man rpc.gssd.
At least on my distro (CentOS 5), that man page is extremely terse.
Another option is to allow the servers to mount via sys permission. Your
NFS server may or may not allow this kind of configuration.
What
On Tue, Sep 18, 2012 at 12:52 PM, Frank Cusack fr...@linetwo.net wrote:
At least it should tell you where to drop keytabs and how to name them so
that the daemon can pick them up.
[...]
You're likely just not dropping the keytab into the right location and with
the right naming convention.
On Tue, Sep 18, 2012 at 3:20 PM, Frank Cusack fr...@linetwo.net wrote:
Since you are initializing the ccache in the crontab itself, first of all
make sure your kinit command is placing the ccache in the correct (for gssd)
location. If that's fine (log the output of klist somewhere to be sure)
On Tue, Sep 11, 2012 at 9:21 PM, Booker Bense bbe...@gmail.com wrote:
On Tue, Sep 11, 2012 at 12:32 PM, Russ Allbery r...@stanford.edu wrote:
Either NFS doesn't understand matt/cron as a user, or the local daemon
that handles user credentials can't find the tickets. I believe you do
have to
Hi,
I have a server farm where all servers mount an NFSv4 share using the
sec=krb5p option. What I'd like is for users to be able to access
this share in automated jobs that are run via cron.
I saw that there is a FAQ on this:
http://www.faqs.org/faqs/kerberos-faq/general/section-61.html#b
But
On Wed, Aug 22, 2012 at 10:07 AM, Booker Bense bbe...@gmail.com wrote:
On Fri, Aug 17, 2012 at 11:21 AM, Matt Garman matthew.gar...@gmail.com
wrote:
We have a simple, home-grown Perl-based job dispatching system. It's
basically a per-user daemon that listens on a socket for job requests
We have a simple, home-grown Perl-based job dispatching system. It's
basically a per-user daemon that listens on a socket for job requests.
When it gets a request, it calls fork() to dispatch the job.
What we've found is that the fork()'ed jobs are getting permission
denied on NFSv4 mounts
We have a situation where users stay logged on for literally days or
even weeks at a time for very long-running simulation jobs. So the
default max ticket life of one day isn't really appropriate for us.
It seems that there are two solutions to this dilemma: (1) a much
longer max ticket life or
On Tue, Aug 7, 2012 at 11:40 PM, Greg Hudson ghud...@mit.edu wrote:
On 08/07/2012 01:23 PM, Matt Garman wrote:
[root@lnxsvr11 ~]# grep 192.168.187.67 /etc/hosts
192.168.187.67 lnxsvr11.mydomain.com lnxsvr11
[root@lnxsvr11 ~]# grep lnxsvr11\. /etc/hosts
192.168.187.67
Hi,
I'm trying to get ssh working using gssapi-with-mic authentication. I have
about 40 machines running CentOS 5.7. (My bigger goal is to use NFSv4
mounts with krb5p security. All these machines mount the same NFSv4 share
(think home directories) so my users need to be able to forward their
On Tue, Aug 7, 2012 at 12:49 PM, Simo Sorce s...@redhat.com wrote:
What does the 'hostname' command return on your machine ?
Simo.
[root@lnxsvr11 ~]# hostname
lnxsvr11
[root@lnxsvr11 ~]# hostname -s
lnxsvr11
[root@lnxsvr11 ~]# hostname -f
lnxsvr11.mydomain.com
-Matt
On Tue, Aug 7, 2012 at 1:21 PM, Simo Sorce s...@redhat.com wrote:
On Tue, 2012-08-07 at 12:58 -0500, Matt Garman wrote:
On Tue, Aug 7, 2012 at 12:49 PM, Simo Sorce s...@redhat.com wrote:
What does the 'hostname' command return on your machine ?
[root@lnxsvr11 ~]# hostname
lnxsvr11
[root
27 matches
Mail list logo