Well, not exactly.
rpc.gssd (i.e. the NFS client side) does need a TGT. A Kerberized NFS server (i.e. 
rpc.svcgssd) is just happy with the ServicePrincipal.

Historically, rpc.gssd only supported "nfs/fqdn" UserPrincipal names. Later on, 
someone from the nfs-utils maintainers noticed that some people use secure NFS with 
an M$ based KDC - and hence added support for the "client$" UPN.
This is nice, but as John noticed, this support is far from being ideal :)

To make the long story short, you have 3 options now:
1. Have the nfs-utils maintainers fix this bug for you :)
2. Use a short hostname
3. Define the UserServicePrincipal computer attribute in AD and add something like 
"nfs/fqdn". This will allow gssd to obtain a TGT using that principal.

Ondrej
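The distinction the thread draws, service principals (host/fqdn, nfs/fqdn) that cannot obtain a TGT versus the machine account (SHORT$) that can, and the way rpc.gssd's choice depends on what `hostname -s` returns, can be checked against a client's keytab. The script below is an added example, not code from the thread or from nfs-utils: it parses a constructed `klist -k` listing (placeholder hostnames and realm), classifies each principal, and reports whether the machine account present in the keytab matches the short hostname the client actually uses. The rule that rpc.gssd falls back to the `SHORT$` account, and that `nfs/fqdn` only yields a TGT once it is registered as a UPN in AD, is taken from the messages above; the functions and names are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the thread): classify keytab principals and
# check the machine-account / short-hostname match that rpc.gssd relies on.

# Constructed `klist -k` output for a hypothetical client; names are placeholders.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM
   2 host/CLIENT@EXAMPLE.COM
   2 CLIENT$@EXAMPLE.COM
   2 nfs/client.example.com@EXAMPLE.COM'

# list_principals LISTING: print the principal column, one per line, deduplicated.
# Only rows whose first field is a numeric KVNO are keytab entries.
list_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# principal_kind PRINCIPAL: "service" for name/host@REALM entries, which can
# authenticate a service but cannot kinit; "machine" for the AD computer
# account NAME$@REALM, which can obtain a TGT; "user" for anything else.
principal_kind() {
    case "$1" in
        */*)    echo service ;;
        *'$@'*) echo machine ;;
        *)      echo user ;;
    esac
}

# machine_account_principal LISTING SHORTHOST: print the machine-account
# principal matching SHORTHOST (AD stores the account name upper-cased, assumed
# here), exit 1 if the keytab holds none for that short name.
machine_account_principal() {
    short=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    list_principals "$1" | grep -F "$short"'$@'
}

# diagnose LISTING FQDN SHORTHOST: one-line verdict per principal, then the
# TGT situation for this client as the thread describes it.
diagnose() {
    listing=$1; fqdn=$2; short=$3
    echo "== keytab principals for $fqdn =="
    list_principals "$listing" | while IFS= read -r p; do
        echo "$(principal_kind "$p")  $p"
    done
    if acct=$(machine_account_principal "$listing" "$short"); then
        echo "OK: rpc.gssd can obtain a TGT with $acct (hostname -s = $short)"
    else
        echo "WARN: no machine account for '$short' in keytab;"
        echo "      rpc.gssd cannot get a TGT unless nfs/$fqdn is registered as a UPN in AD"
    fi
}

# Case 1: short hostname matches the joined account name.
diagnose "$KEYTAB_LISTING" client.example.com client
# Case 2: the host was renamed after joining; hostname -s no longer matches.
diagnose "$KEYTAB_LISTING" client.example.com client-nfs
```

Run it as-is to see both outcomes; on a real client replace `KEYTAB_LISTING` with `$(klist -k)` and the hostnames with `$(hostname)` and `$(hostname -s)`. The second case is the situation Ondrej's option 2 addresses: the keytab is fine, but the machine account in it no longer corresponds to the short hostname rpc.gssd derives.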

________________________________________
From: [email protected] 
[[email protected]] on behalf of John Hodrien 
[[email protected]]
Sent: Wednesday, February 12, 2014 11:01 AM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)

On Wed, 12 Feb 2014, Longina Przybyszewska wrote:

> Am I missing something in getting the point here:
>
> If there is a key for the principal 'host/[email protected]' in the
> local /etc/krb5.keytab -
>
> why are there no credentials in the Kerberos database?

ServicePrincipal vs UserPrincipal.  In AD, you can add as many service
principals as you like (net ads keytab add blah), but these are only useful
for services, as they can't get a Ticket Granting Ticket.  NFS is unusual in
needing a tgt.  So you have ones like host/fqdn which can be used by ssh.  You
get one user principal for free with AD, which is 'shorthostname$'.  That can
generate a TGT (i.e. you can use kinit with it).  You're allowed one other,
which you can generate with samba via 'net ads join
createupn='something/fqdn'.  This can be useful for services that need it,
that don't know to use the other one.  So you can use that with nfs to make it
all happy that way, by making the nfs/fqdn principal able to request a tgt.

> Is this because, for the NFS4 service the machine asks for, there is a need for
> credentials for the machine principal, the one ending with “$”, and rpc.gssd
> asks about [email protected] instead of [email protected],
> and that question depends on what ‘hostname’ returns?

hostname should always return the full hostname, and hostname -s should return
the short host name.  I'd really not change that to fix this problem.

jh
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users