Re: Strange rpc.svcgssd behavior

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jim Rees <rees@umich.edu>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Valentijn Sessink <valentyn@blub.net>,
	Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: Strange rpc.svcgssd behavior
Date: Tue, 16 Nov 2010 15:54:36 -0500	[thread overview]
Message-ID: <20101116205436.GA4595@merit.edu> (raw)
In-Reply-To: <577C5BE5-DB69-48E2-9E99-26ACE90C96BF@oracle.com>

Chuck Lever wrote:

  Before we go too far down the NM path of no return, I was under the
  impression that some applications require the host's name on the localhost
  entries in /etc/hosts.  That's why NM puts it there.

  There's nothing invalid about having a hostname on the localhost entries
  in /etc/hosts, is there?

  So I wonder if removing NM is really the solution here.

No, it's not.  I just like to complain about NM.

The original problem was that rpc.svcgssd couldn't figure out the correct
kerberos realm.  The fix in this particular case, I think, is to set the
realm explicitly in /etc/idmapd.conf.

But a more general problem is that if you don't set a realm in
/etc/idmapd.conf, the fallback is to whatever is returned by gethostname().
Shouldn't the fallback be to what is in krb5.conf?

In general, I think it's a mistake to assume that a host's security realm is
the same as its dns domain, especially given host mobility, the lack of
security in dns, and the existence of other methods (krb5.conf) to determine
the security realm.

next prev parent reply	other threads:[~2010-11-16 20:54 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-11-15 17:39 Strange rpc.svcgssd behavior Chuck Lever
2010-11-16 15:58 ` Valentijn Sessink
2010-11-16 19:44   ` Valentijn Sessink
2010-11-16 20:17     ` Jim Rees
2010-11-16 20:22       ` Chuck Lever
2010-11-16 20:54         ` Jim Rees [this message]
2010-11-16 21:41           ` J. Bruce Fields
2010-11-16 21:42           ` Chuck Lever
2010-11-17 15:18             ` Steve Dickson
2010-11-17 15:30               ` Chuck Lever
2010-11-17 15:54                 ` Kevin Coffman
2010-11-17 16:05                   ` Chuck Lever
2010-11-17 16:26                     ` Kevin Coffman
2010-11-17 17:51                       ` Chuck Lever
2010-11-17 18:52                         ` Valentijn Sessink
2010-11-17 16:15                   ` Valentijn Sessink

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20101116205436.GA4595@merit.edu \
    --to=rees@umich.edu \
    --cc=chuck.lever@oracle.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=valentyn@blub.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.