From: Steve Dickson <SteveD@redhat.com>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Timo Aaltonen <timo.aaltonen@aalto.fi>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH] Support AD style kerberos automatically in rpc.gss
Date: Thu, 06 Jan 2011 08:12:02 -0500
Message-ID: <4D25BFA2.9060002@RedHat.com>
In-Reply-To: <20110104213207.GA1211@obsidianresearch.com>



On 01/04/2011 04:32 PM, Jason Gunthorpe wrote:
> On Thu, Dec 23, 2010 at 12:55:16PM +0200, Timo Aaltonen wrote:
>> On Wed, 22 Dec 2010, Jason Gunthorpe wrote:
>>
>>> An Active Directory KDC will only grant a TGT for UPNs, getting
>>> a TGT for SPNs is not possible:
>>>
>>> $ kinit -k host/ib5@ADS.ORCORP.CA
>>> kinit: Client not found in Kerberos database while getting initial credentials
>>>
>>> The correct thing to do for machine credentials is to get a TGT
>>> for the computer UPN <HOSTNAME>$@REALM:
>>> $ kinit -k IB5\$
>>> $ klist
>>> 12/22/10 11:43:47  12/22/10 21:43:47  krbtgt/ADS.ORCORP.CA@ADS.ORCORP.CA
>>>
>>> Samba automatically creates /etc/krb5.keytab entry for the computer UPN,
>>> this patch makes gssd_refresh_krb5_machine_credential prefer it above
>>> the SPNs if it is present.
>>>
>>> The net result is that nfs client works automatically out of the box
>>> if samba has been used to setup kerberos via 'net ads join' 'net ads
>>> keytab create'
>>>
>>> Tested using Windows Server 2003 R2 as the AD server.
>>
>> This is basically what I did earlier, see:
>>
>> http://marc.info/?l=linux-nfs&m=128108638228797&w=2
>>
>> though I still haven't cleaned it up as promised..
> 
> Right, mine is a bit more complete (man page updated, etc) but it does
> the same thing.
> 
> Maybe we can get a nfs-utils maintainer to comment this time?
Sorry for the delay.... I'll try to get to this asap...

steved.
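
The selection order described in the quoted patch description (the computer UPN `<HOSTNAME>$@REALM` preferred over SPNs when it is in the keytab), as an added example that is not part of this thread or of the nfs-utils patch. The function names `machine_upn` and `pick_machine_principal`, the `root`/`nfs`/`host` fallback order and the sample keytab entries are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Build "<HOSTNAME>$@REALM" from a host name: short name, upper-cased.
 * Returns 0 on success, -1 if the name is empty or does not fit in out. */
int machine_upn(const char *host, const char *realm, char *out, size_t len)
{
    size_t n = strcspn(host, ".");          /* drop any DNS domain part */
    if (n == 0 || n + strlen(realm) + 3 > len)  /* '$' + '@' + NUL */
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)toupper((unsigned char)host[i]);
    snprintf(out + n, len - n, "$@%s", realm);
    return 0;
}

/* Return the index of the keytab principal to request the machine TGT for:
 * the computer UPN if present, otherwise the first matching SPN in the
 * (assumed) order root/, nfs/, host/, otherwise -1. */
int pick_machine_principal(const char *const *keytab, int nkeys,
                           const char *host, const char *realm)
{
    static const char *const svc[] = { "root", "nfs", "host" };
    char want[256];

    if (machine_upn(host, realm, want, sizeof(want)) == 0)
        for (int i = 0; i < nkeys; i++)
            if (strcmp(keytab[i], want) == 0)
                return i;                   /* AD will issue a TGT for this */

    for (size_t s = 0; s < sizeof(svc) / sizeof(svc[0]); s++) {
        snprintf(want, sizeof(want), "%s/%s@%s", svc[s], host, realm);
        for (int i = 0; i < nkeys; i++)
            if (strcmp(keytab[i], want) == 0)
                return i;                   /* SPN fallback for non-AD KDCs */
    }
    return -1;
}

int main(void)
{
    /* Constructed keytab principal list: one SPN and the computer UPN. */
    const char *const kt[] = { "host/ib5@ADS.ORCORP.CA", "IB5$@ADS.ORCORP.CA" };
    int i = pick_machine_principal(kt, 2, "ib5", "ADS.ORCORP.CA");
    printf("machine principal: %s\n", i >= 0 ? kt[i] : "(none)");
    return 0;
}
```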


Thread overview: 5+ messages
2010-12-22 19:22 [PATCH] Support AD style kerberos automatically in rpc.gss Jason Gunthorpe
2010-12-23 10:55 ` Timo Aaltonen
2011-01-04 21:32   ` Jason Gunthorpe
2011-01-06 13:12     ` Steve Dickson [this message]
2011-02-09 16:34 ` Steve Dickson
