From: Simo Sorce <simo@redhat.com>
To: The GSS-Proxy developers and users mailing list
<gss-proxy@lists.fedorahosted.org>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: [gssproxy] migration from svcgssd to gssproxy results in regression.
Date: Wed, 08 Mar 2017 11:19:06 -0500
Message-ID: <1488989946.25839.3.camel@redhat.com>
In-Reply-To: <87lgsgissm.fsf@notabene.neil.brown.name>
On Wed, 2017-03-08 at 10:14 +1100, NeilBrown wrote:
> Hi,
> I recently tried using gssproxy for krb5 authentication with nfsd.
> This was because a customer is using an AD Kerberos master which uses
> certificates which are too big for svcgssd to work with (i.e. larger
> than one page).
>
> Unfortunately it doesn't work.
>
> The svcgssd code in nfs-utils calls
> gss_display_name()
> to get the name of the principal. This returns something like
> "user@domain".
>
> getpwnam() works perfectly on this (when nsswitch is set to use
> "winbind")
> but svcgssd goes further and uses nfs4_gss_princ_to_ids() to perform
> the lookup. Presumably this is more general?
>
> gssproxy does neither of these.
> It uses gss_localname() to get the user name, which returns something
> like "user".
> It then calls getpwnam() on that, which fails ("user@domain" or
> "domain\user" both succeed).
>
> I have modified my copy to use gss_display_name() instead of
> gss_localname() and it now appears to work perfectly ... for this
> use-case at least.
>
> What is the right way forward here?
> Is nfs4_gss_princ_to_ids() really necessary?
> Should gssproxy use it, at least for requests from the NFS server?
> Is there a good reason not to use gss_display_name() uniformly?
> Maybe use gss_local_name(), and if that fails, or getpwnam fails,
> use gss_display_name()??
No, you should configure krb5.conf to map to a fully qualified name if
that is what you normally want.
The default rule allows mapping only for the default realm and does so
by truncating away the realm name, but you can configure your own.
See the auth_to_local_names directive in krb5.conf.
Simo.
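As an added illustration of the mapping Simo refers to (this is not part of his reply, nor gssproxy or nfs-utils configuration from the thread), here is a krb5.conf fragment that replaces the default realm-stripping rule with one that keeps the realm on the local name, so that gss_localname() hands gssproxy a "user@domain"-style name that winbind's getpwnam() can resolve. The realm AD.EXAMPLE.COM, the lower-cased domain suffix winbind is assumed to accept, and the choice of the AD realm as default_realm are all assumptions for the example; MIT krb5 reads auth_to_local rules from the default realm's stanza, and `$0` in a rule is the principal's realm while `$1` is its first component.

```ini
# Example krb5.conf fragment (constructed; realm and domain names are placeholders).
[libdefaults]
    # Assumption: the NFS server's default realm is the AD realm.
    default_realm = AD.EXAMPLE.COM

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com

        # Single-component principals (plain users) from the AD realm:
        # emit "user@ad.example.com" instead of the realm-stripped "user".
        # [1:$1@$0] builds "user@AD.EXAMPLE.COM"; the regexp restricts the
        # rule to this realm; the s/// lower-cases the suffix to the form
        # winbind is assumed to resolve.
        auth_to_local = RULE:[1:$1@$0](^.*@AD\.EXAMPLE\.COM$)s/@AD\.EXAMPLE\.COM$/@ad.example.com/

        # Anything the rule above does not match falls through to the
        # built-in behaviour (strip the realm for the default realm only).
        auth_to_local = DEFAULT
    }
```

Rules are tried in order and the first match wins, so placing DEFAULT last keeps existing behaviour for any principal the explicit rule does not cover; host and service principals have two components and are not touched by a `[1:...]` rule. auth_to_local_names, which Simo names, is the companion tag for listing explicit principal-to-user pairs when a handful of fixed mappings is enough.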
Thread overview (5+ messages):
2017-03-07 23:14 migration from svcgssd to gssproxy results in regression (NeilBrown)
2017-03-08 14:15 ` Scott Mayhew
2017-03-08 14:30 ` Scott Mayhew
2017-03-08 16:19 ` Simo Sorce [this message]
2017-03-09 00:57 ` [gssproxy] (NeilBrown)