From: Jeff Layton <jlayton@redhat.com>
To: Di Pe <dipeit@gmail.com>
Cc: linux-nfs@vger.kernel.org
Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1
Date: Tue, 20 Apr 2010 10:13:40 -0400
Message-ID: <20100420101340.6a0652a3@corrin.poochiereds.net>
In-Reply-To: <x2l3b6787961004191737p1fb222uc6a5b03d77414826@mail.gmail.com>
On Mon, 19 Apr 2010 17:37:45 -0700
Di Pe <dipeit@gmail.com> wrote:
>
> On another note: This PAC size issue is interesting. It seems to be an
> ongoing problem over the last couple of years. I suspect most
> krb5/gssd developers do not have an Active Directory infrastructure at
> hand they can test against?
> Going forward it may make sense to "fix" this issue on the
> Microsoft end of things: http://support.microsoft.com/kb/832572 ?
> However, this would result in a pretty unique environment because many
> AD Admins would not bother with this setting nor would they know how
> to apply it.
>
In order to hit this problem you need a fairly large AD infrastructure.
You need to have the principal in a lot of groups so that the PAC is
big enough to cause the issue.

Also, it's only really a problem if you're using libraries that aren't
able to deal with large ticket sizes like this. Current libtirpc and
librpcsecgss should deal with this just fine.

Certainly if you have the freedom to have the server not store PAC info
for certain tickets, then that's one way to work around the problem.
Many people don't have that freedom, or it's just too much trouble to
do so.
--
Jeff Layton <jlayton@redhat.com>