From: Marc Schlinger <marc.schlinger@agorabox.org>
To: linux-nfs@vger.kernel.org
Subject: rpc.gssd and proxiable/forwardable tickets.
Date: Fri, 29 Oct 2010 10:40:03 +0200 [thread overview]
Message-ID: <4CCA8863.6040505@agorabox.org> (raw)
Hello,
I'm using WebAuth to authenticate my user and provide them a mean to
join their NFSv4 files through a web page.
I'd like to have the kerberos credentials used by the web server, but I
didn't managed to impersonate the kerberos user with nfsv4 in a webauth
protected page.
When I try to list the an nfs directory from the webpage I've got this
error from rpc.gssd:
CC file '/tmp/krb5cc_500' is expired or corrupt
My distribution is Fedora 12 and i'm using nfs-utils 1.2.1.
WebAuth is configured to ask the client a forwardable ticket for
nfs/<mynfsserver>@<myrealm>. In my application's code I can see the
ticket and even do a klist with it. The output looks like this:
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: marc@<myrealm>
Valid starting Expires Service principal
10/28/10 20:15:17 10/29/10 20:15:15 nfs/<mynfsserver>@<myrealm>
Flags: FAT
So my application never gets the krbtgt tickets. Considering security, I
believe this is a good point.
I must confess that I didn't manage to follow rpc.gssd process with gdb
or with ltrace.
So until I'm able to trace gssd execution all things that follows are
pure suppositions.
While trying to find a valid credential_cache gssd calls a function in
utils/krb5_utils.c, "check_for_tgt", that does this loop:
while (!found&& (ret = krb5_cc_next_cred(context, ccache,&cur,
&creds)) == 0) {
if (creds.server->length == 2&&
data_is_equal(creds.server->realm, principal->realm)&&
creds.server->data[0].length == 6&&
-> memcmp(creds.server->data[0].data, "krbtgt", 6) == 0&&
data_is_equal(creds.server->data[1], principal->realm)&&
creds.times.endtime> time(NULL))
found = 1;
krb5_free_cred_contents(context,&creds);
}
What I understand is that without a krbtgt entry, a credential cache
will be considered invalid.
Is there some reasons for this?
For what I've understand about kerberos protocol, a proxiable or
forwardable service ticket is sufficient to communicate with the nfs
server. But I may be wrong.
Thanks for your help.
Marc Schlinger
next reply other threads:[~2010-10-29 8:49 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-29 8:40 Marc Schlinger [this message]
2010-11-01 23:47 ` rpc.gssd and proxiable/forwardable tickets Kevin Coffman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CCA8863.6040505@agorabox.org \
--to=marc.schlinger@agorabox.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).