From: Steve Dickson <SteveD@redhat.com>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Timo Aaltonen <timo.aaltonen@aalto.fi>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH] Support AD style kerberos automatically in rpc.gss
Date: Thu, 06 Jan 2011 08:12:02 -0500
Message-ID: <4D25BFA2.9060002@RedHat.com>
In-Reply-To: <20110104213207.GA1211@obsidianresearch.com>
On 01/04/2011 04:32 PM, Jason Gunthorpe wrote:
> On Thu, Dec 23, 2010 at 12:55:16PM +0200, Timo Aaltonen wrote:
>> On Wed, 22 Dec 2010, Jason Gunthorpe wrote:
>>
>>> An Active Directory KDC will only grant a TGT for UPNs, getting
>>> a TGT for SPNs is not possible:
>>>
>>> $ kinit -k host/ib5@ADS.ORCORP.CA
>>> kinit: Client not found in Kerberos database while getting initial credentials
>>>
>>> The correct thing to do for machine credentials is to get a TGT
>>> for the computer UPN <HOSTNAME>$@REALM:
>>> $ kinit -k IB5\$
>>> $ klist
>>> 12/22/10 11:43:47 12/22/10 21:43:47 krbtgt/ADS.ORCORP.CA@ADS.ORCORP.CA
>>>
>>> Samba automatically creates /etc/krb5.keytab entry for the computer UPN,
>>> this patch makes gssd_refresh_krb5_machine_credential prefer it above
>>> the SPNs if it is present.
>>>
>>> The net result is that nfs client works automatically out of the box
>>> if samba has been used to setup kerberos via 'net ads join' 'net ads
>>> keytab create'
>>>
>>> Tested using Windows Server 2003 R2 as the AD server.
>>
>> This is basically what I did earlier, see:
>>
>> http://marc.info/?l=linux-nfs&m=128108638228797&w=2
>>
>> though I still haven't cleaned it up as promised..
>
> Right, mine is a bit more complete (man page updated, etc) but it does
> the same thing.
>
> Maybe we can get a nfs-utils maintainer to comment this time?
Sorry for the delay.... I'll try to get to this asap...
steved.
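
The preference described in the quoted commit message (computer UPN first, SPNs only as a fallback), as an added example that is not code from the patch or from nfs-utils. `pick_machine_principal` and `find` are hypothetical names, the keytab listings are constructed from the host and realm in the thread, and the SPN fallback order is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed keytab listings, using the host and realm from the thread. */
static const char *const joined[] = {
    "host/ib5@ADS.ORCORP.CA", "nfs/ib5@ADS.ORCORP.CA", "IB5$@ADS.ORCORP.CA" };
static const char *const spn_only[] = {
    "host/ib5@ADS.ORCORP.CA", "nfs/ib5@ADS.ORCORP.CA" };

/* Exact-match lookup: Kerberos principal names are case-sensitive. */
static const char *find(const char *const *kt, size_t n, const char *want)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(kt[i], want) == 0)
            return kt[i];
    return NULL;
}

/* Prefer the computer UPN "<HOSTNAME>$@REALM" (upper-cased short host name),
 * then fall back to SPNs. The order root, nfs, host is an assumption of this
 * example. Returns NULL if the keytab holds nothing usable. */
const char *pick_machine_principal(const char *const *kt, size_t n,
                                   const char *host, const char *realm)
{
    static const char *const svc[] = { "root", "nfs", "host" };
    char want[256], shortname[64];
    const char *hit;
    size_t i = 0;

    for (; host[i] && host[i] != '.' && i + 1 < sizeof shortname; i++)
        shortname[i] = (char)toupper((unsigned char)host[i]);
    shortname[i] = '\0';
    /* Skip the UPN if the short name or the full principal was truncated. */
    if ((!host[i] || host[i] == '.') && (hit = find(kt, n, want)) == NULL
        && snprintf(want, sizeof want, "%s$@%s", shortname, realm)
               < (int)sizeof want && (hit = find(kt, n, want)) != NULL)
        return hit;
    for (size_t s = 0; s < sizeof svc / sizeof svc[0]; s++)
        if (snprintf(want, sizeof want, "%s/%s@%s", svc[s], host, realm)
                < (int)sizeof want && (hit = find(kt, n, want)) != NULL)
            return hit;
    return NULL;
}

int main(void)
{
    printf("%s\n", pick_machine_principal(joined, 3, "ib5", "ADS.ORCORP.CA"));
    printf("%s\n", pick_machine_principal(spn_only, 2, "ib5", "ADS.ORCORP.CA"));
}
```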