From: Jurjen Bokma <j.bokma@rug.nl>
To: Cedric Blancher <cedric.blancher@gmail.com>
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: How to use NFS with multiple principals in different realms?
Date: Thu, 04 Sep 2014 11:33:50 +0200
Message-ID: <540831FE.1010208@rug.nl>
In-Reply-To: <CALXu0Ue9z-xbFk9hhsvu4c38qqmd0Wwupk2LvL99rwoAcRMqOw@mail.gmail.com>
You use cross realm authentication, so that your NFS client may obtain
tickets for servers that are not in its own realm.
To allow for cross-realm authentication from your own MYREALM.NET (where
the client is) to your neighbour's HISREALM.ORG (the realm of the
server), you basically create *in*each*realm* a principal
krbtgt/MYREALM.NET@HISREALM.ORG.
Both principals must be identical. They have to have the same name, the
same encryption types, and the same kvno.
After that, it's a matter of configuring the krb5.conf right: tell the
Kerberos servers which machine is in which realm if DNS doesn't do that.
Debian bug #571244 may also come into play on RHEL?
I've got step by step documentation for an Ubuntu NFS client with
Kerberos served by Heimdal under Debian and Windows AD respectively. But
I haven't anonymized the text yet, so I can't put it online immediately.
Would it help you if I anonymize it soon, or can you work it out from
just the above hints?
Regards
Jurjen
On 09/04/2014 11:04 AM, Cedric Blancher wrote:
> How can I use NFS with kerberos krb5p auth when I want to use NFS
> filesystems which come from different realms?
>
> I know klist -A can show all tickets I got from all realms I kinit to
> - but how can NFS use them?
>
> OS is RHEL7
>
> Ced
>
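As an added illustration of the krb5.conf part of Jurjen's answer (this is not from the original post or from either list), here is the client-side configuration for the direction he describes: an NFS client in MYREALM.NET mounting with sec=krb5p from a server in HISREALM.ORG. KDC and server host names are placeholders. The one-hop path in [capaths] relies on the cross-realm principal krbtgt/HISREALM.ORG@MYREALM.NET existing, with the same key, enctypes and kvno, in both realms; that is the name a MYREALM.NET client needs for this direction, while krbtgt/MYREALM.NET@HISREALM.ORG serves clients going the other way.

```ini
# Added example, not from the original post: /etc/krb5.conf on an NFS
# client in MYREALM.NET. Host names below are placeholders.
[libdefaults]
    default_realm = MYREALM.NET

[realms]
    MYREALM.NET = {
        kdc = kdc.myrealm.net
        admin_server = kdc.myrealm.net
    }
    HISREALM.ORG = {
        kdc = kdc.hisrealm.org
        admin_server = kdc.hisrealm.org
    }

# "Tell the Kerberos servers which machine is in which realm if DNS
# doesn't do that": without this mapping the client asks its own KDC for
# nfs/nfs.hisrealm.org@MYREALM.NET, which does not exist.
[domain_realm]
    .myrealm.net  = MYREALM.NET
    myrealm.net   = MYREALM.NET
    .hisrealm.org = HISREALM.ORG
    hisrealm.org  = HISREALM.ORG

# Direct one-hop trust; "." means no intermediate realm is needed.
[capaths]
    MYREALM.NET = {
        HISREALM.ORG = .
    }
```

To check the setup before touching NFS: after `kinit user@MYREALM.NET`, `kvno nfs/nfs.hisrealm.org@HISREALM.ORG` should succeed, and `klist` should then show krbtgt/MYREALM.NET@MYREALM.NET, the cross-realm ticket krbtgt/HISREALM.ORG@MYREALM.NET, and the nfs/ service ticket. If the kvno step fails with a key-version or decryption error, compare the cross-realm principal on both KDCs (`getprinc krbtgt/HISREALM.ORG@MYREALM.NET` in MIT kadmin, `get` in Heimdal kadmin) and make sure the kvno and enctype list agree, since the KDC of HISREALM.ORG must decrypt a ticket issued by the KDC of MYREALM.NET. On the NFS client, rpc.gssd obtains the same tickets from the user's credential cache (or from the host keytab for machine credentials), so once kvno works for a user the mount normally follows.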