Re: nfs and kerberos authentification problem.

Kevin Coffman wrote:
Hello François,
First, you should not need to limit the encryption types in
/etc/krb5.conf as you have done.  None of the following lines are
necessary in either the client or server's /etc/krb5.conf file.
(Leaving them in will probably lead to headaches with other Kerberos
applications in the future.)

  default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
  permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des3-hmac-sha1

You said that you limited the client's keytab to des-cbc-crc.  It
appears you have done the same for the server's keytab since the
ticket and session key the client gets are des-cbc-crc.

Sep  3 19:36:22 pc-francois krb5kdc[9787]: TGS_REQ (2 etypes {18 1})
192.168.1.3: ISSUE: authtime 1220463382, etypes {rep=18 tkt=1 ses=1},
nfs/ordi-francois.homenetwork.net@xxxxxxxxxxxxxxx for
nfs/pc-francois.homenetwork.net@xxxxxxxxxxxxxxx

It looks like the client is successfully authenticating as
"nfs/ordi-francois.homenetwork.net@xxxxxxxxxxxxxxx".

Sep  3 19:36:22 pc-francois rpc.svcgssd[7008]: sname =
nfs/ordi-francois.homenetwork.net@xxxxxxxxxxxxxxx

However, mapping that gss_auth_name to a local ID is failing, and is
being mapped to uid/gid of "-1 -1".

Sep  3 19:36:22 pc-francois rpc.svcgssd[7008]: \x01000000 2147483647 -1 -1 0 krb5
\x000000000000[...]80b98

The "-1" should be interpreted in the kernel as nfsnobody.  What are
the permissions on the exported filesystem?

K.C.

So, is it normal that gss maps the local uid/gid to -1 -1? If not, what should I change?
The folder I try to export is configured like this:

/home/francois ordi-francois(rw,root_squash,no_subtree_check)

François
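
Added example, not part of the original messages: a small Python audit of krb5kdc ISSUE lines like the one quoted above, reporting which of the reply, ticket and session keys ended up single-DES even though the client offered AES first. The function and field names are hypothetical, and the second sample line is constructed.

```python
import re

# Kerberos enctype numbers for the types named in this thread (IANA registry).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
SINGLE_DES = {1, 2, 3}  # single-DES enctypes, deprecated by RFC 6649

ISSUE_RE = re.compile(
    r"(?:AS|TGS)_REQ \(\d+ etypes \{(?P<offered>[\d ]+)\}\)"
    r".*?ISSUE:.*?etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\},"
    r"\s*(?P<client>\S+) for (?P<service>\S+)")

def audit_line(line):
    """Parse one krb5kdc ISSUE line; return a finding dict, or None if no match."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    offered = [int(e) for e in m.group("offered").split()]
    used = {k: int(m.group(k)) for k in ("rep", "tkt", "ses")}
    return {
        "client": m.group("client"),
        "service": m.group("service"),
        "offered": offered,
        "used": {k: ETYPE_NAMES.get(e, f"etype-{e}") for k, e in used.items()},
        # Which of the reply / ticket / session keys ended up single-DES.
        "weak_fields": sorted(k for k, e in used.items() if e in SINGLE_DES),
        # Client listed a non-DES type first, yet the session key is DES; the
        # thread attributes this to a server keytab limited to des-cbc-crc.
        "preferred_ignored": offered[0] not in SINGLE_DES and used["ses"] in SINGLE_DES,
    }

# The TGS_REQ line quoted in the thread, rejoined onto one line (realm redacted there).
PAGE_LINE = ("Sep  3 19:36:22 pc-francois krb5kdc[9787]: TGS_REQ (2 etypes {18 1}) "
             "192.168.1.3: ISSUE: authtime 1220463382, etypes {rep=18 tkt=1 ses=1}, "
             "nfs/ordi-francois.homenetwork.net@xxxxxxxxxxxxxxx for "
             "nfs/pc-francois.homenetwork.net@xxxxxxxxxxxxxxx")
# Constructed line: the same request when the service principal has an AES key.
CONSTRUCTED_LINE = ("Sep  3 20:01:10 kdc1 krb5kdc[9787]: TGS_REQ (2 etypes {18 1}) "
                    "192.0.2.10: ISSUE: authtime 1220464870, etypes {rep=18 tkt=18 ses=18}, "
                    "nfs/client.example.test@EXAMPLE.TEST for "
                    "nfs/server.example.test@EXAMPLE.TEST")

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        print(audit_line(line))
```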