On Thu, Sep 04, 2008 at 06:45:03PM +0200, François Valenduc wrote:
> Kevin Coffman wrote:
>> Hello François,
>> First, you should not need to limit the encryption types in
>> /etc/krb5.conf as you have done. None of the following lines are
>> necessary in either the client or server's /etc/krb5.conf file.
>> (Leaving them in will probably lead to headaches with other Kerberos
>> applications in the future.)
>>
>> default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
>> default_tgs_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
>> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
>> des3-hmac-sha1
>>
>> You said that you limited the client's keytab to des-cbc-crc. It
>> appears you have done the same for the server's keytab since the
>> ticket and session key the client gets are des-cbc-crc.
>>
>>
>>> Sep 3 19:36:22 pc-francois krb5kdc[9787]: TGS_REQ (2 etypes {18 1})
>>> 192.168.1.3: ISSUE: authtime 1220463382, etypes {rep=18 tkt=1 ses=1},
>>> nfs/ordi-francois.homenetwork.net@xxxxxxxxxxxxxxx for
>>> nfs/pc-francois.homenetwork.net@xxxxxxxxxxxxxxx
>>>
>>
>> It looks like the client is successfully authenticating as
>> "nfs/ordi-francois.homenetwork.net@xxxxxxxxxxxxxxx".
>>
>>
>>> Sep 3 19:36:22 pc-francois rpc.svcgssd[7008]: sname =
>>> nfs/ordi-francois.homenetwork.net@xxxxxxxxxxxxxxx
>>>
>>
>> However, mapping that gss_auth_name to a local ID is failing, and is
>> being mapped to uid/gid of "-1 -1".
>>
>>
>>> Sep 3 19:36:22 pc-francois rpc.svcgssd[7008]: \x01000000 2147483647 -1 -1 0 krb5
>>> \x000000000000[...]80b98
>>>
>>
>> The "-1" should be interpreted in the kernel as nfsnobody. What are
>> the permissions on the exported filesystem?
>>
>> K.C.
>>
>>
> So, is it normal that gss maps the local uid/gid to -1 -1? If not, what
> should I change?
> The folder I try to export is configured like this:
>
> /home/francois ordi-francois(rw,root_squash,no_subtree_check)

Assuming you're using nfs-utils 1.1.1 or later, add "sec=krb5" to the
export options. (Or "sec=krb5:krb5i:krb5p" if you also want to allow
integrity and privacy; and "sec=sys:krb5:krb5i:krb5p" if you also want
to allow auth_sys.)

--b.
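
An added example, not part of the original thread and not nfs-utils code: a small audit of `/etc/exports`-style text that lists the `sec=` flavors each client is offered and flags entries that still permit auth_sys, which is what applies when no `sec=` option is given. The function names and the sample entries (apart from the `/home/francois` line quoted above) are constructed, and it assumes the `sec=` export syntax of nfs-utils 1.1.1 or later with no quoted paths.

```python
# Constructed sample in /etc/exports syntax; only the first entry is from the thread.
SAMPLE_EXPORTS = """\
# constructed sample
/home/francois ordi-francois(rw,root_squash,no_subtree_check)
/srv/krb ordi-francois(rw,sec=krb5:krb5i:krb5p,no_subtree_check)
/srv/mixed -sec=krb5p,ro host-a host-b(rw,sec=sys:krb5)
"""


def sec_flavors(options, inherited):
    """Collect flavors from every sec= option; fall back to the inherited list."""
    found = []
    for opt in options:
        if opt.startswith("sec="):
            found += [f for f in opt[4:].split(":") if f and f not in found]
    return found or inherited


def audit_exports(text):
    """Return (path, client, flavors, allows_sys) for each export entry."""
    results = []
    text = text.replace("\\\n", " ")          # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *fields = line.split()
        default = ["sys"]                     # exports(5): sys is the default flavor
        for field in fields:
            if field.startswith("-"):         # "-opt,opt": defaults for this line
                default = sec_flavors(field[1:].split(","), default)
                continue
            client, _, rest = field.partition("(")
            flavors = sec_flavors(rest.rstrip(")").split(","), default)
            results.append((path, client or "*", flavors, "sys" in flavors))
    return results


if __name__ == "__main__":
    for path, client, flavors, allows_sys in audit_exports(SAMPLE_EXPORTS):
        note = "allows auth_sys" if allows_sys else "Kerberos only"
        print(f"{path:16} {client:14} sec={':'.join(flavors):18} {note}")
```

Run against the export from the thread, the first entry is reported as `sec=sys`, which is the state the reply's `sec=krb5` option changes.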