Hello,

I'm using WebAuth to authenticate my user and provide them a means to join their NFSv4 files through a web page. I'd like to have the kerberos credentials used by the web server, but I didn't manage to impersonate the kerberos user with nfsv4 in a webauth protected page.

When I try to list an nfs directory from the webpage I've got this error from rpc.gssd:

    CC file '/tmp/krb5cc_500' is expired or corrupt

My distribution is Fedora 12 and I'm using nfs-utils 1.2.1.

WebAuth is configured to ask the client a forwardable ticket for nfs/<mynfsserver>@<myrealm>. In my application's code I can see the ticket and even do a klist with it. The output looks like this:

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_500
    Default principal: marc@<myrealm>

    Valid starting     Expires            Service principal
    10/28/10 20:15:17  10/29/10 20:15:15  nfs/<mynfsserver>@<myrealm>
            Flags: FAT

So my application never gets the krbtgt tickets. Considering security, I believe this is a good point.

I must confess that I didn't manage to follow the rpc.gssd process with gdb or with ltrace. So until I'm able to trace gssd execution, everything that follows is pure supposition.

While trying to find a valid credential_cache, gssd calls a function in utils/krb5_utils.c, "check_for_tgt", that does this loop:

       while (!found &&
              (ret = krb5_cc_next_cred(context, ccache, &cur, &creds)) == 0) {
               if (creds.server->length == 2 &&
                   data_is_equal(creds.server->realm, principal->realm) &&
                   creds.server->data[0].length == 6 &&
    ->             memcmp(creds.server->data[0].data, "krbtgt", 6) == 0 &&
                   data_is_equal(creds.server->data[1], principal->realm) &&
                   creds.times.endtime > time(NULL))
                       found = 1;
               krb5_free_cred_contents(context, &creds);
       }

What I understand is that without a krbtgt entry, a credential cache will be considered invalid. Are there some reasons for this? From what I've understood about the kerberos protocol, a proxiable or forwardable service ticket is sufficient to communicate with the nfs server. But I may be wrong.

Thanks for your help.

Marc Schlinger
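
Added example, not part of the original message and not nfs-utils code: a small diagnostic that applies the condition from the quoted loop (an unexpired krbtgt/REALM@REALM entry for the default principal's realm) to klist text output. It assumes the klist layout and MM/DD/YY date format shown in the message; the realm EXAMPLE.ORG, the host nfs.example.org and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the klist output quoted in the message;
# EXAMPLE.ORG and nfs.example.org are placeholders, not values from the post.
SERVICE_ONLY = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: marc@EXAMPLE.ORG

Valid starting     Expires            Service principal
10/28/10 20:15:17  10/29/10 20:15:15  nfs/nfs.example.org@EXAMPLE.ORG
"""
WITH_TGT = SERVICE_ONLY + (
    "10/28/10 20:15:17  10/29/10 20:15:15  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG\n")

ROW = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                 r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")

def parse_klist(text):
    """Return (default_realm, [(service_principal, expiry_datetime), ...])."""
    realm, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            realm = line.rpartition("@")[2]
        m = ROW.match(line)
        if m:
            expiry = datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S")
            tickets.append((m.group(3), expiry))
    return realm, tickets

def has_valid_tgt(text, now):
    """Same condition as the quoted loop: an unexpired krbtgt/REALM@REALM."""
    realm, tickets = parse_klist(text)
    wanted = "krbtgt/%s@%s" % (realm, realm)
    return any(name == wanted and expiry > now for name, expiry in tickets)

def diagnose(text, now):
    """Explain why a cache passes or fails the krbtgt condition."""
    realm, tickets = parse_klist(text)
    if has_valid_tgt(text, now):
        return "ok: unexpired krbtgt for %s" % realm
    live = [name for name, expiry in tickets if expiry > now]
    if live:
        return "no krbtgt for %s; only service tickets: %s" % (realm, ", ".join(live))
    return "no unexpired tickets"

if __name__ == "__main__":
    print(diagnose(SERVICE_ONLY, datetime(2010, 10, 28, 21, 0, 0)))
```

A cache like the one in the message, holding only a valid nfs/ service ticket, is reported as lacking a krbtgt even though its ticket has not expired.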