Hello Marc,
This sounds like a bug. This should be considered a valid credentials
cache (without a TGT). I don't have the cycles to attempt a fix, nor
am I sure what the correct fix would be. I hope someone else does!
K.C.
On Fri, Oct 29, 2010 at 4:40 AM, Marc Schlinger
<marc.schlinger@xxxxxxxxxxxx> wrote:
>
> Hello,
>
> I'm using WebAuth to authenticate my user and provide them a mean to
> join their NFSv4 files through a web page.
> I'd like to have the kerberos credentials used by the web server, but I
> didn't managed to impersonate the kerberos user with nfsv4 in a webauth
> protected page.
> When I try to list the an nfs directory from the webpage I've got this
> error from rpc.gssd:
>
> CC file '/tmp/krb5cc_500' is expired or corrupt
>
> My distribution is Fedora 12 and i'm using nfs-utils 1.2.1.
>
> WebAuth is configured to ask the client a forwardable ticket for
> nfs/<mynfsserver>@<myrealm>. In my application's code I can see the
> ticket and even do a klist with it. The output looks like this:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: marc@<myrealm>
>
> Valid starting Expires Service principal
> 10/28/10 20:15:17 10/29/10 20:15:15 nfs/<mynfsserver>@<myrealm>
> Flags: FAT
>
> So my application never gets the krbtgt tickets. Considering security, I
> believe this is a good point.
>
> I must confess that I didn't manage to follow rpc.gssd process with gdb
> or with ltrace.
> So until I'm able to trace gssd execution all things that follows are
> pure suppositions.
>
>
> While trying to find a valid credential_cache gssd calls a function in
> utils/krb5_utils.c, "check_for_tgt", that does this loop:
>
> while (!found&& (ret = krb5_cc_next_cred(context, ccache,&cur,
> &creds)) == 0) {
> if (creds.server->length == 2&&
> data_is_equal(creds.server->realm, principal->realm)&&
> creds.server->data[0].length == 6&&
> -> memcmp(creds.server->data[0].data, "krbtgt", 6) == 0&&
> data_is_equal(creds.server->data[1], principal->realm)&&
> creds.times.endtime> time(NULL))
> found = 1;
> krb5_free_cred_contents(context,&creds);
> }
>
>
> What I understand is that without a krbtgt entry, a credential cache
> will be considered invalid.
>
> Is there some reasons for this?
> For what I've understand about kerberos protocol, a proxiable or
> forwardable service ticket is sufficient to communicate with the nfs
> server. But I may be wrong.
>
>
> Thanks for your help.
>
> Marc Schlinger
>
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
