Hello Marc,

This sounds like a bug. This should be considered a valid credentials cache (without a TGT). I don't have the cycles to attempt a fix, nor am I sure what the correct fix would be. I hope someone else does!

K.C.

On Fri, Oct 29, 2010 at 4:40 AM, Marc Schlinger <marc.schlinger@xxxxxxxxxxxx> wrote:
>
> Hello,
>
> I'm using WebAuth to authenticate my users and provide them a means to
> join their NFSv4 files through a web page.
> I'd like to have the Kerberos credentials used by the web server, but I
> didn't manage to impersonate the Kerberos user with NFSv4 in a WebAuth
> protected page.
> When I try to list an NFS directory from the web page I get this
> error from rpc.gssd:
>
> CC file '/tmp/krb5cc_500' is expired or corrupt
>
> My distribution is Fedora 12 and I'm using nfs-utils 1.2.1.
>
> WebAuth is configured to ask the client for a forwardable ticket for
> nfs/<mynfsserver>@<myrealm>. In my application's code I can see the
> ticket and even do a klist with it. The output looks like this:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: marc@<myrealm>
>
> Valid starting     Expires            Service principal
> 10/28/10 20:15:17  10/29/10 20:15:15  nfs/<mynfsserver>@<myrealm>
>         Flags: FAT
>
> So my application never gets the krbtgt tickets. Considering security, I
> believe this is a good point.
>
> I must confess that I didn't manage to follow the rpc.gssd process with gdb
> or with ltrace.
> So until I'm able to trace gssd execution all things that follow are
> pure suppositions.
>
> While trying to find a valid credential cache gssd calls a function in
> utils/krb5_utils.c, "check_for_tgt", that does this loop:
>
>     while (!found && (ret = krb5_cc_next_cred(context, ccache, &cur,
>                                               &creds)) == 0) {
>         if (creds.server->length == 2 &&
>             data_is_equal(creds.server->realm, principal->realm) &&
>             creds.server->data[0].length == 6 &&
>   ->        memcmp(creds.server->data[0].data, "krbtgt", 6) == 0 &&
>             data_is_equal(creds.server->data[1], principal->realm) &&
>             creds.times.endtime > time(NULL))
>             found = 1;
>         krb5_free_cred_contents(context, &creds);
>     }
>
> What I understand is that without a krbtgt entry, a credential cache
> will be considered invalid.
>
> Is there some reason for this?
> From what I've understood about the Kerberos protocol, a proxiable or
> forwardable service ticket is sufficient to communicate with the NFS
> server. But I may be wrong.
>
> Thanks for your help.
>
> Marc Schlinger
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
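The check_for_tgt() predicate quoted in Marc's mail, re-expressed over klist output as an added example (not nfs-utils code, and not from either poster): has_tgt() applies the same krbtgt/<realm>@<realm> test gssd uses, and has_service_ticket() is the relaxed check that would accept a cache holding only the forwardable nfs/ service ticket. The realm and server names are constructed stand-ins for the <myrealm> and <mynfsserver> placeholders.

```python
import re
from datetime import datetime

# Constructed sample: the klist output from the mail, with the <myrealm> and
# <mynfsserver> placeholders filled in with made-up values.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: marc@EXAMPLE.ORG

Valid starting     Expires            Service principal
10/28/10 20:15:17  10/29/10 20:15:15  nfs/nfs1.example.org@EXAMPLE.ORG
        Flags: FAT
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
CRED_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                     r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")

def at(stamp):
    """Parse a klist timestamp such as '10/29/10 20:15:15'."""
    return datetime.strptime(stamp, TIME_FMT)

def parse_klist(text):
    """Return (default principal, [(expires, service principal), ...])."""
    principal, creds = None, []
    for line in text.splitlines():
        m = CRED_RE.match(line)
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif m:
            creds.append((at(m.group(2)), m.group(3)))
    return principal, creds

def split_principal(name):
    """'nfs/host@REALM' -> (['nfs', 'host'], 'REALM'): krb5_principal's data[] and realm."""
    name_part, realm = name.rsplit("@", 1)
    return name_part.split("/"), realm

def has_tgt(principal, creds, now):
    """The predicate check_for_tgt() applies: an unexpired krbtgt/<realm>@<realm> entry."""
    _, realm = split_principal(principal)
    for expires, server in creds:
        comps, srealm = split_principal(server)
        if (len(comps) == 2 and srealm == realm and comps[0] == "krbtgt"
                and comps[1] == realm and expires > now):
            return True
    return False

def has_service_ticket(creds, service, now):
    """Relaxed check: an unexpired ticket for the target service principal suffices."""
    return any(server == service and expires > now for expires, server in creds)
```

Run against the sample, has_tgt() is false (which is why gssd reports the cache as expired or corrupt) while has_service_ticket() for the nfs/ principal is true until 10/29/10 20:15:15.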