On Wed, 13 Nov 2013 04:15:26 +0000 "Myklebust, Trond" <Trond.Myklebust@xxxxxxxxxx> wrote:

> On Tue, 2013-11-12 at 22:46 -0500, J. Bruce Fields wrote:
> >
> > OK, but it still seems dumb to even attempt the reverse lookup: the
> > lookup probably isn't secure, and the mount command line should have a
> > name that we can match to a krb5 principal without needing any other
> > lookups.
> >
> > So I'd think reasonable behavior in this case would be to just try the
> > IP address on the chance there's actually an nfs/x.y.z.w@REALM
> > principal. (Or just fail outright if kerberos doesn't allow principals
> > that look like that.)
>
> Looking through the krb5.conf manpage etc it looks as if a lot of this
> functionality should be covered by the krb protocol itself without us
> needing to do explicit reverse lookups in rpc.gssd. I'm thinking of the
> 'canonicalize' and 'rdns' options, for instance. Am I wrong?
>

I suspect there is a good chance that you are correct, though my man page
only mentions "rdns", not "canonicalize", so there may be some version
dependency to think about.

However I think fixing this is a separate (though related) issue to fixing
my current problem and would probably require more code examination and
testing than I feel inclined to at the moment.

So I'll leave this side of the question alone and just fix the bit that is
clearly broken.

Thanks,
NeilBrown
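The krb5.conf options the reply refers to, shown here as an added illustration that is not part of the thread or of rpc.gssd; the realm is a placeholder and the option values are the MIT krb5 `[libdefaults]` settings as documented, with the default (weak) behaviour commented out beside the hardened one.

```ini
# Added illustration, not from the mailing-list thread. EXAMPLE.COM is a placeholder realm.
[libdefaults]
    default_realm = EXAMPLE.COM

    # Default behaviour: the host part of a service principal such as
    # nfs/<host>@REALM is derived by forward DNS and then reverse DNS,
    # so whatever the resolver answers decides which principal the client
    # asks the KDC for. This is the "lookup probably isn't secure" case.
    #dns_canonicalize_hostname = true
    #rdns = true

    # Hardened: use the name exactly as given on the mount command line.
    # No DNS answer, forward or reverse, influences the principal name, so
    # the name must already match the nfs/... principal in the keytab.
    dns_canonicalize_hostname = false
    rdns = false

    # Asks the KDC to canonicalize the *client* principal in the initial
    # ticket request. Present only in newer MIT releases (absent from older
    # manpages, as the reply notes) and does not replace rdns above.
    canonicalize = false
```

With both DNS options off, a mount of an IP literal yields a request for nfs/x.y.z.w@REALM, which is the fail-or-match behaviour Bruce describes rather than a silent reverse lookup.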