On Mon, Nov 28, 2016 at 1:37 PM, Lukas Hejtmanek <xhejtman@xxxxxxxxxxx> wrote:
> Hello,
>
> would it be acceptable to add an option for rpc.gssd to use host keytab if
> user's kerberos ticket is not available?
>
> Consider the following scenario:
> 1) machine has NFS mounted /home using kerberos authentication
> 2) user logs in, sshd creates krb ticket ($HOME/.k5login needs to be world
> readable to allow kerberized access, e.g., using kerberos ticket)
> 3) user stays logged in and krb ticket expires
> 4) kinit to renew ticket produces strange error because $HOME is not
> accessible and a new ticket is not created.

Why is kinit accessing something from $HOME? What distro are you using to run
kinit (or any other info to explain use of $HOME)? I just ran kinit on RHEL7.2
and nowhere does it read $HOME.

What I read here is that user has expired creds and is trying to access a
kerberized NFS file. The operation MUST fail, there is no way around it. There
shouldn't be any fixes that would allow for a user to access files without
credentials. So in the environment where for whatever reason your kinit
requires read of $HOME, you must make sure credentials are refreshed before
they expire. Steve has mentioned that sssd takes on this responsibility.

> So, I think in this case, I would like to see rpc.gssd use host keytab while
> user's ticket is not available, which maps to nobody/nogroup, but kinit should
> succeed.
>
> Or are there any other options if one is using kerberized homes only?
>
> --
> Lukáš Hejtmánek
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
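The "refresh credentials before they expire" advice in the reply above, as an added example that is not part of this thread nor of nfs-utils or sssd: a small Python watchdog that parses `klist` output, renews the TGT with `kinit -R` while it is still renewable, and re-initialises from a per-user keytab with `kinit -k -t` once the ticket has lapsed or its renewable lifetime is used up. The klist sample is constructed; the date layout, the 30-minute margin, the keytab path and the `parse_klist`/`tgt_action`/`renew_command` names are this example's assumptions, and it assumes the credential cache lives outside the NFS home (the sample shows a KEYRING cache) so the renewal itself never needs $HOME.

```python
"""Kerberos TGT watchdog (added example, not linux-nfs or nfs-utils code).

Parses `klist` output, decides whether the krbtgt is about to expire, and
runs `kinit -R` (renew) or `kinit -k -t <keytab>` (re-initialise).  The
klist text below is constructed for this example; the timestamp layout and
the 30-minute margin are assumptions, not anything from the thread."""
import re
import subprocess
import sys
from datetime import datetime, timedelta

# Constructed sample in the layout MIT klist prints.  The cache is a KEYRING
# cache on purpose: nothing here depends on the (possibly unreachable) $HOME.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@EXAMPLE.ORG

Valid starting       Expires              Service principal
11/28/2016 13:37:00  11/28/2016 23:37:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 12/05/2016 13:37:00
"""

# Assumption: 4-digit or 2-digit years, US date order, as klist prints them.
DATE_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")
TICKET_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")
RENEW_RE = re.compile(r"^\s*renew until (\S+ \S+)")


def parse_time(text):
    """Parse a klist timestamp; return None if it is not one (e.g. a header)."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    return None


def parse_klist(output):
    """Return [{service, expires, renew_until}] for every ticket in klist text."""
    tickets = []
    for line in output.splitlines():
        m = TICKET_RE.match(line)
        if m:
            start, expires, service = m.groups()
            exp = parse_time(expires)
            if parse_time(start) is None or exp is None:
                continue  # header line or something that is not a ticket
            tickets.append({"service": service, "expires": exp, "renew_until": None})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = parse_time(m.group(1))
    return tickets


def tgt_action(tickets, now, margin=timedelta(minutes=30)):
    """Decide what to do about the krbtgt before the NFS client loses access:
       'ok'     - more than `margin` of lifetime left, do nothing
       'renew'  - inside `margin` and still renewable  -> kinit -R
       'reinit' - no TGT, already expired, or renewable lifetime nearly
                  exhausted (renewing would yield a near-dead ticket)
    """
    tgts = [t for t in tickets if t["service"].startswith("krbtgt/")]
    if not tgts:
        return "reinit"
    tgt = tgts[0]
    if tgt["expires"] <= now:
        return "reinit"
    if tgt["expires"] - now > margin:
        return "ok"
    renew_until = tgt["renew_until"]
    if renew_until is not None and renew_until > now + margin:
        return "renew"
    return "reinit"


def renew_command(action, principal, keytab):
    """Map the decision to the kinit invocation; None means nothing to run."""
    if action == "renew":
        return ["kinit", "-R"]
    if action == "reinit":
        return ["kinit", "-k", "-t", keytab, principal]
    return None


def main(argv):
    if len(argv) != 3:
        print("usage: krb_watchdog.py PRINCIPAL KEYTAB", file=sys.stderr)
        return 2
    principal, keytab = argv[1], argv[2]
    # klist exits non-zero with empty output when there is no cache at all;
    # that parses to [] and correctly becomes 'reinit'.
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    cmd = renew_command(tgt_action(parse_klist(out), datetime.now()), principal, keytab)
    return 0 if cmd is None else subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a per-user cron job or systemd timer every few minutes (`python3 krb_watchdog.py user@EXAMPLE.ORG /path/to/user.keytab`). Keeping a per-user keytab on disk is itself a trade-off, since it is a long-term key; that is why the automatic renewal sssd performs is the usual answer rather than a hand-rolled keytab.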