On Thu, Dec 08, 2016 at 08:18:02AM -0500, Andy Adamson wrote:
> On Thu, Dec 8, 2016 at 7:36 AM, Lukas Hejtmanek <xhejtman@xxxxxxxxx> wrote:
> > This discussion seems to be a bit fubar. So I start over again.
> >
> > I see three problems if $HOME is Kerberized NFS volume, I will call this NFS
> > client machine.
> >
> > 1) user logs via SSH to the NFS client machine using GSS API, i.e., the user
> > has a Kerberos ticket.
>
> Did the user use kinit -f (to obtain a forwardable ticket)?
>
> Do you enable credential forwarding? e.g. does the .ssh/config file contain
>
> GSSAPIDelegateCredentials yes

yes, but it does not help, the ticket is recreated a bit later during the log on process.

> Yes. Isn't this the issue that forwardable kerberos tickets and ssh
> with GSSAPI is designed to solve?
>
> Why does the user want to login to the NFS client machine using the
> ssh public key and not kinit -f and use forwardable tickets? Or have I
> misunderstood.....

well, for some reason for sshfs, the user does not want to play with a renewable ticket, he wants just a public key. But yes, instead of an ssh public key, one can use forwardable tickets, but those need to be recreated/refreshed (we have a limit for ticket duration of 1 day, 7 days renewable).

--
Lukáš Hejtmánek