On Thu, Dec 8, 2016 at 8:23 AM, Lukas Hejtmanek <xhejtman@xxxxxxxxx> wrote:
> On Thu, Dec 08, 2016 at 08:18:02AM -0500, Andy Adamson wrote:
>> On Thu, Dec 8, 2016 at 7:36 AM, Lukas Hejtmanek <xhejtman@xxxxxxxxx> wrote:
>> > This discussion seems to be a bit fubar. So I start over again.
>> >
>> > I see three problems if $HOME is Kerberized NFS volume, I will call this NFS
>> > client machine.
>> >
>> > 1) user logs via SSH to the NFS client machine using GSS API, i.e., the user
>> > has a Kerberos ticket.
>>
>> Did the user use kinit -f (to obtain a forwardable ticket)?
>>
>> Do you enable credential forwarding? e.g. does the .ssh/config file contain
>>
>> GSSAPIDelegateCredentials yes
>
> yes, but it does not help, the ticket is recreated a bit later during log on
> process.
>
>> Yes. Isn't this the issue that forwardable kerberos tickets and ssh
>> with GSSAPI is designed to solve?
>>
>> Why does the user want to login to the NFS client machine using the
>> ssh public key and not kinit -f and use forwardable tickets? Or have I
>> misunderstood.....
>
> well, for some reason for sshfs, user does not want to play with renewable
> ticket,

do you mean forwardable ticket?

> he wants just public key. But yes, instead of ssh public key, one can
> use forwardable ticket but those need to be recreated/refreshed (we have
> limit for ticket duration 1 day, 7 days renewable).

BTW: All kerberos tickets need to be refreshed/renewed. No exceptions :)

Wait. The user is willing to ssh into the NFS client machine using the
ssh public key and then type kinit and enter a password, but not
willing to kinit -f, enter a password, and then ssh into the NFS client
machine using GSSAPI and forwardable tickets?

Do I have this right?

-->Andy

>
> --
> Lukáš Hejtmánek