| field | value | date |
|---|---|---|
| author | Jason Gunthorpe <jgunthorpe@obsidianresearch.com> | 2011-02-09 11:27:19 -0500 |
| committer | Steve Dickson <steved@redhat.com> | 2011-02-09 11:33:32 -0500 |
| commit | 45e4597bd570ed40221f51887cde7d7f096f55e7 (patch) | |
| tree | 195ae858569b1fcf4984a254b495e96c36f26800 /utils/gssd/gssd.man | |
| parent | 730f6986f86873513fa021a450eb55ccd0f2fbff (diff) | |
Support AD style kerberos automatically in rpc.gss
An Active Directory KDC will only grant a TGT for UPNs; getting
a TGT for SPNs is not possible:

    $ kinit -k host/ib5@ADS.ORCORP.CA
    kinit: Client not found in Kerberos database while getting initial
    credentials
The correct thing to do for machine credentials is to get a TGT
for the computer UPN <HOSTNAME>$@REALM:

    $ kinit -k IB5\$
    $ klist
    12/22/10 11:43:47 12/22/10 21:43:47 krbtgt/ADS.ORCORP.CA@ADS.ORCORP.CA
Samba automatically creates an /etc/krb5.keytab entry for the computer UPN;
this patch makes gssd_refresh_krb5_machine_credential prefer it over
the SPNs if it is present.
The net result is that the nfs client works automatically out of the box
if samba has been used to set up kerberos via 'net ads join' and 'net ads
keytab create'.
Tested using Windows Server 2003 R2 as the AD server.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
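The commit message describes a new preference order for machine-credential keytab entries but gives no way to see, on a given host, which entry rpc.gssd will now pick before the daemon is restarted. The script below is an added example, not code from nfs-utils or from the commit author: it parses `klist -k` style output and applies the search order that the patched gssd.man documents. The hostname `ib5` and realm `ADS.ORCORP.CA` are taken from the commit message; the keytab listing is constructed for the example and was not captured from a real host. The two entries that fall in the elided middle of the man page hunk (host/<hostname>@<REALM> and root/<anyname>@<REALM>) are assumed from the full gssd.man and are not shown on this page.

```shell
#!/bin/sh
# Added example (not part of nfs-utils): report which keytab principal
# rpc.gssd would select for "machine credentials" under the search order
# documented in the patched gssd.man, so an admin can check the effect of
# the change before restarting the daemon.
#
# Assumptions (not from the page): principals arrive on stdin one per
# line in `klist -k` form (KVNO then principal); the host and realm are
# passed as arguments; the two search-order entries elided from the man
# page hunk are host/<hostname>@<REALM> and root/<anyname>@<REALM>.

# pick_machine_principal HOST REALM  < klist-k-listing
# Prints the first principal matching the documented order, returns 1
# if the keytab holds nothing usable as a machine credential.
pick_machine_principal() {
    host=$1
    realm=$2
    upper=$(printf '%s' "$host" | tr '[:lower:]' '[:upper:]')
    lower=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    # keep only the listing rows: a numeric KVNO followed by the principal
    princs=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')

    # Documented order, most specific first.  The AD computer-account UPN
    # (uppercase short name plus '$') is tried before any SPN; '*' stands
    # for the man page's <anyname> and is matched as a shell pattern.
    for pat in \
        "$upper\$@$realm" \
        "root/$lower@$realm" \
        "nfs/$lower@$realm" \
        "host/$lower@$realm" \
        "root/*@$realm" \
        "nfs/*@$realm" \
        "host/*@$realm"
    do
        for p in $princs; do
            case $p in
                $pat) printf '%s\n' "$p"; return 0 ;;
            esac
        done
    done
    return 1
}

# Constructed listing modelled on what 'net ads keytab create' leaves in
# /etc/krb5.keytab for host ib5 in ADS.ORCORP.CA.  The UPN entry is placed
# last on purpose: position in the keytab must not matter, only the
# documented search order.
sample_keytab_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ib5@ADS.ORCORP.CA
   2 host/ib5.ads.orcorp.ca@ADS.ORCORP.CA
   2 IB5$@ADS.ORCORP.CA
EOF
}

# Demo on the constructed listing.  Against a live host run instead:
#   klist -k | sh thisfile.sh   (or call pick_machine_principal directly)
sample_keytab_listing | pick_machine_principal ib5 ADS.ORCORP.CA
```

Two checks worth running after this patch lands: confirm that the UPN entry wins even when SPNs appear earlier in the keytab (the constructed case above), and confirm that a keytab without the UPN still falls back to host/<hostname>@<REALM>. If both the computer-account key and SPN keys are present, the new order silently changes which key the client authenticates with, which is exactly the situation the man page's "keytab file that contains only correct keys" advice is meant for.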
Diffstat (limited to 'utils/gssd/gssd.man')
-rw-r--r-- | utils/gssd/gssd.man | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man index 0a23cd6..073379d 100644 --- a/utils/gssd/gssd.man +++ b/utils/gssd/gssd.man @@ -53,6 +53,8 @@ To be more consistent with other implementations, we now look for specific keytab entries. The search order for keytabs to be used for "machine credentials" is now: .br + <HOSTNAME>$@<REALM> +.br root/<hostname>@<REALM> .br nfs/<hostname>@<REALM> @@ -64,6 +66,9 @@ for "machine credentials" is now: nfs/<anyname>@<REALM> .br host/<anyname>@<REALM> +.IP +If this search order does not use the correct key then provide a +keytab file that contains only correct keys. .TP .B -p path Tells |
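Review bot: in the first hunk (@@ -53) the new top entry is written `<HOSTNAME>$@<REALM>` in uppercase while every other entry in the list uses lowercase `<hostname>`, and the man page text never says why; add a sentence stating that this is the Active Directory computer-account UPN, the uppercase short hostname followed by `$`, as the commit message explains, since an admin reading only the man page cannot tell that the case difference is deliberate. Because this entry is now searched first, a keytab that already holds both the computer-account key and SPN keys will change which key rpc.gssd uses after this patch; a one-line note to that effect next to the new entry would save a support call.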
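Review bot: in the second hunk (@@ -64) the added `.IP` sentence says to "provide a keytab file that contains only correct keys" but not how rpc.gssd is pointed at that file; cross-reference the keytab-path option (`-k`, documented elsewhere in this man page) so the advice is actionable, and tighten the wording to "If this search order does not select the correct key, provide a keytab file that contains only the correct keys." Also worth a quick render check: the new `.IP` paragraph sits directly before the `.TP .B -p path` entry, so confirm it is indented as intended and does not read as part of the option list.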