From: Chuck Lever <chuck.lever@oracle.com>
To: Jim Rees <rees@umich.edu>
Cc: Valentijn Sessink <valentyn@blub.net>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: Strange rpc.svcgssd behavior
Date: Tue, 16 Nov 2010 16:42:09 -0500 [thread overview]
Message-ID: <44C0977F-DBD6-4F87-B3A5-B2B66C784312@oracle.com> (raw)
In-Reply-To: <20101116205436.GA4595@merit.edu>
On Nov 16, 2010, at 3:54 PM, Jim Rees wrote:
> Chuck Lever wrote:
>
> Before we go too far down the NM path of no return, I was under the
> impression that some applications require the host's name on the localhost
> entries in /etc/hosts. That's why NM puts it there.
>
> There's nothing invalid about having a hostname on the localhost entries
> in /etc/hosts, is there?
>
> So I wonder if removing NM is really the solution here.
>
> No, it's not. I just like to complain about NM.
>
> The original problem was that rpc.svcgssd couldn't figure out the correct
> kerberos realm. The fix in this particular case, I think, is to set the
> realm explicitly in /etc/idmapd.conf.
It's having trouble determining the NFS server's hostname. It needs to find the right nfs/your.host key in /etc/krb5.keytab.
I don't know if realm self-discovery is an issue too.
> But a more general problem is that if you don't set a realm in
> /etc/idmapd.conf, the fallback is to whatever is returned by gethostname().
> Shouldn't the fallback be to what is in krb5.conf?
> In general, I think it's a mistake to assume that a host's security realm is
> the same as its dns domain, especially given host mobility, the lack of
> security in dns, and the existence of other methods (krb5.conf) to determine
> the security realm.
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
next prev parent reply other threads:[~2010-11-16 21:42 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-15 17:39 Strange rpc.svcgssd behavior Chuck Lever
2010-11-16 15:58 ` Valentijn Sessink
2010-11-16 19:44 ` Valentijn Sessink
2010-11-16 20:17 ` Jim Rees
2010-11-16 20:22 ` Chuck Lever
2010-11-16 20:54 ` Jim Rees
2010-11-16 21:41 ` J. Bruce Fields
2010-11-16 21:42 ` Chuck Lever [this message]
2010-11-17 15:18 ` Steve Dickson
2010-11-17 15:30 ` Chuck Lever
2010-11-17 15:54 ` Kevin Coffman
2010-11-17 16:05 ` Chuck Lever
2010-11-17 16:26 ` Kevin Coffman
2010-11-17 17:51 ` Chuck Lever
2010-11-17 18:52 ` Valentijn Sessink
2010-11-17 16:15 ` Valentijn Sessink
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44C0977F-DBD6-4F87-B3A5-B2B66C784312@oracle.com \
--to=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=rees@umich.edu \
--cc=valentyn@blub.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.