From: Cedric Blancher <cedric.blancher@gmail.com>
To: Simo Sorce <simo@redhat.com>
Cc: Steve Dickson <steved@redhat.com>, Jurjen Bokma <j.bokma@rug.nl>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
kerberos <kerberos@mit.edu>
Subject: Re: How to use NFS with multiple principals in different realms?
Date: Wed, 17 Sep 2014 22:30:29 +0200 [thread overview]
Message-ID: <CALXu0UcQ9YGTLnrjs5+AmVstAWmZ1QcNqOVeYyE-b_ktbfqvjw@mail.gmail.com> (raw)
In-Reply-To: <20140917110528.130aeb7b@willson.usersys.redhat.com>
On 17 September 2014 17:05, Simo Sorce <simo@redhat.com> wrote:
> On Wed, 17 Sep 2014 13:20:19 +0200
> Cedric Blancher <cedric.blancher@gmail.com> wrote:
>
>> What happens if there is no relation between KRB Realm names and
>> FQDN/DNS? Can the NFS client find out which KRB Realm is used by the
>> server?
>
> Depending on the environment you may have 1 or 2 ways.
>
> 1. add domain to realm mapping in the appropriate section in krb5.conf
> on the client.
> 2. allow the KDC to send back a referral (but not all clients will ask
> their own KDC, some can do only 1).
But how can 1. help? Sure I can have my own krb5.conf but AFAIK
rpc.gssd only looks at he system /etc/krb5.conf and not at any custom
user defined location. Basically mount(8) would have to pass the
location of the custom krb5.conf file to rpc.gssd to facilitate the
mount, right?
I *think* we have a bigger problem here: Kerberos5 support in NFS
appears to be designed around the philosophy of one realm per machine
(one-to-rule-them'-all) and not that a single user or machine has
mounts from many different realms, right?
Ced
--
Cedric Blancher <cedric.blancher@gmail.com>
Institute Pasteur
next prev parent reply other threads:[~2014-09-17 20:30 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-04 9:04 How to use NFS with multiple principals in different realms? Cedric Blancher
2014-09-04 9:33 ` Jurjen Bokma
2014-09-04 11:25 ` Cedric Blancher
2014-09-04 12:32 ` Jurjen Bokma
2014-09-04 18:35 ` Simo Sorce
2014-09-10 0:31 ` Cedric Blancher
2014-09-10 2:18 ` Nordgren, Bryce L -FS
2014-09-10 6:47 ` Trond Myklebust
2014-09-10 13:06 ` Simo Sorce
2014-09-17 11:20 ` Cedric Blancher
2014-09-17 15:05 ` Simo Sorce
2014-09-17 20:30 ` Cedric Blancher [this message]
2014-09-17 21:31 ` Simo Sorce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALXu0UcQ9YGTLnrjs5+AmVstAWmZ1QcNqOVeYyE-b_ktbfqvjw@mail.gmail.com \
--to=cedric.blancher@gmail.com \
--cc=j.bokma@rug.nl \
--cc=kerberos@mit.edu \
--cc=linux-nfs@vger.kernel.org \
--cc=simo@redhat.com \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.