Bug#753732: NFS sec=krb5 does not work with cross-realm
On Fri, 04 Jul 2014 16:36:12 +0200 Jaap Winius <jwinius@umrk.nl> wrote:
> Package: nfs-common
> Version: 1.2.6-4
>
> NFS with sec=krb5i or sec=krb5p using MIT Kerberos does not work when
> cross-realm authentication is used -- only when clients have a
> Kerberos ticket for the same realm. This happens consistently and in
> cases when cross-realm authentication does work with other services on
> the same machine, such as SSH.
>
...
> The second set involves a user account with the same name, jwinius,
> but with a Kerberos ticket from a different, albeit trusted realm:
> UMRK.NL. This always results in an authentication failure:
...
> The user experience ends with a "Permission denied" message, although
> the client does receive a Kerberos service ticket despite the failure.
> The rpc.idmapd daemon seems to translate the jwinius@UMRK.NL account
> to "jwinius@dapadam.nl" with user ID 10000. In some situations this
> might be incorrect, but here it's okay because both accounts belong to
> the same person.
>
> When authentication fails, the only evidence that I can see for this
> in the server's log output is in the fifth line shown:
> "nss_gss_princ_to_ids: Local-Realm 'UMRK.NL': NOT FOUND". Apparently,
> the local Kerberos KDC is not interrogated and the trust entry for the
> UMRK.NL realm is never discovered.
You have not included the content of /etc/idmapd.conf.
There are several options for translating principals, and if user names
are the same in both realms a simple line like
Local-Realms: DAPADAM.NL, UMRK.NL
might do it.
Arne Nordmark
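For readers who land on this bug later: the following /etc/idmapd.conf is an added illustration of the suggestion above, not a file from the bug report or from the nfs-common package. The domain, realm names, nobody user/group and the principal-to-user pair are assumptions taken from the report; adjust them to the real environment. It shows the realm-wide mapping in the [General] section next to the narrower per-principal alternative that libnfsidmap's static translation method provides.

```ini
# /etc/idmapd.conf (added example; values assumed from the bug report)
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
# Local NFSv4 domain used for user@domain name strings on the wire.
Domain = dapadam.nl
# Every principal whose realm appears here is mapped to the local
# account of the same name, so jwinius@UMRK.NL -> local user jwinius.
# The realm check that logs "nss_gss_princ_to_ids: Local-Realm '...':
# NOT FOUND" is the one this list feeds; a realm missing from it fails
# even when the KDC trust itself works (SSH, kinit, etc.).
Local-Realms = DAPADAM.NL,UMRK.NL

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
# Methods are tried in order; "static" lets you map individual
# principals explicitly and falls through to nsswitch for the rest.
Method = static,nsswitch

[Static]
# Per-principal alternative to adding UMRK.NL to Local-Realms:
# only this one foreign principal is mapped, every other
# user@UMRK.NL stays unmapped (and lands on Nobody-User).
jwinius@UMRK.NL = jwinius
```

The two mechanisms differ in scope, which matters for the concern raised in the report that same-name accounts in two realms may not be the same person: Local-Realms trusts every account name in UMRK.NL to mean the same local user, whereas a [Static] entry only maps the principals you list, so on a server where the two realms' user namespaces are not kept in sync the static mapping is the safer choice. In either case rpc.idmapd on the server has to be restarted after the file is edited so the new configuration is read.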