I'm sorry, I'm very far from an expert in GSS/krb5. In particular, I've
never used NFS and gssd together, so I have no personal experience.
Maybe someone else on the list can help?
For questions like this, our default has been "what does knfsd do?" Do
you happen to know if knfsd accepts "shorthostname(a)REALM.COM" as a root
user?
Daniel
On 1/18/20 11:50 PM, Pushpesh Sharma wrote:
Hi All,
Any pointers are appreciated..
-pushpesh
*From:* Pushpesh Sharma <pushpeshs(a)vmware.com>
*Sent:* Thursday, January 16, 2020 7:45 PM
*To:* devel(a)lists.nfs-ganesha.org
*Subject:* [NFS-Ganesha-Devel] Default KRB Principal name with new
rpc.gssd
Hi All,
We are trying to use ganesha with KRB. On an NFS client (centos7.5) we are
joining Active Directory using sssd (AD based KRB Realm). For the
root user we are getting a krb ticket using kinit and a valid AD user.
While joining the domain using sssd, a default client principal of
shorthostname$@REALM.COM is always generated. rpc.gssd by default sends
this principal as the principal user name to the ganesha server. The client
does have other principals like nfs/client_fqdn@REALM.COM. But as per the
rpc.gssd documentation as well, the first choice would be
shorthostname$@REALM.COM.
Due to this the server always recognizes the root user as someone else, i.e.
shorthostname$@REALM.COM.
We do see in src/idmapper/idmapper.c handling for mapping three principal
patterns nfs/*, root/*, host/* to uid=0, gid=0. So this leaves the
shorthostname$@REALM.COM principal not being recognized as root.
We are of the opinion that doing a small fix in the above idmapper code to
add this pattern as well can fix this issue.
But we wanted to know of any security concern around it? Or if the client
behavior can be changed in any way, so we don't need this fix?
If we try removing this shorthostname$@REALM.COM principal after the domain
join, sssd cannot be reloaded and complains about not finding this principal.
Thanks
-pushpesh
_______________________________________________
Devel mailing list -- devel(a)lists.nfs-ganesha.org
To unsubscribe send an email to devel-leave(a)lists.nfs-ganesha.org
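The mapping rule discussed in the thread, as an added illustration that is not NFS-Ganesha's own idmapper.c code: a small classifier that maps the three service-principal patterns (nfs/*, root/*, host/*) to uid 0 and, behind a hypothetical `trust_machine_accounts` switch, also maps AD machine-account principals of the form `NAME$@REALM`. The sample principals are constructed. The switch makes the risk the poster asks about concrete: every domain-joined host owns such a principal, so enabling the extra pattern treats every joined machine (not only the intended NFS client) as root on the server.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative principal-to-uid mapping; not ganesha's idmapper.c.
 * Returns 0 when the principal maps to root (uid 0), -1 when unmapped. */

/* True if the part before the first '/' equals svc, e.g. "nfs/host@REALM". */
static bool has_service(const char *princ, const char *svc)
{
    size_t n = strlen(svc);
    return strncmp(princ, svc, n) == 0 && princ[n] == '/';
}

/* True for an AD machine account: "NAME$@REALM" with no '/' before the '@'. */
static bool is_machine_account(const char *princ)
{
    const char *at = strchr(princ, '@');
    if (at == NULL || at == princ)
        return false;
    if (memchr(princ, '/', (size_t)(at - princ)) != NULL)
        return false;                       /* service principal, not a machine account */
    return at[-1] == '$';
}

/* trust_machine_accounts is a hypothetical switch for the proposed extra pattern. */
int principal_to_uid(const char *princ, bool trust_machine_accounts)
{
    /* The three patterns the thread reports idmapper.c already maps to uid=0,gid=0. */
    if (has_service(princ, "nfs") || has_service(princ, "root") || has_service(princ, "host"))
        return 0;
    /* Proposed addition: any joined host's machine account would also become root. */
    if (trust_machine_accounts && is_machine_account(princ))
        return 0;
    return -1;
}

int main(void)
{
    /* Constructed sample principals. */
    const char *samples[] = {
        "nfs/client.example.com@REALM.COM",
        "shorthostname$@REALM.COM",
        "OTHERHOST$@REALM.COM",
        "alice@REALM.COM",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s default=%2d with-machine-accounts=%2d\n", samples[i],
               principal_to_uid(samples[i], false),
               principal_to_uid(samples[i], true));
    return 0;
}
```

Running it shows that with the switch on, OTHERHOST$@REALM.COM maps to root exactly like the intended client's principal, which is why a server-side pattern cannot tell one joined machine from another; restricting the mapping to specific principals, or having the client present its nfs/ principal, keeps that distinction.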