Hello everyone, I've got a tricky problem that's been gnawing at me for the past few days or so. First, a little background:
We're running an Active Directory setup with the usual Windows domain controllers (they're Windows 2000, if it matters), but users' home directories are stored on a Linux box running Samba. Our other Linux servers will need to get at these homes for various reasons. Our setup is fine with NFSv3, but we were looking to gain security and move up to NFSv4 with Kerberos authentication.

NFSv4 won't allow people to access their home directories without a valid Kerberos ticket for their principal. If this could be turned off somehow, that'd be one way to fix this issue (all_squashing to root doesn't sound particularly appealing); otherwise, I need users to be able to get their Kerberos ticket on login. That works fine as long as ldap is not listed in nsswitch.conf. The problem is we need to use ldap to fetch user info.

So, here's a quick example in case I wasn't clear enough: I ssh to our server using my domain credentials, kdorf and password.

If I have a local user account on that machine and ldap is *not* listed in nsswitch.conf, I can log in using my domain password and a valid Kerberos ticket is fetched for me -- I get access to my home.

If I don't have a local account on that machine and ldap *is* listed in nsswitch.conf, I can log in using my domain password, but `klist` shows that I do *not* have a valid Kerberos ticket. Home directory access is denied.

I need to have valid Kerberos tickets fetched for ldap users. Alternatively, I would like NFSv4 to not sweat people about Kerberos tickets to access their homes. Is this possible?

Thanks in advance for your help.

John
