Hi everybody,

We use pkinit and smartcard authentication at our company, and we have configured it as follows:

= /etc/krb5.conf
[libdefaults]
default_realm = FOO.AD
clockskew = 300
forwardable = true
allow_weak_crypto = true
# Pkinit options
pkinit_identities = PKCS11:/usr/lib/libiidp11.so
pkinit_anchors = FILE:/etc/openldap/cacerts/ROOTCA.cer
pkinit_anchors = FILE:/etc/openldap/cacerts/ISSUING.cer
pkinit_kdc_hostname = server.ad.foo
pkinit_eku_checking = kpServerAuth
pkinit_cert_match = matchingrule
=

The above config works as expected. However, if we try to mount nfs with kerberos, with, for example, the following command,

mount -t nfs4 -o sec=krb5 fs:/vol/ /nfstest/

rpc.gssd segfaults, and if you look in its log you will see:

--
No key table entry found for [email protected] E while getting keytab entry for 'XYZ.FOO.AD [email protected]'
No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Success getting keytab entry for 'nfs/[email protected]'
Segmentation fault
--

If we remove the pkinit options, the mount works as expected and you will see something like this in the log for rpc.gssd:

--
No key table entry found for [email protected] E while getting keytab entry for 'XYZ.FOO.AD [email protected]'
No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Success getting keytab entry for 'nfs/[email protected]'
Successfully obtained machine credentials for principal 'nfs/[email protected]' stored in ccache 'FILE:/tmp/krb5cc_machine_FOO.AD'
--

So, basically my question is: how do I set up krb5.conf to get nfs to not use pkinit, whilst when, for example, doing a regular "kinit", pkinit should be used?

Am I missing something? Any hints are more than welcome. We are using RHEL 6.1, btw.

Best regards,
Patrik Martinsson, Sweden.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
