On 10/14/2011 3:56 AM, Martinsson Patrik wrote:
> Hi everybody,
>
> We use pkinit and smartcard authentication at our company, we have configured
> it as follows,
>
> =
> /etc/krb5.conf
>
> [libdefaults]
> default_realm = FOO.AD
> clockskew = 300
> forwardable = true
> allow_weak_crypto = true
>
> # Pkinit options
> pkinit_identities = PKCS11:/usr/lib/libiidp11.so
> pkinit_anchors = FILE:/etc/openldap/cacerts/ROOTCA.cer
> pkinit_anchors = FILE:/etc/openldap/cacerts/ISSUING.cer
> pkinit_kdc_hostname = server.ad.foo
> pkinit_eku_checking = kpServerAuth
> pkinit_cert_match = matchingrule
> =
>
> The above config works as expected.
>
> However, if we try to mount nfs with kerberos, with for example the following
> command,
> mount -t nfs4 -o sec=krb5 fs:/vol/ /nfstest/
> the rpc.gssd segfaults, and if you look in the log for it you will see,
>
> --
> No key table entry found for [email protected] E while getting
> keytab entry for 'XYZ.FOO.AD [email protected]'
> No key table entry found for root/[email protected] while getting keytab
> entry for 'root/[email protected]'
> Success getting keytab entry for 'nfs/[email protected]'
> Segmentation fault
> --
>
>
> If we remove the pkinit-options, the mount works like expected and you will
> see something like this in the log for rpc.gssd,
>
> --
> No key table entry found for [email protected] E while getting
> keytab entry for 'XYZ.FOO.AD [email protected]'
> No key table entry found for root/[email protected] while getting keytab
> entry for 'root/[email protected]'
> Success getting keytab entry for 'nfs/[email protected]'
> Successfully obtained machine credentials for principal
> 'nfs/[email protected]' stored in ccache 'FILE:/tmp/krb5cc_machine_FOO.AD'

You may want to try and move the pkinit_identities to an appdefault section in the krb5.conf, for pam or kinit or other application that can use pkinit.

> --
>
>
> So, basically my question is,
>
> How do I set up krb5.conf to get nfs not to use pkinit, whilst when for example
> doing a regular "kinit" pkinit should be used.
>
> Am I missing something ?
>
> Any hints are more than welcome.
> We are using RHEL 6.1 btw.
>
> Best regards,
> Patrik Martinsson, Sweden.
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
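The layout Doug suggests, written out as an added example that is not part of the thread: the pkinit_* settings leave [libdefaults], so rpc.gssd (which only needs its keytab) never loads the PKCS#11 module, and live under [appdefaults] for the interactive clients. The subsection names (kinit, pam) and the assumption that those clients honour pkinit settings from [appdefaults] at all are mine; on RHEL 6 that depends on the krb5 and pam_krb5 versions, so check both a card-based kinit and the sec=krb5 mount before relying on it.

```ini
# /etc/krb5.conf (added example; realm, paths and values copied from the thread)
[libdefaults]
    default_realm = FOO.AD
    clockskew = 300
    forwardable = true
    allow_weak_crypto = true
    # Deliberately no pkinit_* options here: anything that initialises
    # libkrb5 with the keytab only, such as rpc.gssd, stays away from the
    # smartcard module entirely.

[appdefaults]
    # Per-application settings; only the named client reads its subsection.
    # ASSUMPTION: this client honours pkinit settings placed here.
    kinit = {
        pkinit_identities = PKCS11:/usr/lib/libiidp11.so
        pkinit_anchors = FILE:/etc/openldap/cacerts/ROOTCA.cer
        pkinit_anchors = FILE:/etc/openldap/cacerts/ISSUING.cer
        pkinit_kdc_hostname = server.ad.foo
        pkinit_eku_checking = kpServerAuth
        pkinit_cert_match = matchingrule
    }
    # ASSUMPTION: pam_krb5 reads its settings from a subsection named "pam".
    pam = {
        pkinit_identities = PKCS11:/usr/lib/libiidp11.so
        pkinit_anchors = FILE:/etc/openldap/cacerts/ROOTCA.cer
        pkinit_anchors = FILE:/etc/openldap/cacerts/ISSUING.cer
        pkinit_kdc_hostname = server.ad.foo
        pkinit_eku_checking = kpServerAuth
        pkinit_cert_match = matchingrule
    }
```

The check is the pair of behaviours the thread describes: kinit still prompts for the card and obtains a ticket, and the mount's rpc.gssd log ends with "Successfully obtained machine credentials" rather than "Segmentation fault".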
