Hi Douglas,

Thanks a bunch for the suggestion. I thought I tried it before, but with no success. However, I thought I would give it one more try, so I added

preauth_options = X509_user_identity=PKCS11:/usr/lib/libiidp11.so

to our appdefaults pam section and it worked like a charm. I tried to do the same with a kinit-specific section, but that didn't work. I'm not sure how kinit reads the options; if I manually add "-X X509_user_identity=PKCS11:/usr/lib/libiidp11.so" to the command line, it works as expected. I wonder though if it's possible to make kinit work with options from the appdefaults kinit section, and if it is, how they should look in the config file. Does anyone know this, or where I can find documentation about how kinit reads options? Getting pam working is kind of enough though; if the user specifically needs to run kinit, he/she can add the option manually.

/Patrik

-----Original message-----
From: [email protected] [mailto:[email protected]] On behalf of Douglas E. Engert
Sent: 14 October 2011 17:26
To: [email protected]
Subject: Re: pkinit and nfs

On 10/14/2011 3:56 AM, Martinsson Patrik wrote:
> Hi everybody,
>
> We use pkinit and smartcard authentication at our company, we have
> configured it as follows,
>
> =
> /etc/krb5.conf
>
> [libdefaults]
> default_realm = FOO.AD
> clockskew = 300
> forwardable = true
> allow_weak_crypto = true
>
> # Pkinit options
> pkinit_identities = PKCS11:/usr/lib/libiidp11.so
> pkinit_anchors = FILE:/etc/openldap/cacerts/ROOTCA.cer
> pkinit_anchors = FILE:/etc/openldap/cacerts/ISSUING.cer
> pkinit_kdc_hostname = server.ad.foo
> pkinit_eku_checking = kpServerAuth
> pkinit_cert_match = matchingrule
> =
>
> The above config works as expected.
>
> However, if we try to mount nfs with kerberos, with for example the
> following command, mount -t nfs4 -o sec=krb5 fs:/vol/ /nfstest/ the
> rpc.gssd segfaults, and if you look in the log for it you will see,
>
> --
> No key table entry found for [email protected]<mailto:[email protected]> E while getting
> keytab entry for 'XYZ.FOO.AD [email protected]'
> No key table entry found for root/[email protected] while getting keytab
> entry for 'root/[email protected]'
> Success getting keytab entry for 'nfs/[email protected]'
> Segmentation fault
> --
>
> If we remove the pkinit options, the mount works as expected and you
> will see something like this in the log for rpc.gssd,
>
> --
> No key table entry found for [email protected]<mailto:[email protected]> E while getting
> keytab entry for 'XYZ.FOO.AD [email protected]'
> No key table entry found for root/[email protected] while getting keytab
> entry for 'root/[email protected]'
> Success getting keytab entry for 'nfs/[email protected]'
> Successfully obtained machine credentials for principal
> 'nfs/[email protected]' stored in ccache 'FILE:/tmp/krb5cc_machine_FOO.AD'

You may want to try and move the pkinit_identities to an appdefault section in the krb5.conf, for pam or kinit or other application that can use pkinit.

> --
>
> So, basically my question is,
>
> How do I set up krb5.conf to get nfs not to use pkinit, whilst when for example
> doing a regular "kinit" pkinit should be used.
>
> Am I missing something?
>
> Any hints are more than welcome.
> We are using RHEL 6.1 btw.
>
> Best regards,
> Patrik Martinsson, Sweden.
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
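For reference, the krb5.conf layout this thread converges on, written out in full. This is an added example, not a file posted by Patrik or Douglas: the realm, hostnames, certificate paths and PKCS#11 module name are the ones quoted above, and the `pam = { ... }` subsection under [appdefaults] is the place pam_krb5 on RHEL 6 reads `preauth_options` from, which is where Patrik reports it worked. Keeping the anchor and KDC-matching settings global is an assumption on my part (they matter only once a client actually attempts PKINIT); the thread does not isolate them. The kinit side is left as the thread leaves it: users pass the identity with `-X` on the command line.

```ini
# /etc/krb5.conf -- added example assembled from the settings in this thread,
# not a configuration file posted by either author.
#
# Goal (from the thread): rpc.gssd, which authenticates with the host's
# nfs/ keytab entry and has no smartcard, must not pick up the PKCS#11
# identity, while interactive smartcard logins via pam_krb5 still use PKINIT.

[libdefaults]
    default_realm = FOO.AD
    clockskew = 300
    forwardable = true
    allow_weak_crypto = true

    # ASSUMPTION: anchors and KDC matching are kept global on the basis that
    # they only take effect once PKINIT is attempted. The thread removed all
    # pkinit_* options together, so if rpc.gssd still misbehaves with these
    # present, move them into the pam = { } block below as well.
    pkinit_anchors = FILE:/etc/openldap/cacerts/ROOTCA.cer
    pkinit_anchors = FILE:/etc/openldap/cacerts/ISSUING.cer
    pkinit_kdc_hostname = server.ad.foo
    pkinit_eku_checking = kpServerAuth
    pkinit_cert_match = matchingrule

    # pkinit_identities is deliberately NOT set here. When it was global,
    # rpc.gssd also picked up the PKCS#11 identity and segfaulted right after
    # "Success getting keytab entry for 'nfs/...'", as the log above shows.

[appdefaults]
    # Read by pam_krb5: scopes the smartcard identity to PAM logins only.
    # This is the setting Patrik reports as working.
    pam = {
        preauth_options = X509_user_identity=PKCS11:/usr/lib/libiidp11.so
    }

# kinit: not resolved in the thread. The workaround quoted above is to pass
# the identity explicitly:
#   kinit -X X509_user_identity=PKCS11:/usr/lib/libiidp11.so
# The NFS mount from the thread then runs without any PKINIT involvement:
#   mount -t nfs4 -o sec=krb5 fs:/vol/ /nfstest/
```

After changing the file, the check is the one already in the thread: the rpc.gssd log should end with "Successfully obtained machine credentials for principal 'nfs/...'" rather than "Segmentation fault", and a PAM smartcard login should still obtain a ticket through PKINIT.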
