On 10/14/2011 11:54 AM, Martinsson Patrik wrote:
> Hi Douglas,
>
> Thanks a bunch for the suggestion. I thought I tried it before, but with no
> success. However, I thought I would give it one more try, so I added
>
> preauth_options = X509_user_identity=PKCS11:/usr/lib/libiidp11.so
>
> to our appdefaults pam section and it worked like a charm.
>
> I tried to do the same with a kinit-specific section, but that didn't work.
> I'm not sure how kinit reads the options; if I manually add "-X
> X509_user_identity=PKCS11:/usr/lib/libiidp11.so" to the command line, it works
> as expected. I wonder though if it's possible to make kinit work with options
> from the appdefaults kinit section, and if it is, how they should look in the
> config file. Does anyone know this, or where I can find documentation about how
> kinit reads options?

Looks like kinit.c does not use krb5_appdefault() to get additional options. This is a good case for why it should.

> To get pam working is kind of enough though; if the user specifically needs to
> run kinit, he/she can add the option manually.
>
> /Patrik
>
> -----Original message-----
> From: [email protected] [mailto:[email protected]] On behalf of Douglas
> E. Engert
> Sent: 14 October 2011 17:26
> To: [email protected]
> Subject: Re: pkinit and nfs
>
> On 10/14/2011 3:56 AM, Martinsson Patrik wrote:
>> Hi everybody,
>>
>> We use pkinit and smartcard authentication at our company. We have
>> configured it as follows,
>>
>> =
>> /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = FOO.AD
>> clockskew = 300
>> forwardable = true
>> allow_weak_crypto = true
>>
>> # Pkinit options
>> pkinit_identities = PKCS11:/usr/lib/libiidp11.so
>> pkinit_anchors = FILE:/etc/openldap/cacerts/ROOTCA.cer
>> pkinit_anchors = FILE:/etc/openldap/cacerts/ISSUING.cer
>> pkinit_kdc_hostname = server.ad.foo
>> pkinit_eku_checking = kpServerAuth
>> pkinit_cert_match = matchingrule
>> =
>>
>> The above config works as expected.
>>
>> However, if we try to mount nfs with kerberos, with for example the
>> following command, mount -t nfs4 -o sec=krb5 fs:/vol/ /nfstest/ the
>> rpc.gssd segfaults, and if you look in the log for it you will see,
>>
>> --
>> No key table entry found for [email protected] E while
>> getting keytab entry for 'XYZ.FOO.AD [email protected]'
>> No key table entry found for root/[email protected] while getting keytab
>> entry for 'root/[email protected]'
>> Success getting keytab entry for 'nfs/[email protected]'
>> Segmentation fault
>> --
>>
>> If we remove the pkinit options, the mount works as expected and you
>> will see something like this in the log for rpc.gssd,
>>
>> --
>> No key table entry found for [email protected] E while
>> getting keytab entry for 'XYZ.FOO.AD [email protected]'
>> No key table entry found for root/[email protected] while getting keytab
>> entry for 'root/[email protected]'
>> Success getting keytab entry for 'nfs/[email protected]'
>> Successfully obtained machine credentials for principal
>> 'nfs/[email protected]' stored in ccache 'FILE:/tmp/krb5cc_machine_FOO.AD'
>
> You may want to try and move the pkinit_identities to an appdefault section
> in the krb5.conf, for pam or kinit or other application that can use pkinit.
>
>> --
>>
>> So, basically my question is,
>>
>> How do I set up krb5.conf so that nfs does not use pkinit, whilst when for example
>> doing a regular "kinit" pkinit should be used?
>>
>> Am I missing something?
>>
>> Any hints are more than welcome.
>> We are using RHEL 6.1 btw.
>>
>> Best regards,
>> Patrik Martinsson, Sweden.
>>
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> --
> Douglas E. Engert <[email protected]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
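As an added example (not a file from this thread), here is a krb5.conf layout that applies Douglas's suggestion and the setting Patrik confirmed working: pkinit_identities is taken out of [libdefaults], so rpc.gssd no longer sees a PKINIT identity when it fetches the nfs/ machine credentials, and the PKCS#11 identity is handed only to pam_krb5 through preauth_options in [appdefaults]. Leaving the remaining pkinit_* settings in [libdefaults] is an assumption, not something the thread states.

```ini
# /etc/krb5.conf, reworked so that only pam-based logins attempt PKINIT.
# Added example built from the thread's values; assumptions are marked.

[libdefaults]
    default_realm = FOO.AD
    clockskew = 300
    forwardable = true
    allow_weak_crypto = true

    # Assumption: anchors and KDC checks stay here, since libkrb5 still
    # needs them whenever PKINIT is actually attempted (from pam).
    pkinit_anchors = FILE:/etc/openldap/cacerts/ROOTCA.cer
    pkinit_anchors = FILE:/etc/openldap/cacerts/ISSUING.cer
    pkinit_kdc_hostname = server.ad.foo
    pkinit_eku_checking = kpServerAuth
    pkinit_cert_match = matchingrule

    # pkinit_identities is deliberately absent: with it set here, the
    # thread reports rpc.gssd crashing during "mount -t nfs4 -o sec=krb5".

[appdefaults]
    pam = {
        # Read by pam_krb5 only; rpc.gssd and other keytab-based clients
        # never see this identity.
        preauth_options = X509_user_identity=PKCS11:/usr/lib/libiidp11.so
    }
```

As noted in the thread, kinit does not read [appdefaults], so an interactive smartcard ticket still needs `kinit -X X509_user_identity=PKCS11:/usr/lib/libiidp11.so` on the command line.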
