[Freeipa-users] kerberized nfsv4 client

2013-08-28 Thread natxo asenjo

hi,

probably a stupid question but why do we need to have a host spn in the 
kerberos domain for the nfsv4 client to work?


I do not need a host spn principal to access a cifs share on a Windows 
AD environment, I can just kinit user@AD.domain from my laptop that is 
not joined to the AD domain and once I got the ticket I can use 
smbclient -k or with the nautilus file manager I can browse to the 
shares and get the cifs tickets when accessing the shares.


With kerberized nfsv4 the host needs to be joined to the ipa domain or 
it will not work, and that is a shame, but there surely is a perfectly 
valid reason for this that I have not found yet.


Thanks for your insights on this matter.

--
groet,
natxo

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] kerberized nfsv4 client

2013-08-28 Thread Ondrej Valousek
Because with NFS (v3 or v4) it is a bit more complicated.
With smbclient, you are actually not mounting the filesystem, so 
smbclient is happy with just your TGT.

With NFS, you typically need two tickets:
1. one host (or nfs) so that root can mount the filesystem using Kerberos 
security
2. second user TGT so that you can actually read the (already) mounted 
filesystem

But you can run gssd with the -n argument which tells it not to look for SPNs 
(actually this is not SPN, we are talking about UPN in this case), but take a 
TGT from an already pre-created kerberos database in /tmp.

So yes, with a bit of effort you can use kerberized NFS even from a client not 
joined to the IPA domain.

Ondrej

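The procedure Ondrej describes (root holds its own TGT in /tmp and rpc.gssd runs with -n so it never looks for a host keytab entry), as an added shell example that is not part of the thread. The credential-cache naming (krb5cc_<uid> under /tmp, rpc.gssd's default scan directory), the pgrep-based check and the server, export and mount-point values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks and mount for a
# Kerberos-secured NFSv4 export from a client that is NOT enrolled in IPA.
# Assumes rpc.gssd runs with -n, so UID 0 uses a user credential cache in
# /tmp instead of a host/nfs keytab entry; server/export/mount point are
# placeholders.
set -eu

CCACHE_DIR="${CCACHE_DIR:-/tmp}"   # directory rpc.gssd scans (its default)

# Credential cache rpc.gssd would pick for a UID: krb5cc_<uid> or
# krb5cc_<uid>_<suffix> under the ccache directory (assumed naming).
ccache_for_uid() {
    dir="$1"; uid="$2"
    for f in "$dir/krb5cc_$uid" "$dir/krb5cc_${uid}_"*; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# rpc.gssd only uses root's user cache when started with -n; inspect its
# command line (e.g. the output of "pgrep -a rpc.gssd") for that flag.
gssd_uses_user_creds() {
    case " $1 " in
        *" -n "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Mount command for a krb5-secured NFSv4 export (sec=krb5, krb5i or krb5p).
nfs_krb5_mount_cmd() {
    printf 'mount -t nfs4 -o sec=%s %s:%s %s\n' "${4:-krb5}" "$1" "$2" "$3"
}

# The steps from the reply: root's TGT in /tmp (kinit as root writes
# /tmp/krb5cc_0), gssd in -n mode, then the mount.
krb5_nfs_mount() {
    if ! ccache_for_uid "$CCACHE_DIR" 0 >/dev/null; then
        echo "no TGT for root in $CCACHE_DIR; run kinit as root first" >&2
        return 1
    fi
    if ! gssd_uses_user_creds "$(pgrep -a rpc.gssd || true)"; then
        echo "rpc.gssd not started with -n; root would fall back to a keytab" >&2
        return 1
    fi
    cmd=$(nfs_krb5_mount_cmd "$1" "$2" "$3")
    echo "+ $cmd" >&2
    $cmd
}
```

Typical use on the client: `kinit user@REALM` as root, then `krb5_nfs_mount nfs.example.test /export /mnt/export`; the second user TGT from the reply is obtained by the unprivileged user who actually reads the mount.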


Re: [Freeipa-users] kerberized nfsv4 client

2013-08-28 Thread natxo asenjo

On 08/28/2013 12:00 PM, Ondrej Valousek wrote:

Because with NFS (v3 or v4) it is a bit more complicated.
With smbclient, you are actually not mounting the filesystem, so 
smbclient is happy with just your TGT.

With NFS, you typically need two tickets:
1. one host (or nfs) so that root can mount the filesystem using Kerberos 
security


even though one mounts it from autofs? When using autofs from
/net/host/share I can do that as non-root.


2. second user TGT so that you can actually read the (already) mounted 
filesystem

But you can run gssd with the -n argument which tells it not to look for SPNs 
(actually this is not SPN, we are talking about UPN in this case), but take a 
TGT from an already pre-created kerberos database in /tmp.

So yes, with a bit of effort you can use kerberized NFS even from a client not 
joined to the IPA domain.


ok, nice to know.

--
groet,
natxo

