Here is the horse's mouth, disguised as the sssd mailing list. Thanks Timo.
[SSSD] sssd and kerberos.
Timo Aaltonen tjaalton at cc.hut.fi
Thu Aug 5 15:25:48 UTC 2010
On Thu, 5 Aug 2010, Patrik Martinsson wrote:
> Hey,
>
> I got this working today with these settings,
>
> ldap_uri = ldap://foo.bar
> ldap_sasl_mech = gssapi
> ldap_krb5_keytab = /etc/krb5.keytab
> ldap_sasl_authid = nfs/xx.xxxx.xx
....
<snip>
Looks like you need kerberized NFS? See this patch that I made for
nfs-utils:
http://users.tkk.fi/~tjaalton/0001-Check-for-AD-style-machine-principal-name.patch
still not accepted upstream, but I'm hoping for the best. With this you
don't need to add "nfs/*" UPNs, gssd will initialize and use HOSTNAME$
just fine.
Maybe a similar approach could be used with sssd, so there would be no
need to specify the authid (which is different for every hostname)?
PS. still fighting with the installation.. so can't test the above and
post logs just yet. Tomorrow, I promise :)
--
Timo Aaltonen
Systems Specialist, Aalto IT
Confirmation from rpc.gssd(8)
rpc.gssd used only "nfs/*" keys found within the keytab. To be more consistent with other implementations, we now look for specific keytab entries. The search order for keytabs to be used for "machine credentials" is now:
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
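To see how that search order plays out against a real keytab listing, here is an added example (not code from the thread, sssd, or nfs-utils) that parses constructed `klist -k` output, applies the rpc.gssd(8) order above, and renders the `ldap_sasl_authid` line Patrik had to hand-write. The hostname, realm and keytab entries are made up; the `CLIENT$` entry is included only to show that the unpatched order never picks the AD-style machine account Timo's patch adds support for.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from a real host).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 CLIENT$@EXAMPLE.COM
   3 host/client.example.com@EXAMPLE.COM
   3 host/other.example.com@EXAMPLE.COM
   3 nfs/storage.example.com@EXAMPLE.COM
"""

def parse_klist(output):
    """Return the principal names listed by `klist -k`, in file order, without duplicates."""
    principals = []
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if m and m.group(1) not in principals:
            principals.append(m.group(1))
    return principals

def select_machine_principal(principals, hostname, realm):
    """Apply the rpc.gssd(8) search order for machine credentials to a keytab listing.

    Exact <hostname> entries are tried first; the <anyname> forms accept any instance.
    An AD-style HOSTNAME$ entry is never matched, which is what Timo's patch changes.
    """
    realm_suffix = "@" + realm
    order = [
        lambda p: p == "nfs/%s@%s" % (hostname, realm),
        lambda p: p == "host/%s@%s" % (hostname, realm),
        lambda p: p.startswith("root/") and p.endswith(realm_suffix),
        lambda p: p.startswith("nfs/") and p.endswith(realm_suffix),
        lambda p: p.startswith("host/") and p.endswith(realm_suffix),
    ]
    for matches in order:
        for p in principals:
            if matches(p):
                return p
    return None

def sssd_authid_line(principals, hostname, realm):
    """Render the sssd.conf setting from the thread, or None if no usable key exists."""
    chosen = select_machine_principal(principals, hostname, realm)
    return None if chosen is None else "ldap_sasl_authid = " + chosen
```

Run it against the output of `klist -k` on the host in question to see which entry a gssd-style search would settle on before committing a value to sssd.conf.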