Kerberos, ADS and NFSv4
Edward Murrell
edward at dlconsulting.com
Mon Aug 28 23:10:18 BST 2006
Timo Aaltonen wrote:
> On Mon, 28 Aug 2006, Edward Murrell wrote:
>
>
> It's working fine here. The server is a Data ONTAP 7.1 (NetApp), though.
> Sudo is making life a bit difficult though, since the credentials are not
> delegated to the sudoed root (ie. you can't access your $HOME..).
>
That's odd. I can definitely use my credentials in sudo. Is this with
Heimdal or MIT Kerberos?

The fact that it's working for other people implies that I've either
done something silly (probably to do with the idmap daemon), or that the
Ubuntu serverside stuff is busted somewhere.

I've also had a weird problem where using Kerberos-authenticated logins
on PAM put the tickets in:

/tmp/krb5cc_$UID_$RANDCHARS

Whereas the nfs4 kernel module goes looking in

/tmp/krb5cc_$UID

This creates a small problem if you're mounting your /home over NFSv4!
How did you get around this problem?

> Samba4 has been able to do this for a while now (it uses Heimdal
> internally). It's still in alpha, though.. If only the MIT-people used the
> same reverse-engineered code, then we might have an M$-compliant free/open
> KDC sooner.
>
>
I plan to test Samba4 as soon as it makes it out of alpha and/or is made
into stable Ubuntu packages. If I understand how this is done correctly,
it shouldn't matter what the KDC is running for the purposes of
authentication; this means that I should be able to plug Samba4 directly
into my MIT KDC and expect it to work properly. In theory.

Edward
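
The credential-cache name mismatch described in the message above, as an added diagnostic that is not part of the original post: it reports whether a UID has only suffixed caches (krb5cc_<uid>_<random>) and no fixed-name cache (krb5cc_<uid>). The function name check_ccache and its return codes are hypothetical; the two file-name patterns are taken from the message.

```shell
#!/bin/sh
# Added example: classify Kerberos credential caches for one UID by file name.
# Assumption (from the message): PAM logins write krb5cc_<uid>_<random>, while
# the NFSv4 client side looks only for krb5cc_<uid>.

# check_ccache DIR UID   (hypothetical helper)
# Prints one line per cache found, then a verdict line.
# Returns 0 if the fixed-name cache exists,
#         1 if only suffixed caches exist (the mismatch from the message),
#         2 if there is no cache for that UID at all.
check_ccache() {
    dir=$1
    uid=$2
    fixed="$dir/krb5cc_$uid"
    suffixed=0

    # The trailing underscore keeps uid 1000 from matching krb5cc_10001_*.
    for f in "$dir/krb5cc_${uid}_"*; do
        [ -f "$f" ] || continue      # an unmatched glob stays literal; skip it
        suffixed=$((suffixed + 1))
        echo "suffixed: $f"
    done

    if [ -f "$fixed" ]; then
        echo "fixed: $fixed"
        echo "verdict: fixed-name cache present"
        return 0
    fi
    if [ "$suffixed" -gt 0 ]; then
        echo "verdict: only suffixed caches ($suffixed); a fixed-name lookup misses them"
        return 1
    fi
    echo "verdict: no cache for uid $uid"
    return 2
}

# Typical call on a client:  check_ccache /tmp "$(id -u)"
```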