On Wed, 08 Mar 2017, Scott Mayhew wrote:
Hi Neil,
On Wed, 08 Mar 2017, NeilBrown wrote:
Hi, I recently tried using gssproxy for krb5 authentication with nfsd. This was because customer is using an AD kerberos master which uses certificates which are too big for svcgssd to work with (i.e. larger than one page).
Unfortunately it doesn't work.
The svcgssd code in nfs-utils calls gss_display_name() to get the name of the principal. This returns something like "user@domain".
getpwnam() works perfectly on this (when nsswitch is set to use "winbind") but svcgssd goes further and uses nfs4_gss_princ_to_ids() to perform the lookup. Presumably this is more general?
gssproxy does neither of these. It uses gss_localname() to get the user name, which returns something like "user".
Are using SSSD by any chance? I had a similar issue in RHEL maybe a year ago. If you're using SSSD there's a localauth plugin that needs to be enabled that will cause krb5_aname_to_localname() (which is called by gss_localname()) to return a fully-qualified username instead of the short username.
Err, never mind... I see up above that you said you were using Winbind...
-Scott
It then calls getpwnam() on that, which fails ("user@domain" or "domain\user" both succeed).
I have modified my copy to use gss_display_name() instead of gss_localname() and it now appears to work perfectly ... for this use-case at least.
What is the right way forward here? Is nfs4_gss_princ_to_ids() really necessary? Should gssproxy use it, at least for requests from the NFS server? Is there are good reason not to use gss_display_name() uniformly? Maybe use gss_local_name(), and it that fails, or getpwnam fails, use gss_display_name()??
Thanks, NeilBrown