Hello,
I'm using WebAuth to authenticate my user and provide them a mean to
join their NFSv4 files through a web page.
I'd like to have the kerberos credentials used by the web server, but I
didn't managed to impersonate the kerberos user with nfsv4 in a webauth
protected page.
When I try to list the an nfs directory from the webpage I've got this
error from rpc.gssd:
CC file '/tmp/krb5cc_500' is expired or corrupt
My distribution is Fedora 12 and i'm using nfs-utils 1.2.1.
WebAuth is configured to ask the client a forwardable ticket for
nfs/<mynfsserver>@<myrealm>. In my application's code I can see the
ticket and even do a klist with it. The output looks like this:
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: marc@<myrealm>
Valid starting Expires Service principal
10/28/10 20:15:17 10/29/10 20:15:15 nfs/<mynfsserver>@<myrealm>
Flags: FAT
So my application never gets the krbtgt tickets. Considering security, I
believe this is a good point.
I must confess that I didn't manage to follow rpc.gssd process with gdb
or with ltrace.
So until I'm able to trace gssd execution all things that follows are
pure suppositions.
While trying to find a valid credential_cache gssd calls a function in
utils/krb5_utils.c, "check_for_tgt", that does this loop:
while (!found&& (ret = krb5_cc_next_cred(context, ccache,&cur,
&creds)) == 0) {
if (creds.server->length == 2&&
data_is_equal(creds.server->realm, principal->realm)&&
creds.server->data[0].length == 6&&
-> memcmp(creds.server->data[0].data, "krbtgt", 6) == 0&&
data_is_equal(creds.server->data[1], principal->realm)&&
creds.times.endtime> time(NULL))
found = 1;
krb5_free_cred_contents(context,&creds);
}
What I understand is that without a krbtgt entry, a credential cache
will be considered invalid.
Is there some reasons for this?
For what I've understand about kerberos protocol, a proxiable or
forwardable service ticket is sufficient to communicate with the nfs
server. But I may be wrong.
Thanks for your help.
Marc Schlinger
Hello Marc,
This sounds like a bug. This should be considered a valid credentials
cache (without a TGT). I don't have the cycles to attempt a fix, nor
am I sure what the correct fix would be. I hope someone else does!
K.C.
On Fri, Oct 29, 2010 at 4:40 AM, Marc Schlinger
<[email protected]> wrote:
>
> Hello,
>
> I'm using WebAuth to authenticate my user and provide them a mean to
> join their NFSv4 files through a web page.
> I'd ?like to have the kerberos credentials used by the web server, but I
> didn't managed to impersonate the kerberos user with nfsv4 in a webauth
> protected page.
> When I try to list the an nfs directory ?from the webpage I've got this
> error from rpc.gssd:
>
> CC file '/tmp/krb5cc_500' is expired or corrupt
>
> My distribution is Fedora 12 and i'm using nfs-utils 1.2.1.
>
> WebAuth is configured to ask the client a forwardable ticket for
> nfs/<mynfsserver>@<myrealm>. In my application's code I can see the
> ticket and even do a klist with it. The output looks like this:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: marc@<myrealm>
>
> Valid starting ? ? Expires ? ? ? ? ? ?Service principal
> 10/28/10 20:15:17 ?10/29/10 20:15:15 ?nfs/<mynfsserver>@<myrealm>
> ? ?Flags: FAT
>
> So my application never gets the krbtgt tickets. Considering security, I
> believe this is a good point.
>
> I must confess that I didn't manage to follow rpc.gssd process with gdb
> or with ltrace.
> So until I'm able to trace gssd execution all things that follows are
> pure suppositions.
>
>
> While trying to find a valid credential_cache gssd calls a function in
> utils/krb5_utils.c, "check_for_tgt", that does this loop:
>
> ? ?while (!found&& ? (ret = krb5_cc_next_cred(context, ccache,&cur,
> &creds)) == 0) {
> ? ? ? ?if (creds.server->length == 2&&
> ? ? ? ? ? ? ? ?data_is_equal(creds.server->realm, principal->realm)&&
> ? ? ? ? ? ? ? ?creds.server->data[0].length == 6&&
> -> ? ? ? ? ? ? ?memcmp(creds.server->data[0].data, "krbtgt", 6) == 0&&
> ? ? ? ? ? ? ? ?data_is_equal(creds.server->data[1], principal->realm)&&
> ? ? ? ? ? ? ? ?creds.times.endtime> ? time(NULL))
> ? ? ? ? ? ?found = 1;
> ? ? ? ?krb5_free_cred_contents(context,&creds);
> ? ?}
>
>
> What I understand is that without a krbtgt entry, a credential cache
> will be considered invalid.
>
> Is there some reasons for this?
> For what I've understand about kerberos protocol, a proxiable or
> forwardable service ticket is sufficient to communicate with the nfs
> server. But I may be wrong.
>
>
> Thanks for your help.
>
> Marc Schlinger
>
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to [email protected]
> More majordomo info at ?http://vger.kernel.org/majordomo-info.html
>
>