On Fri, 04 Jul 2014 16:36:12 +0200 Jaap Winius <jwin...@umrk.nl> wrote:
> Package: nfs-common
> Version: 1.2.6-4
>
> NFS with sec=krb5i or sec=krb5p using MIT Kerberos does not work when
> cross-realm authentication is used -- only when clients have a
> Kerberos ticket for the same realm. This happens consistently and in
> cases when cross-realm authentication does work with other services on
> the same machine, such as SSH.
>
...
> The second set involves a user account with the same name, jwinius,
> but with a Kerberos ticket from a different, albeit trusted realm:
> UMRK.NL. This always results in an authentication failure:
...
> The user experience ends with a "Permission denied" message, although
> the client does receive a Kerberos service ticket despite the failure.
> The rpc.idmapd daemon seems to translate the jwin...@umrk.nl account
> to "jwin...@dapadam.nl" with user ID 10000. In some situations this
> might be incorrect, but here it's okay because both accounts belong to
> the same person.
>
> When authentication fails, the only evidence that I can see for this
> in the server's log output is in the fifth line shown:
> "nss_gss_princ_to_ids: Local-Realm 'UMRK.NL': NOT FOUND". Apparently,
> the local Kerberos KDC is not interrogated and the trust entry for the
> UMRK.NL realm is never discovered.

You have not included the content of /etc/idmapd.conf. There are several
options for translating principals, and if user names are the same in
both realms a simple line like

Local-Realms: DAPADAM.NL, UMRK.NL

might do it.

Arne Nordmark

Archive: https://lists.debian.org/55a35290.2040...@mech.kth.se
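
Added example, not part of the original message and not nfs-utils code: a small Python model of the realm check behind the "Local-Realm ... NOT FOUND" log line, showing how a Local-Realms entry changes the outcome for a cross-realm principal. The function names, the constructed sample configuration and principal, the case-insensitive comparison and the fallback to the upper-cased Domain when Local-Realms is absent are assumptions of this sketch.

```python
import configparser

# Constructed sample of /etc/idmapd.conf using the two realm names from the thread.
SAMPLE_CONF = """\
[General]
Domain = dapadam.nl
Local-Realms = DAPADAM.NL,UMRK.NL
"""

def local_realms(conf_text):
    """Return the realms treated as equivalent to the local realm, upper-cased."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    # Section names are matched case-insensitively here (assumption).
    general = next((cp[s] for s in cp.sections() if s.lower() == "general"), {})
    raw = general.get("local-realms")
    if raw is None:
        # Assumption: without Local-Realms only the upper-cased Domain is local.
        raw = general.get("domain", "")
    return [r.strip().upper() for r in raw.split(",") if r.strip()]

def map_principal(principal, conf_text):
    """Model the realm gate: return the local user name, or None if rejected."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user:
        return None
    if realm.upper() not in local_realms(conf_text):
        # This is the case the server logged as: Local-Realm 'UMRK.NL': NOT FOUND
        return None
    # The realm is dropped: every accepted realm maps to the same local account.
    return user

if __name__ == "__main__":
    without = "[General]\nDomain = dapadam.nl\n"
    for conf in (without, SAMPLE_CONF):
        for princ in ("jwinius@DAPADAM.NL", "jwinius@UMRK.NL"):  # constructed
            print(local_realms(conf), princ, "->", map_principal(princ, conf))
```

Because the realm is discarded once it passes the check, every realm listed in Local-Realms shares one user namespace with the local realm, which is only appropriate when equal names in both realms denote the same person.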