Client authentication question
Kevin Coffman
kwc at citi.umich.edu
Mon Dec 10 11:58:02 EST 2007
On Dec 10, 2007 11:40 AM, J. Bruce Fields <bfields at fieldses.org> wrote:
> On Mon, Dec 10, 2007 at 03:52:22PM +0100, Lukas Hejtmanek wrote:
> > when using Kerberos for authentication, the client must possess krb5.keytab to
> > be able to mount NFS volume from the server with krb extensions. However, the
> > krb5.keytab is bound with the client IP and hostname. In such a case, the
> > client may not migrate to another network (where he gets another IP and
> > invalidates krb5.keytab from the previous network). Is this a desired feature or
> > something that should work (I mean the migration)?
> >
> > Regarding the migration - I do not need live migration with mounted file
> > system, I just want to be able to mount the share in any network from my home
> > NFS server. Is there any solution for this if I want the kerberos
> > authentication?
>
> I do krb5-authenticated mounts from my laptop all the time, and it works
> just fine. It'll keep using the one keytab regardless of whatever IP it
> has on the current network.
>
> --b.
Re-reading this, it strikes me that perhaps you are getting Kerberos
tickets with addresses. If that is the case, you may need to add
something like
[libdefaults]
...
noaddresses = true
no-addresses = true
to your /etc/krb5.conf to get tickets that are not associated with an
IP address. This became the default at some point (for MIT Kerberos),
but I don't recall offhand when that was. The "no-addresses" version
is for Heimdal.
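As an added illustration (not part of this thread or of either Kerberos project), here is a small Python check that reads a krb5.conf and reports whether [libdefaults] asks for addressless tickets under either the MIT spelling (noaddresses) or the Heimdal one (no-addresses). The sample config is constructed for the example, and the parser is a minimal one written here because the brace-nested subsections in [realms] are not handled by Python's configparser.

```python
import re

# Constructed sample krb5.conf; the realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    noaddresses = true
    no-addresses = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")

def parse_libdefaults(text):
    """Return the flat key = value pairs of [libdefaults].

    Other sections are ignored, and brace-nested blocks (as used under
    [realms]) are skipped wherever they appear."""
    section, depth, values = None, 0, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop '#' comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m and depth == 0:
            section = m.group(1)
            continue
        if line.endswith("{"):               # entering a nested subsection
            depth += 1
            continue
        if line == "}":                      # leaving a nested subsection
            depth -= 1
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            values[key.lower()] = value
    return values

TRUE_WORDS = {"true", "yes", "1", "on"}

def addressless_requested(text):
    """True if MIT's noaddresses or Heimdal's no-addresses is switched on."""
    v = parse_libdefaults(text)
    return any(v.get(k, "").lower() in TRUE_WORDS for k in ("noaddresses", "no-addresses"))
```

Run it against the real file with `addressless_requested(open("/etc/krb5.conf").read())`; a False result on a roaming client is the situation Kevin describes.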