Problem with krb5 authentification, server under a NAT

Olga Kornievskaia aglo at citi.umich.edu
Tue Apr 22 15:06:24 EDT 2008



J. Bruce Fields wrote:
> On Tue, Apr 22, 2008 at 06:19:09PM +0200, Quentin Godfroy wrote:
>   
>> Hi,
>>
>> I have a problem with krb5 authentication and nfsv4:
>>
>> basically the server is behind a NAT over which I do not have much control.
>> To mount exported partitions I use socat on the NAT and redirect some TCP port
>> (actually 2050 because 2049 is firewalled) to the port 2049 on the server. I
>> can successfully mount with auth=sys,port=2050, but I am unable to mount with
>> Kerberos authentication. The problem seems to lie within rpc.gssd which does
>> not care for the port setting and tries to contact the server on port 2049.
>>
>> I suppose the same could happen with nfsv{2,3} (provided the mountd port is
>> redirected as well)
>>
>> Is this a problem you were aware of?
>>
>> I suppose fixing it may require a change in the callback between the kernel
>> and rpc.gssd?
>>     
>
> What kernel are you on?  As of 2.6.24 (more specifically:
>
> 	bf19aacecbeebccb2c3d150a8bd9416b7dba81fe "nfs: add server port
> 	to rpc_pipe info file"
>
> the kernel does give gssd the information it needs to figure out which
> port the server is on.
>
> Looks to me like gssd doesn't use that yet, though.  Olga, did you
> have a patch to make gssd read the "port:" line from the info file?
>   
We'll try to create a new nfs-utils-citi-all patch that includes this, 
but for now try the attached file.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-gssd_read_port.patch
Type: text/x-patch
Size: 0 bytes
Desc: not available
Url : http://linux-nfs.org/pipermail/nfsv4/attachments/20080422/9de596de/attachment.bin 
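
The "port:" lookup discussed in this thread, as an added example (not the scrubbed 0005-gssd_read_port.patch and not nfs-utils code): a C routine that takes the server port from info-file text and validates it before use. The function name `info_server_port`, the fallback to 2049 and the sample text are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFS_DEFAULT_PORT 2049

/* Constructed sample, not captured from a real system. Only the "port:"
 * line is named in the thread; the other lines are assumed context. */
static const char sample_info[] =
    "RPC server: nat.example.org\n"
    "service: nfs (100003) version 4\n"
    "address: 192.0.2.10\n"
    "protocol: tcp\n"
    "port: 2050\n";

/* Hypothetical helper: server port from the "port:" line of info text.
 * Returns NFS_DEFAULT_PORT when the line is absent (kernel without the
 * commit quoted above), -1 when the value is malformed or out of range. */
int info_server_port(const char *buf)
{
    const char *line = buf;

    while (line && *line) {
        if (strncmp(line, "port:", 5) == 0) {
            const char *p = line + 5;
            char *end;
            long port;

            while (*p == ' ' || *p == '\t')
                p++;
            if (*p < '0' || *p > '9')
                return -1;              /* empty or non-numeric value */
            port = strtol(p, &end, 10);
            if (*end != '\n' && *end != '\0')
                return -1;              /* trailing junk after the digits */
            if (port < 1 || port > 65535)
                return -1;              /* not a usable TCP port */
            return (int)port;
        }
        line = strchr(line, '\n');      /* advance to the next line */
        if (line)
            line++;
    }
    return NFS_DEFAULT_PORT;
}

int main(void)
{
    printf("server port: %d\n", info_server_port(sample_info));
    return 0;
}
```

Returning -1 for a malformed value, instead of silently falling back to 2049, keeps the daemon from sending credentials to a port the mount never used.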

