Fw: SSO with telnet/rlogin/rsh

Kevin Coffman kwc at citi.umich.edu
Mon Jan 28 09:10:27 EST 2008


Trimming the kerberos list from the reply since this isn't a Kerberos issue.

On a local RHEL 5 machine, nfs-utils-lib-1.0.8-7.2.z2 includes the
pkgconfig information for librpcsecgss.  It is in /usr/lib64/pkgconfig
here.

[root at pdsi1 ~]# rpm -q --filesbypkg nfs-utils-lib-1.0.8-7.2.z2
nfs-utils-lib             /usr/lib64/libnfsidmap.la
nfs-utils-lib             /usr/lib64/libnfsidmap.so.0
nfs-utils-lib             /usr/lib64/libnfsidmap.so.0.2.0
nfs-utils-lib             /usr/lib64/librpcsecgss.la
nfs-utils-lib             /usr/lib64/librpcsecgss.so.2
nfs-utils-lib             /usr/lib64/librpcsecgss.so.2.0.1
nfs-utils-lib             /usr/lib64/pkgconfig/libnfsidmap.pc
nfs-utils-lib             /usr/lib64/pkgconfig/librpcsecgss.pc
nfs-utils-lib             /usr/share/doc/libnfsidmap/AUTHORS
nfs-utils-lib             /usr/share/doc/libnfsidmap/ChangeLog
nfs-utils-lib             /usr/share/doc/libnfsidmap/NEWS
nfs-utils-lib             /usr/share/doc/libnfsidmap/README
nfs-utils-lib             /usr/share/doc/librpcsecgss/AUTHORS
nfs-utils-lib             /usr/share/doc/librpcsecgss/ChangeLog
nfs-utils-lib             /usr/share/doc/librpcsecgss/NEWS
nfs-utils-lib             /usr/share/doc/librpcsecgss/README
nfs-utils-lib             /usr/share/man/man3/nfs4_uid_to_name.3.gz


On Jan 28, 2008 6:10 AM, Ido Levy <IDOL at il.ibm.com> wrote:
> Hello,
>
> We are trying to compile nfs-utils-1.0.11 on RHEL 5.1 and get the following
> error:
>
> configure: error: Unable to locate information required to use
> librpcsecgss.  If you have pkgconfig installed, you might try setting
> environment variable PKG_CONFIG_PATH to /usr/local/lib/pkgconfig
>
> We have the pkgconfig RPM, pkgconfig-0.21-1.fc6, installed and it contains the
> following files:
> /usr/bin/pkg-config
> /usr/lib/pkgconfig
> /usr/share/aclocal/pkg.m4
> /usr/share/man/man1/pkg-config.1.gz
>
> We try to set PKG_CONFIG_PATH to /usr/lib/pkgconfig but it doesn't help; the
> same error appears again.
>
> Any advice would be appreciated
>
> Thanks,
>
> Ido Levy
>
> From: "Kevin Coffman" <kwc at citi.umich.edu>
> Sent by: kwcoffman at gmail.com
> Date: 01/15/2008 06:05 PM
> To: Ido Levy/Haifa/IBM at IBMIL
> cc: kerberos at mit.edu, Olga Dodin/Haifa/IBM at IBMIL
> Subject: Re: Fw: SSO with telnet/rlogin/rsh
>
> The latest versions of rpc.gssd look at file ownership rather than the
> name.  (It does narrow the field by looking for "krb5cc_*", then
> looking at file ownership.)  This change went into nfs-utils-1.0.11.
>
> Unfortunately, gssd has no access to the user's environment variables
> and cannot use that to determine the credentials cache file to use
> when creating a context.
>
> K.C.
>
> On Jan 15, 2008 9:53 AM, Ido Levy <IDOL at il.ibm.com> wrote:
> >
> > We did a deeper investigation of this issue and found out that the
> > difference between sshd and telnetd is in the user credential cache file
> > name.
> > While ssh to the machine the credential cache file name is composed using
> > the numeric uid of the user like /tmp/krb5cc_XXXX. On the other hand
> > while telnet to the machine the credential cache file name is composed
> > using the telnet process number.
> > As a result rpc.gssd is unable to find the credential cache file for the
> > user since it tries to look for the files having the numeric uid as part
> > of their name.
> >
> > In the /tmp directory the following file was created:
> >
> >       ls -ltr /tmp/krb5cc_*
> >       -rw------- 1 user_name bin 431 Jan 15 16:41 /tmp/krb5cc_p3715
> >
> > Note that 3715 is the pid of the telnet process.
> >
> > Following is the output of the rpc.gssd daemon when we use telnet to enter
> > the machine:
> >
> > xinetd[3713]: START: telnet pid=3715 from=x.xxx.xx.xx
> > rpc.gssd[1934]: handling krb5 upcall
> > rpc.gssd[1934]: Using keytab file '/etc/krb5.keytab'
> > rpc.gssd[1934]: INFO: Credentials in CC 'MEMORY:/tmp/krb5cc_machine_REALM' are good until 1200491925
> > rpc.gssd[1934]: using MEMORY:/tmp/krb5cc_machine_REALM as credentials cache for machine creds
> > rpc.gssd[1934]: using environment variable to select krb5 ccache MEMORY:/tmp/krb5cc_machine_REALM
> > rpc.gssd[1934]: creating context using fsuid 0 (save_uid 0)
> > rpc.gssd[1934]: creating tcp client for server nfs_server.domain
> > rpc.gssd[1934]: creating context with server nfs at nfs_server.domain
> > rpc.gssd[1934]: DEBUG: serialize_krb5_ctx: lucid version!
> > rpc.gssd[1934]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
> > rpc.gssd[1934]: doing downcall
> > rpc.gssd[1934]: handling krb5 upcall
> > rpc.gssd[1934]: getting credentials for client with uid XXXX for server nfs_server.domain
> > rpc.gssd[1934]: using FILE:/tmp/krb5cc_XXXX as credentials cache for client with uid XXXX for server nfs_server.domain
> > rpc.gssd[1934]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_XXXX
> > rpc.gssd[1934]: creating context using fsuid XXXX (save_uid 0)
> > rpc.gssd[1934]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more information - No credentials cache found
> > rpc.gssd[1934]: WARNING: Failed while limiting krb5 encryption types for user with uid XXXX
> > rpc.gssd[1934]: WARNING: Failed to create krb5 context for user with uid XXXX for server nfs_server.domain
> > rpc.gssd[1934]: doing error downcall
> >
> >
> > Ido & Olga
> >
> > From: Ido Levy/Haifa/IBM
> > Date: 01/07/2008 11:08 PM
> > To: kerberos at mit.edu
> > Subject: SSO with telnet/rlogin/rsh
> >
> > Hello,
> >
> > I am trying to set up SSO in a Linux environment which has the following
> > components up and running:
> >
> >       Kerberos 5
> >       LDAP
> >       Kerberized NFSv4 ( security flavor krb5 )
> >       Automount
> >
> > When using ssh everything works fine, tickets ( for both user and nfs )
> > are forwarded and when the user logs in to a machine both tickets are set.
> > Unfortunately when using telnet/rlogin/rsh ( the ones that shipped with
> > krb5-workstation ) the user logs in to the machine
> > but fails to cd to his home directory which is automounted using
> > kerberized ( kerberos 5 ) NFSv4.
> > When issuing 'klist -5' just the user principal is presented and not the
> > NFS principal.
> >
> > Has anyone successfully set up SSO with telnet/rlogin/rsh in a kerberized
> > NFSv4 environment when using automount?
> >
> > Thanks,
> >
> > Ido Levy
>

