#3263 Special case NFS related ticket to avoid attaching MS-PACs
Closed: Fixed None Opened 11 years ago by simo.

The current Linux NFS server is severely limited when it comes to handling Kerberos tickets. Basically any ticket bigger than 2k will cause it to fail authentication due to kernel->userspace upcall interface restrictions.

Until we have additional support in IPA to individually mark principals to opt out of getting PACs attached, we always prevent PACs from being attached to TGTs or tickets where NFS is involved.


The attached patch should fix this issue, untested.

I tested the patch with master and it works as expected.

First I ran kvno with different service principals and just looked at the size change of the ccache file. With an nfs/ service principal the increase was clearly smaller (about half the size) than with e.g. host/ or ldap/ principals.

As a second test I put the nfs/ keys into /etc/krb5.keytab as the only keys and used them with sssd. When trying a password authentication for a user from a trusted domain, the nfs/ key is used to validate the TGT of the user. In a second step sssd tries to extract the PAC from the validation ticket. As expected, sssd wasn't able to find a PAC in the nfs/ validation ticket.

Simo, please send the patch to the freeipa-devel list and I will ACK it.
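The size check above was done by eye on a ccache file. The following added example (not code from this ticket or from FreeIPA) automates that check: it builds a synthetic MIT ccache in the documented file format v4, parses it back, and flags any service ticket whose encoded length would exceed the NFS upcall ceiling. The realm, principal names, ticket bytes and the 2048-byte threshold are constructed assumptions; the threshold is taken from the "bigger than 2k" remark in the ticket description.

```python
"""Build and inspect a synthetic MIT Kerberos credential cache (format v4).

Added example, not FreeIPA code. The layout follows the MIT ccache file
format: big-endian integers, length-prefixed byte strings, principals as
(name_type, component count, realm, components). All sample values are
constructed; the 2048-byte limit is an assumption based on the ticket.
"""
import struct

UPCALL_LIMIT = 2048  # assumed kernel->userspace upcall ceiling ("2k" in the ticket)


def _pack_data(b: bytes) -> bytes:
    """uint32 length followed by the bytes (ccache 'data' item)."""
    return struct.pack(">I", len(b)) + b


def pack_principal(realm: str, components: list, name_type: int = 1) -> bytes:
    """Serialize a principal: name type, component count, realm, components."""
    out = struct.pack(">II", name_type, len(components))
    out += _pack_data(realm.encode())
    for comp in components:
        out += _pack_data(comp.encode())
    return out


def pack_cred(client: bytes, server: bytes, ticket: bytes, authdata=()) -> bytes:
    """Serialize one credential record with a dummy key and zeroed times."""
    out = client + server
    out += struct.pack(">HI", 18, 32) + b"\x00" * 32      # keyblock: aes256-cts, dummy key
    out += struct.pack(">IIII", 0, 0, 0, 0)               # authtime, starttime, endtime, renew_till
    out += struct.pack(">BI", 0, 0)                       # is_skey, ticket_flags
    out += struct.pack(">I", 0)                           # address count: none
    out += struct.pack(">I", len(authdata))               # authdata entries (type, data)
    for adtype, data in authdata:
        out += struct.pack(">H", adtype) + _pack_data(data)
    out += _pack_data(ticket) + _pack_data(b"")           # ticket, second_ticket
    return out


def build_ccache(default_principal: bytes, creds: list) -> bytes:
    """Assemble a v4 ccache: version, header (one DeltaTime tag), principal, creds."""
    header = struct.pack(">HH", 1, 8) + struct.pack(">ii", 0, 0)
    return (b"\x05\x04" + struct.pack(">H", len(header)) + header
            + default_principal + b"".join(creds))


class _Reader:
    """Cursor over a ccache buffer; every read is bounds-checked."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())
    def eof(self): return self.pos >= len(self.buf)

    def principal(self) -> str:
        self.u32()                     # name type, not needed here
        count = self.u32()
        realm = self.data().decode()
        comps = [self.data().decode() for _ in range(count)]
        return "/".join(comps) + "@" + realm


def parse_ccache(buf: bytes) -> list:
    """Return [{'client', 'server', 'ticket_len'}, ...] for every credential."""
    r = _Reader(buf)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format v4 is handled here")
    r.take(r.u16())                    # skip header tags
    r.principal()                      # default principal
    creds = []
    while not r.eof():
        client, server = r.principal(), r.principal()
        r.u16(); r.data()              # keyblock
        r.take(16)                     # four uint32 timestamps
        r.u8(); r.u32()                # is_skey, ticket_flags
        for _ in range(r.u32()):       # addresses
            r.u16(); r.data()
        for _ in range(r.u32()):       # authdata
            r.u16(); r.data()
        ticket = r.data()
        r.data()                       # second_ticket
        creds.append({"client": client, "server": server, "ticket_len": len(ticket)})
    return creds


def oversized(creds: list, limit: int = UPCALL_LIMIT) -> list:
    """Servers whose ticket would not fit through the NFS upcall."""
    return [c["server"] for c in creds if c["ticket_len"] > limit]


def demo() -> list:
    """Constructed cache: a PAC-less nfs/ ticket next to a PAC-sized host/ ticket."""
    realm = "EXAMPLE.TEST"
    client = pack_principal(realm, ["user"])
    nfs = pack_principal(realm, ["nfs", "nfs1.example.test"])
    host = pack_principal(realm, ["host", "nfs1.example.test"])
    cache = build_ccache(client, [
        pack_cred(client, nfs, b"\x61" * 900),    # fits the assumed upcall limit
        pack_cred(client, host, b"\x61" * 2600),  # would fail NFS authentication
    ])
    return parse_ccache(cache)


if __name__ == "__main__":
    for cred in demo():
        print(cred["server"], cred["ticket_len"])
    print("oversized:", oversized(demo()))
```

Point `parse_ccache` at the bytes of a real cache after running kvno against nfs/ and host/ principals to reproduce the tester's comparison; the parser only reads the format v4 layout, so caches in older formats are rejected rather than misread.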

Merge KDC LDAP components to one.

Metadata Update from @simo (7 years ago):
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 3.0.2
