The current Linux NFS server is severely limited when it comes to handling Kerberos tickets. Basically any ticket bigger than 2k will cause it to fail authentication due to kernel->userspace upcall interface restrictions.
Until we have additional support in IPA to individually mark principals to opt out of getting PACs attached, we always prevent PACs from being attached to TGTs or tickets where NFS is involved.
Workaround patch 0001-MS-PAC-Special-case-NFS-services.patch
The attached patch should fix this issue, untested.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=878462
I tested the patch with master and it works as expected.
First I ran kvno with different service principals and just looked at the size change of the ccache file. With an nfs/ service principal the increase was clearly smaller (about half the size) than with e.g. host/ or ldap/ principals.
As a second test I put the nfs/ keys into /etc/krb5.keytab as the only keys and used them with sssd. When trying a password authentication for a user from a trusted domain, the nfs/ key is used to validate the TGT of the user. In a second step sssd tries to extract the PAC from the validation ticket. As expected, sssd wasn't able to find a PAC in the nfs/ validation ticket.
Simo, please send the patch to the freeipa-devel list and I will ACK it.
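The first test above compares whole ccache file sizes by eye. The following is an added example, not part of this ticket or of FreeIPA's or MIT Kerberos' code, that parses an MIT FILE-format credential cache (version 4, the layout MIT krb5 writes by default) and reports the encoded ticket length per service principal, so the nfs/ versus host/ difference can be read off per ticket and checked against the 2048-byte figure quoted above for the kernel NFS server. The sample cache is constructed inside the script: the principal names, realm, ticket flags and the ticket lengths (700 bytes for nfs/, 2500 for host/) are made-up values, and the ticket bodies are filler bytes rather than real encrypted tickets.

```python
"""Parse an MIT FILE ccache (v4) and report ticket size per service principal.
The sample cache at the bottom is constructed here; nothing in it is real."""
import io
import struct

# Limit quoted in the ticket for the kernel NFS server's upcall interface.
NFS_TICKET_LIMIT = 2048


def _counted(buf):
    """Read a 32-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack(">I", buf.read(4))
    return buf.read(n)


def _read_principal(buf):
    """Principal: name type, component count, realm, then the components."""
    _name_type, ncomp = struct.unpack(">II", buf.read(8))
    realm = _counted(buf).decode()
    comps = [_counted(buf).decode() for _ in range(ncomp)]
    return "/".join(comps) + "@" + realm


def parse_ccache(data):
    """Return (default principal, list of credential dicts) for a v4 FILE ccache."""
    buf = io.BytesIO(data)
    (version,) = struct.unpack(">H", buf.read(2))
    if version != 0x0504:
        raise ValueError("only FILE ccache version 4 (0x0504) is handled")
    (hdr_len,) = struct.unpack(">H", buf.read(2))
    buf.read(hdr_len)                       # header tags, e.g. KDC time offset
    default_principal = _read_principal(buf)
    creds = []
    while buf.tell() < len(data):
        client = _read_principal(buf)
        server = _read_principal(buf)
        buf.read(2)                         # session key enctype
        _counted(buf)                       # session key contents
        times = struct.unpack(">IIII", buf.read(16))  # auth/start/end/renew_till
        buf.read(1)                         # is_skey
        (flags,) = struct.unpack(">I", buf.read(4))
        (n_addr,) = struct.unpack(">I", buf.read(4))
        for _ in range(n_addr):
            buf.read(2)                     # address type
            _counted(buf)
        (n_authdata,) = struct.unpack(">I", buf.read(4))
        for _ in range(n_authdata):
            buf.read(2)                     # authdata type
            _counted(buf)
        ticket = _counted(buf)              # the encoded Ticket presented to the service
        _counted(buf)                       # second ticket (user-to-user), unused here
        creds.append({"client": client, "server": server, "end_time": times[2],
                      "flags": flags, "ticket_len": len(ticket)})
    return default_principal, creds


def ticket_sizes(data):
    """Map each service principal in the cache to its ticket length in bytes."""
    _, creds = parse_ccache(data)
    return {c["server"]: c["ticket_len"] for c in creds}


def oversized_tickets(data, limit=NFS_TICKET_LIMIT):
    """Service principals whose ticket exceeds the kernel NFS server limit."""
    return [srv for srv, n in ticket_sizes(data).items() if n > limit]


# ---- constructed sample cache (writer side, same layout as the parser) ----

def _enc_counted(b):
    return struct.pack(">I", len(b)) + b


def _enc_principal(name):
    local, realm = name.split("@")
    comps = local.split("/")
    out = struct.pack(">II", 1, len(comps)) + _enc_counted(realm.encode())  # NT-PRINCIPAL
    return out + b"".join(_enc_counted(c.encode()) for c in comps)


def _enc_cred(client, server, ticket):
    return (_enc_principal(client) + _enc_principal(server)
            + struct.pack(">H", 18) + _enc_counted(b"\x00" * 32)   # aes256 key placeholder
            + struct.pack(">IIII", 0, 0, 0, 0) + b"\x00"           # times, is_skey
            + struct.pack(">III", 0x40A10000, 0, 0)                # sample flags, no addrs/authdata
            + _enc_counted(ticket) + _enc_counted(b""))


def build_sample_ccache():
    """Constructed cache: TGT plus nfs/ and host/ service tickets (sizes are made up)."""
    header = struct.pack(">HH", 1, 8) + b"\x00" * 8     # tag 1: KDC time offset, 8 bytes
    data = struct.pack(">HH", 0x0504, len(header)) + header
    data += _enc_principal("user@IPA.EXAMPLE")
    data += _enc_cred("user@IPA.EXAMPLE", "krbtgt/IPA.EXAMPLE@IPA.EXAMPLE", b"\x61" * 1500)
    data += _enc_cred("user@IPA.EXAMPLE", "nfs/fs.ipa.example@IPA.EXAMPLE", b"\x61" * 700)
    data += _enc_cred("user@IPA.EXAMPLE", "host/srv.ipa.example@IPA.EXAMPLE", b"\x61" * 2500)
    return data


if __name__ == "__main__":
    cache = build_sample_ccache()   # or: open("/tmp/krb5cc_1000", "rb").read()
    for srv, n in ticket_sizes(cache).items():
        print(f"{n:5d} bytes  {srv}")
    print("over NFS limit:", oversized_tickets(cache))
```

To use it on a real cache, run kinit and kvno for the principals of interest, then pass the ccache file contents to `ticket_sizes`; the ticket length includes the encrypted part that carries the PAC, which is why a PAC-free nfs/ ticket comes out markedly smaller.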
master: 5269458
ipa-3-0: 592dd9f
Merge KDC LDAP components to one.
Metadata Update from @simo: - Issue assigned to simo - Issue set to the milestone: FreeIPA 3.0.2