NFS + Kerberos
Momchil Ivanov
momchil at xaxo.eu
Tue Feb 19 08:50:12 UTC 2013
On Tue, February 19, 2013 12:56 am, Rick Macklem wrote:
> Thanks to Elias's hard work, a bug/fix has just been isolated in the
> Kerberos library that causes the gssd to fail to translate a principal
> to a uid. The fix is to increase the size of the buffer passed to
> getpwnam_r(). See this thread:
> http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw
>
> I haven't run into this bug, so I don't know what systems are affected,
> but it would explain why you can't get it working.
>
> I'd suggest you apply the patch in the email (increase buf to 1024) and
> then try again with libraries built with the patch.

Do I have to apply the patch to the server only and then rebuild world or
do I have to do the same on the client too? And do I need to rebuild
heimdal on both machines?

btw, I checked the logs of the kdc and could not see any trace of the nfs
server trying to validate the client's ticket... Frankly, I don't know
what I should expect there, I haven't used kerberos before, so I have no
idea if it's related to the bug. Here is part of the log:

AS-REQ user at EXAMPLE.LOCAL from IPv4:X.X.X.X for
krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
No preauth found, returning PREAUTH-REQUIRED -- user at EXAMPLE.LOCAL
sending 407 bytes to IPv4:X.X.X.X
AS-REQ user at EXAMPLE.LOCAL from IPv4:X.X.X.X for
krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
Client sent patypes: encrypted-timestamp
Looking for PKINIT pa-data -- user at EXAMPLE.LOCAL
Looking for ENC-TS pa-data -- user at EXAMPLE.LOCAL
ENC-TS Pre-authentication succeeded -- user at EXAMPLE.LOCAL using des-cbc-crc
Client supported enctypes: des-cbc-crc
Using des-cbc-crc/aes256-cts-hmac-sha1-96
AS-REQ authtime: 2013-02-11T23:45:44 starttime: unset endtime:
2013-02-12T09:45:39 renew till: unset
sending 552 bytes to IPv4:X.X.X.X
Thank you,
Momchil
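
Added example, not part of the original message and not the Kerberos library's or gssd's own code: the failure mode discussed in the quoted text, where a buffer that is too small makes getpwnam_r() return ERANGE, next to a lookup that grows the buffer and retries. The function names, the 1 MiB cap and the sample user name "root" are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Fixed-buffer lookup: if the passwd entry does not fit in buflen bytes,
 * getpwnam_r() returns ERANGE. A caller that treats every failure as
 * "no such user" then loses the name-to-uid mapping. */
int lookup_uid_fixed(const char *name, size_t buflen, uid_t *uid)
{
    struct passwd pw, *res = NULL;
    char *buf = malloc(buflen);
    if (buf == NULL)
        return ENOMEM;
    int rc = getpwnam_r(name, &pw, buf, buflen, &res);
    if (rc == 0 && res == NULL)
        rc = ENOENT;            /* lookup worked, user does not exist */
    if (rc == 0)
        *uid = pw.pw_uid;
    free(buf);
    return rc;
}

/* Retrying lookup: grow the buffer on ERANGE instead of giving up. */
int lookup_uid(const char *name, size_t buflen, uid_t *uid)
{
    const size_t max_buflen = 1 << 20;  /* hypothetical upper bound */
    int rc;
    if (buflen == 0)
        buflen = 1;
    while ((rc = lookup_uid_fixed(name, buflen, uid)) == ERANGE &&
           buflen < max_buflen)
        buflen *= 2;
    return rc;
}

int main(void)
{
    uid_t uid = (uid_t)-1;
    /* "root" is a constructed sample name; 1 byte forces the ERANGE path. */
    int rc = lookup_uid("root", 1, &uid);
    printf("rc=%d uid=%ld\n", rc, (long)uid);
    return rc;
}
```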