Kerberized NFSv3 incorrect behavior (revisited)

Rick Macklem rmacklem at uoguelph.ca
Fri Feb 5 20:08:12 UTC 2010



On Fri, 5 Feb 2010, George Mamalakis wrote:

> shows no tickets. This could be also a security threat, in case different 
> kerberos principals (users in this setup) use a shared machine account to 
> logon, and then access their resources by kiniting to their respective 
> principals.
>
The kernel only knows the effective uid and the current gssd assumes
that there will be "one" user principal with a TGT in /tmp/krb5cc_N
(where 'N' is that uid#). Having multiple principals sharing the
same login/uid (which I'm guessing is what you refer to as a
"shared machine account", isn't going to work.

I suppose that the gssd could do a "uid"->"username"->"principal name"
mapping and then use that "principal name", but it is still going to
be unique (ie only one) per uid.

rick



More information about the freebsd-current mailing list