Timo Aaltonen
2010-04-21 12:30:21 UTC
Hi!
There was a patch proposed some time ago to add a new option to feed the
name of the machine principal to gssd to make it work on an AD realm
without the need to create nfs/* service principals on the KDC. The
downside of the patch is that it doesn't scale that well, since you still
need to give the parameter, and the principal name is different for
every host.
The better way to handle it would be to test HOSTNAME$@REALM in the code,
probably before {root,nfs,host}/$fqdn (like on that old patch), since
otherwise host/ will match and bail out from find_keytab_entry().
The hostname and realm need to be capitalized, so it needs a new
function. Should I come up with a patch or is this something that has been
discussed already and shot down? :)
--
Timo Aaltonen
Systems Specialist
IT Services, Aalto University
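
The lookup order proposed in the message above, as an added sketch that is not nfs-utils code and not part of the original post: the machine account name is built and tried first, ahead of root/, nfs/ and host/, so an AD keytab matches on it before host/ does. The function names, the buffer size, and taking the first DNS label of the fqdn as the host name are assumptions; the host and realm in main() are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PRINC_MAX 256   /* assumed buffer size for one principal name */

/* Build "HOSTNAME$@REALM": first DNS label of fqdn and the realm, both
 * upper-cased. Returns 0 on success, -1 on empty input or if it does not fit. */
int machine_principal(const char *fqdn, const char *realm, char *out, size_t outlen)
{
    size_t hlen = strcspn(fqdn, ".");   /* assumption: host name = first label */
    size_t rlen = strlen(realm), i, n = 0;
    if (hlen == 0 || rlen == 0 || hlen + rlen + 3 > outlen)  /* '$', '@', NUL */
        return -1;
    for (i = 0; i < hlen; i++)
        out[n++] = (char)toupper((unsigned char)fqdn[i]);
    out[n++] = '$';
    out[n++] = '@';
    for (i = 0; i < rlen; i++)
        out[n++] = (char)toupper((unsigned char)realm[i]);
    out[n] = '\0';
    return 0;
}

/* Candidate names in the order proposed in the message: the machine account
 * first, then root/, nfs/ and host/ for the fqdn. Returns the count or -1. */
int keytab_candidates(const char *fqdn, const char *realm, char cand[4][PRINC_MAX])
{
    static const char *const svc[] = { "root", "nfs", "host" };
    int i, n;
    if (machine_principal(fqdn, realm, cand[0], PRINC_MAX) != 0)
        return -1;
    for (i = 0; i < 3; i++) {
        n = snprintf(cand[i + 1], PRINC_MAX, "%s/%s@%s", svc[i], fqdn, realm);
        if (n < 0 || n >= PRINC_MAX)
            return -1;
    }
    return 4;
}

int main(void)
{
    char cand[4][PRINC_MAX];
    /* constructed sample host and realm */
    int i, n = keytab_candidates("client1.example.com", "EXAMPLE.COM", cand);
    for (i = 0; i < n; i++)
        printf("%d: %s\n", i, cand[i]);
    return n == 4 ? 0 : 1;
}
```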