Red Hat Bugzilla – Bug 1273165
rpc.gssd should not assume that the machine account is in uppercase
Last modified: 2016-06-15 03:31:06 EDT
+++ This bug was initially created as a clone of Bug #1268040 +++
Description of problem:
rpc.gssd first looks for an entry of the form <HOSTNAME>$@<DOMAIN>, which corresponds to the Active Directory machine account. It assumes that <HOSTNAME> will be in uppercase because that's how the entry is created if the machine is joined to the domain using Samba.
But that's not necessarily the case if another identity management solution (e.g. Centrify) is used...
Upstream commit f7b42b9e (gssd: select non-conventional principal) allows the hostname used in the search for a keytab entry for the machine account to be overridden. However, in an environment with a lot of clients it may not be feasible to customize the krb5.conf on each of those clients.
rpc.gssd should first look for an entry that matches the unmodified hostname and then convert it to uppercase and try again only if that failed.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Run rpc.gssd with -vvv and look at the logs
rpc.gssd searches for the machine account in all caps, for example:
Sep 28 16:40:03 smayhew-fedora rpc.gssd: Success getting keytab entry for 'SMAYHEW-FEDORA$@EXAMPLE.COM'
rpc.gssd should search for the machine account using the unmodified hostname (whether that be in lower case, mixed case, whatever) first. Note in my example it fails to find a machine account keytab entry with the hostname in lower case because I don't have one in my keytab... the point is that it did the search:
Oct 1 12:03:52 smayhew-fedora rpc.gssd: No key table entry found for smayhew-fedora$@EXAMPLE.COM while getting keytab entry for 'smayhew-fedora$@EXAMPLE.COM'
Oct 1 12:03:52 smayhew-fedora rpc.gssd: Success getting keytab entry for 'SMAYHEW-FEDORA$@EXAMPLE.COM'
The following patch posted to the linux-nfs list addresses this:
nfs-utils-1.3.3-4.rc1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-66b96dbd3f
nfs-utils-1.3.3-4.rc1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
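The lookup order requested in the description, sketched as an added example that is not part of this bug report and is not nfs-utils code: the machine-account principal is tried with the hostname as given, and only on a miss with the hostname uppercased. The helper names and the in-memory keytab are assumptions; the principal strings are constructed from the log lines above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample keytab (principal names only). */
static const char *sample_keytab[] = {
    "host/smayhew-fedora.example.com@EXAMPLE.COM",
    "SMAYHEW-FEDORA$@EXAMPLE.COM",
};

/* Exact, case-sensitive comparison of principal names. */
static int keytab_has(const char **kt, size_t n, const char *princ)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(kt[i], princ) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: try "<host>$@<REALM>" as given, then uppercased.
 * Returns the number of lookups made (1 or 2) with the match in out,
 * or -1 if no candidate matched or the name did not fit. */
int find_machine_principal(const char **kt, size_t n, const char *host,
                           const char *realm, char *out, size_t outlen)
{
    char upper[256];
    size_t len = strlen(host);

    if (len >= sizeof(upper) ||
        (size_t)snprintf(out, outlen, "%s$@%s", host, realm) >= outlen)
        return -1;
    if (keytab_has(kt, n, out))
        return 1;
    for (size_t i = 0; i <= len; i++)   /* <= copies the terminator too */
        upper[i] = (char)toupper((unsigned char)host[i]);
    if (strcmp(upper, host) == 0)
        return -1;                      /* already uppercase: no retry */
    snprintf(out, outlen, "%s$@%s", upper, realm);
    return keytab_has(kt, n, out) ? 2 : -1;
}

int main(void)
{
    char princ[300];
    int tries = find_machine_principal(sample_keytab, 2, "smayhew-fedora",
                                       "EXAMPLE.COM", princ, sizeof(princ));
    printf("lookups=%d principal=%s\n", tries, tries > 0 ? princ : "(none)");
    return 0;
}
```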