Date: Fri, 5 Feb 2010 15:19:19 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: George Mamalakis <mamalos@eng.auth.gr>
Cc: freebsd-current@freebsd.org, freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: Kerberized NFSv3 incorrect behavior (revisited)
Message-ID: <Pine.GSO.4.63.1002051515270.17768@muncher.cs.uoguelph.ca>
In-Reply-To: <4B6C3258.7050607@eng.auth.gr>
References: <4B6C3258.7050607@eng.auth.gr>

On Fri, 5 Feb 2010, George Mamalakis wrote:

> shows no tickets. This could be also a security threat, in case different
> kerberos principals (users in this setup) use a shared machine account to
> logon, and then access their resources by kiniting to their respective
> principals.
>

The kernel only knows the effective uid and the current gssd assumes that
there will be "one" user principal with a TGT in /tmp/krb5cc_N (where 'N'
is that uid#). Having multiple principals sharing the same login/uid (which
I'm guessing is what you refer to as a "shared machine account"), isn't
going to work. I suppose that the gssd could do a
"uid"->"username"->"principal name" mapping and then use that
"principal name", but it is still going to be unique (i.e. only one) per uid.

rick
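
Added example, not part of the message above and not gssd code: a Python sketch of the per-uid lookup the reply describes, reading the default principal out of a version 4 FILE credential cache to show which single identity a uid ends up with. The function names, uids and principals are constructed for illustration, and it assumes every kinit writes to the default /tmp/krb5cc_N cache.

```python
import struct

def ccache_path(uid):
    # The one file consulted for effective uid N, per the message above.
    return "/tmp/krb5cc_%d" % uid

def build_ccache(principal):
    # Constructed sample: start of a v4 FILE ccache (no credentials follow).
    name, realm = principal.rsplit("@", 1)
    parts = [p.encode() for p in name.split("/")]
    blob = struct.pack(">HH", 0x0504, 0)        # format version 4, empty header
    blob += struct.pack(">II", 1, len(parts))   # name type 1, component count
    for field in [realm.encode()] + parts:      # realm first, then components
        blob += struct.pack(">I", len(field)) + field
    return blob

def default_principal(blob):
    # Parse the default principal that a v4 ccache stores after its header.
    version, hdrlen = struct.unpack_from(">HH", blob, 0)
    if version != 0x0504:
        raise ValueError("unsupported ccache version 0x%04x" % version)
    off = 4 + hdrlen
    _name_type, count = struct.unpack_from(">II", blob, off)
    off += 8
    fields = []
    for _ in range(count + 1):
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated ccache")
        fields.append(blob[off:off + length].decode())
        off += length
    return "/".join(fields[1:]) + "@" + fields[0]

def simulate_logins(logins):
    # logins: ordered (uid, principal) kinit events. A kinit re-initialises
    # the cache for that uid, so only the most recent principal remains.
    caches = {}
    for uid, principal in logins:
        caches[ccache_path(uid)] = build_ccache(principal)
    return {path: default_principal(blob) for path, blob in caches.items()}

if __name__ == "__main__":
    events = [(1001, "alice@EXAMPLE.ORG"), (1001, "bob@EXAMPLE.ORG")]
    print(simulate_logins(events))
```

Running `default_principal` over the real bytes of each /tmp/krb5cc_N on a shared host shows which principal's tickets every process under that uid is currently using.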