TechQA.

Why does a client machine need a kerberos service principal

414 views Asked by At

I'm trying to understand Kerberos and getting confused with the service principals. Assume I wanna access a NFS share secured by Kerberos.

I have the following three different nodes:

  1. A Client machine (with a user called test)
  2. KDC (AS/TGS)
  3. NFS Server

Now the KDC contains the principal database with the user called test. Further the KDC contains also a nfs/DOMAINNAMEFROMNFSSERVER principal. This principal is also shared with the NFS server using a keytab. In order to establish a kerberized nfs session, the user test is requesting a TGT from the KDC.

But why all the examples in the internet tell that the Client machine needs also a keytab which should contain the nfs/DOMAINNAMEFROMNFSSERVER principal?

I understand that the service principal need only be present in the KDC database and directly on the NFS server (using a keytab). Could somebody please clarify why the keytab need also be present on the Client?

Thanks in advance for your help!

kerberos mit-kerberos
Original Q&A
2

There are 2 answers

0
Najmuddin On

Refer: man rpc.gssd, it contains the answer the question in detail. btw, the principal on the client can be different than nfs/@REALM.

Snip from the man page: 

   Machine Credentials
   A  user credential is established by a user and is then shared with the kernel and rpc.gssd.  A machine credential is established by rpc.gssd for
   the kernel when there is no user.  Therefore rpc.gssd must already have the materials on hand to establish this credential without requiring user
   intervention.

   rpc.gssd searches the local system's keytab for a principal and key to use to establish the machine credential.  By default, rpc.gssd assumes the
   file /etc/krb5.keytab contains principals and keys that can be used to obtain machine credentials.

   rpc.gssd searches in the following order for a principal to use.  The first matching credential is used.  For the search, <hostname> and  <REALM>
   are replaced with the local system's hostname and Kerberos realm.

      <HOSTNAME>$@<REALM>
      root/<hostname>@<REALM>
      nfs/<hostname>@<REALM>
      host/<hostname>@<REALM>
      root/<anyname>@<REALM>
      nfs/<anyname>@<REALM>
      host/<anyname>@<REALM>
0
Ravi OpenSource On

Basically the client needs machine credential to connect to the kerberized nfs server. You have to add a nfs/<client_fully_qualified_name> principal in KDC and then add into the local client keytab.

Related Questions in KERBEROS

Related Questions in MIT-KERBEROS

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions