From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Rick Macklem
Cc: hackers@freebsd.org
Date: Tue, 1 Dec 2015 16:53:15 +0300
Subject: Re: NFSv4 details and documentations
Message-ID: <20151201135315.GH31314@zxy.spb.ru>
In-Reply-To: <1745794347.113212991.1448977306722.JavaMail.zimbra@uoguelph.ca>
References: <9BC3EFA2-945F-4C86-89F6-778873B58469@cs.huji.ac.il> <20151116141433.GA31314@zxy.spb.ru> <1489367909.88538127.1447688459383.JavaMail.zimbra@uoguelph.ca> <20151116155710.GB31314@zxy.spb.ru> <1312967974.89238067.1447714816355.JavaMail.zimbra@uoguelph.ca> <20151130165940.GB31314@zxy.spb.ru> <183609075.112643195.1448924896262.JavaMail.zimbra@uoguelph.ca> <20151201074425.GD31314@zxy.spb.ru> <1745794347.113212991.1448977306722.JavaMail.zimbra@uoguelph.ca>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

On Tue, Dec 01, 2015 at 08:41:46AM -0500, Rick Macklem wrote:
> > > (Note that "host" here implies that the principal for the host-based
> > > credential is
> > > "host@.". --> What is after the "=" above is what is
> > > before the
> > > "@" in the host based principal name.)
> > > Then system operations are done as nobody, but users are done as that user
> > > (they need
> >
> > This is strange. I mount (by automount) as:
> >
> > /NFS -nfsv4,intr,soft,sec=krb5i,gssname=host storage01:/
> >
> I'd recommend that you never use "intr" or "soft" on NFSv4 mounts.
> (It's somewhere in a man page and basically if you use these and an
> RPC that does locking times out, you break the locking horribly.)

Without "intr" and "soft" I can get a stale mount and process (until reboot).
These are production servers and this is unacceptable.
Correct locking is least important for me; as a last resort I do `umount -f`.

> Also, I never use automount. I'd suggest you try the mount command
> typed manually and then once you have it working, then try the automount
> and see if it works.

I am debugging this manually, yes.

> > in rc.conf:
> > gssd_enable="YES"
> > gssd_flags="-h"
> >
> On the client, this looks correct.
>
> > In this case, I can't log in to a user with $HOME on this NFS --
> > root (sshd runs as root and PAM accounting runs as root -- check
> > .k5login and etc.) totally doesn't have access (10016).
> >
> This means that the client fell back to AUTH_SYS and the server
> doesn't accept that.
>
> Getting a home directory to work is harder than it should be and I
> don't even know how to make it work, because I haven't done it.
> The login must do a "kinit" so the user has access to the volume
> and I don't know how to set FreeBSD up to do the kinit as a part of
> the login. It also must be done early enough in the login, so that
> it happens before any access to the home dir is attempted.
> (To be honest, unless there is a way to do this in FreeBSD, you
> can forget about Kerberized NFS mounts for home dirs.)

The first access to the home directory is done as root, not as the user.
After root access, a ticket is created in /tmp/krb5cc_UID and home is
successfully accessed.

> I would start by testing a mount that isn't a home directory, so you
> can log into the machine (home dir not Kerberized NFS mounted) and
> then the user can "kinit" and then "cd /kerberized/mount" and see
> if it works.
> --> Once that works, I don't know how to do the rest.
> (I'm an NFS guy, not a Kerberos one.;-)
>
> Also, I don't know what effect having sshd etc running as root will
> be, since they will then be seen as running by "nobody" on the server.

As a last resort I can export with -maproot=root.

> > I avoid this by "kinit -k host/`hostname`" in crontab and startup
> > script, but maybe gssd is best for this functionality?
> >
> Shouldn't matter. "gssd -h" does exactly the same stuff as "kinit -k".
> (I wrote the code essentially cloning what "kinit -k" did.)

For mount only, not for root access from sshd, as far as I can see.
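The thread turns on three client-side settings: the security flavor and gssname= in the automount map line, the soft/intr options Rick warns against on NFSv4, and the gssd_enable/gssd_flags="-h" lines in rc.conf. The script below is an added example, not code from either poster or from FreeBSD: it audits those settings from a mount option string and an rc.conf fragment so the check can be run against a copy of the configuration without touching a live mount. The option names (nfsv4, sec=, gssname=, soft, intr) and rc.conf variables (gssd_enable, gssd_flags) are the real FreeBSD ones quoted in the thread; the sample inputs are constructed from the map line and rc.conf lines posted above.

```shell
#!/bin/sh
# Added example (not from the mailing list or FreeBSD): audit the
# Kerberized NFSv4 client settings discussed in the thread from plain
# strings, offline.  Findings are printed one per line; an empty output
# means nothing was flagged.

# Print the value of option NAME from a comma-separated mount option
# string: "yes" for a bare flag such as nfsv4, the value for key=value
# options such as sec=krb5i, and nothing if the option is absent.
nfs_opt_value() {
    printf '%s\n' "${1#-}" | tr ',' '\n' |
        awk -F= -v k="$2" '$1 == k { print ($2 == "" ? "yes" : $2); exit }'
}

# Audit one mount option string.  Always returns 0 so the output can be
# piped; the number of printed lines is the number of findings.
nfs_opts_audit() {
    opts=$1
    sec=$(nfs_opt_value "$opts" sec)
    gss=$(nfs_opt_value "$opts" gssname)
    case "$sec" in
        krb5|krb5i|krb5p)
            # Without gssname= there is no host-based credential for the
            # system RPCs that run as root/nobody (see the thread above).
            [ -n "$gss" ] ||
                echo "sec=$sec without gssname=: no host-based credential for system RPCs"
            ;;
        "")
            echo "no sec= option: mount uses AUTH_SYS, not Kerberos"
            ;;
        *)
            echo "sec=$sec is not a Kerberos flavor (krb5, krb5i, krb5p)"
            ;;
    esac
    # Rick's advice: soft/intr on NFSv4 break locking when a locking RPC
    # times out.  Only flag them when the mount is actually NFSv4.
    if [ -n "$(nfs_opt_value "$opts" nfsv4)" ]; then
        for opt in soft intr; do
            if [ -n "$(nfs_opt_value "$opts" "$opt")" ]; then
                echo "'$opt' on an NFSv4 mount: a locking RPC that times out leaves lock state inconsistent"
            fi
        done
    fi
    return 0
}

# Audit an rc.conf fragment passed as one string (last assignment wins,
# as in rc.conf itself).  Always returns 0; one line per finding.
rcconf_gssd_audit() {
    enable=$(printf '%s\n' "$1" | sed -n 's/^gssd_enable="*\([A-Za-z]*\)"*.*/\1/p' | tail -n 1)
    flags=$(printf '%s\n' "$1" | sed -n 's/^gssd_flags="*\([^"]*\)"*.*/\1/p' | tail -n 1)
    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *) echo "gssd_enable is not YES: Kerberos NFS mounts get no credentials" ;;
    esac
    case " $flags " in
        *" -h "*) ;;
        *) echo "gssd_flags lacks -h: gssd will not use the host keytab credential" ;;
    esac
    return 0
}

# Constructed samples taken from the thread's own map line and rc.conf.
map_opts='-nfsv4,intr,soft,sec=krb5i,gssname=host'
rc_conf='gssd_enable="YES"
gssd_flags="-h"'

echo "== mount options: $map_opts"
nfs_opts_audit "$map_opts"
echo "== rc.conf"
rcconf_gssd_audit "$rc_conf"
```

Run against the map line from the thread it reports the two soft/intr findings and nothing for the Kerberos settings; run against the posted rc.conf lines it reports nothing. Removing gssname= from the options, or changing gssd_enable to NO, adds a finding, which is the quickest way to see which half of the setup a broken client is missing before reaching for `umount -f`.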