Date: Mon, 15 Apr 2024 15:14:18 -0700 From: Rick Macklem <rick.macklem@gmail.com> To: Andreas Kempe <kempe@lysator.liu.se> Cc: freebsd-fs@freebsd.org Subject: Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access Message-ID: <CAM5tNy4RdD4xNj49k=85k%2Bo9N0ep9pHLb3TAdBJ460VsX1P_Qg@mail.gmail.com> In-Reply-To: <Zh2FqXMQgq9rcc-A@shipon.lysator.liu.se> References: <CAM5tNy7YM6bRKTX3pLR8hC-a-cmxXA=wv4j0E8cBWGthbxzLdQ@mail.gmail.com> <ZgRUqkl1zVxMPt6K@shipon.lysator.liu.se> <CAM5tNy68W16ut4vR1Y9xxPwaU%2BT%2Bt8fU8dwg3DbfhMT5h5iEDQ@mail.gmail.com> <ZgVKehV_9ePUBdwd@shipon.lysator.liu.se> <CAM5tNy4ye6BwYAZ%2BVYQOgDnSjAmyg%2BCCu=XCm-%2BDZucfrfwgKw@mail.gmail.com> <CAM5tNy4%2BbUc0VMY8i_E9P-pT0CEOXHpKzitMuKYzydH465OBGg@mail.gmail.com> <ZgiIAyDKPlCr1c9C@shipon.lysator.liu.se> <CAM5tNy5GbbZSJ3sOALx6zUkZz_7BJGzQ_63srVK88RFecb_eCQ@mail.gmail.com> <Zhv1jtKU8lRdKOul@shipon.lysator.liu.se> <CAM5tNy5a-CALZdrHhCQ1akmR3=BqeEK8EFb6UxZ%2BCOp38u3bTg@mail.gmail.com> <Zh2FqXMQgq9rcc-A@shipon.lysator.liu.se>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Apr 15, 2024 at 12:53=E2=80=AFPM Andreas Kempe <kempe@lysator.liu.s= e> wrote: > > On Sun, Apr 14, 2024 at 12:30:22PM -0700, Rick Macklem wrote: > > On Sun, Apr 14, 2024 at 8:26=E2=80=AFAM Andreas Kempe <kempe@lysator.li= u.se> wrote: > > > Am I correct in thinking that Kerberos isn't really designed to be > > > used for only authenticating the machine? Users having to always have > > > their own valid Kerberos ticket doesn't really work for us. > > Yes. The "host" keytab credential is a "hack". Kerberos calls them > > service principals and they were not intended to authenticate a machine > > when Kerberos was designed. > > > > If users are running cron jobs, then one way around the problem > > is to have the KDC issue renewable tickets and then run a daemon > > (can't remember the name, but it is easy to find and opensourced) > > that renews TGTs. (This only works up to the renew limit of the KDC > > config.) > > > > I have seen that this should be possible, the Linux SSSD daemon can do > that. We do still have the issue of users having to log on to every > system after a reboot to init a ticket so I still don't think it would > be ideal for us. > > > NFS-over-TLS (called RPC-over-TLS by the Linux folk) does allow > > a client to provide a X.509 certificate during TLS handshake to > > identify the client machine and the TLS encrypts everything on > > the wire to avoid middleman attacks or snoopers. > > It does not identify users on the server, unless TLS identity > > squashing is used via the X.509 certificate to make all RPCs > > done by a user. (This has the advantage that it is not "nobody", > > but is only useful for things like laptops, that are only used by > > one user. It does have the advantage that there are no tickets > > to expire, although there is a, usually long, expiration on the X.509 > > certificate.) > > > > If I'm running NFS with TLS without TLS identity squashing, does this > mean that users are resolved the same way they are with sec=3Dsys? It depends on what mount options are used. For FreeBSD clients, sec=3Dsys is the default, so that is what will be used unless "sec=3Dkrb5" is specifi= ed. I am not sure how the Linux client decides this. (It may be sec=3Dsys as well, but I am not sure?) > If > so, this could be the solution we are looking for if I can make sure > that all our Linux systems that need to mount have a new enough Linux > kernel to support it. Yep. I know the kernel patches now exist, but I do not know what kernel version you need to get them. rick > > // Andreas Kempe
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAM5tNy4RdD4xNj49k=85k%2Bo9N0ep9pHLb3TAdBJ460VsX1P_Qg>