Date:      Tue, 1 Dec 2015 08:48:06 -0500 (EST)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Slawa Olhovchenkov <slw@zxy.spb.ru>
Cc:        hackers@freebsd.org
Subject:   Re: NFSv4 details and documentations
Message-ID:  <182789855.113222942.1448977686720.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <20151201134009.GG31314@zxy.spb.ru>
References:  <9BC3EFA2-945F-4C86-89F6-778873B58469@cs.huji.ac.il> <1312967974.89238067.1447714816355.JavaMail.zimbra@uoguelph.ca> <20151130165940.GB31314@zxy.spb.ru> <183609075.112643195.1448924896262.JavaMail.zimbra@uoguelph.ca> <1530363546.112649399.1448925348701.JavaMail.zimbra@uoguelph.ca> <20151201075117.GE31314@zxy.spb.ru> <1739189176.113176689.1448975967722.JavaMail.zimbra@uoguelph.ca> <20151201134009.GG31314@zxy.spb.ru>

Slawa Olhovchenkov wrote:
> On Tue, Dec 01, 2015 at 08:19:27AM -0500, Rick Macklem wrote:
> 
> > Slawa Olhovchenkov wrote:
> > > On Mon, Nov 30, 2015 at 06:15:48PM -0500, Rick Macklem wrote:
> > > 
> > > > In GSS, the host based principal is <some-string>@<host>.<domain>. This
> > > > translates to:  <some-string>/<host>.<domain>@<KERBEROS-REALM> in the
> > > > KDC.
> > > 
> > > > For example:
> > > >   nfs-client.my.home - DNS name of the client machine
> > > >   MYREALM - Realm for Kerberos KDC
> > > >   - I want to have root work as "root".
> > > > --> I go to the KDC and create a principal name:
> > > >    root/nfs-client.my.home@MYREALM
> > > >    --> Then I create a keytab entry for this principal and transfer it to
> > > >        /etc/krb5.keytab on the client machine (nfs-client.my.home).
> > > >    --> Then I mount with: -o nfsv4,gssname=root
> > > >        and non-root users will have to kinit to access the server as
> > > >        themselves.
> > > 
> > > Is there a difference between gssname=host
> > > (host/nfs-client.my.home@MYREALM, which already exists) and gssname=root
> > > (creating and exporting an additional root/nfs-client.my.home@MYREALM)?
> > Oops, I was wrong. It shouldn't matter what the name before "@" is in the
> > client's keytab entry.
> > On old code I did for this (OpenBSD way back when), I had an option on the
> > gssd that would look up the name in the passwd database and create
> > credentials for that user.
> > 
> > From "man gssd" and a look at the code, that was never done for FreeBSD.
> > 
> > Sorry for misleading you, rick
> > ps: If I had done it and you used the option, then "root@..." would have
> >     become "root" on the server, etc.
> > 
> 
> You plan to use (in this case) the principal
> root@`hostname`@MYREALM in gssd? Or `gssname_from_mount`@`hostname`@MYREALM
> for root access? The last case is preferred for me: I create
> host/`hostname` in any case (for ssh access), and it is unnecessary to
> create an additional root/`hostname`.
> 
Actually I avoid Kerberos like the plague, so I don't plan on doing anything
with it. I can't even remember if the host based credential becomes nobody or
root on the server, although I thought it was nobody.
The traditional "security" game is "don't let any RPC be run as root". If someone
thinks having a way for the host-based credential to work as root is a needed feature,
they'll either need to come up with a patch or talk to me really nicely and try and
convince me to do it. (Remember I don't get paid $$$ to do this, and I hate
working with Kerberos...;-)

Personally, I wish there was a public key system supported by the GSS, since
using something like that would make more sense to me than messing with Kerberos,
but that isn't what the protocol gods have done.

rick
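The principal translation and server-side mapping discussed in the thread (GSS `<svc>@<host>.<domain>` vs. KDC `<svc>/<host>.<domain>@<REALM>`, and the old gssd option that looked the name up in passwd), as an added illustration that is not code from FreeBSD or from this thread. The mapping policy, the `passwd` table and the `map_host_based` switch are constructed assumptions that model the "don't run RPCs as root by default" rule Rick describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str       # "root", "host", or a plain user name
    instance: str   # FQDN for host-based principals, "" for user principals
    realm: str


def gss_to_kdc(gss_name: str, realm: str) -> Principal:
    """Translate GSS host-based form <svc>@<host>.<domain> into the
    KDC form <svc>/<host>.<domain>@<REALM>, as the thread explains."""
    svc, sep, host = gss_name.partition("@")
    if not sep or not svc or not host:
        raise ValueError(f"not a host-based GSS name: {gss_name!r}")
    return Principal(svc, host.lower(), realm)


def kdc_string(p: Principal) -> str:
    inst = f"/{p.instance}" if p.instance else ""
    return f"{p.name}{inst}@{p.realm}"


def parse_kdc(s: str) -> Principal:
    """Parse name[/instance]@REALM (realm is the part after the last '@')."""
    body, sep, realm = s.rpartition("@")
    if not sep or not body or not realm:
        raise ValueError(f"not a KDC principal: {s!r}")
    name, _, instance = body.partition("/")
    return Principal(name, instance.lower(), realm)


def map_to_local_user(p: Principal, passwd: dict, trusted_realm: str,
                      map_host_based: bool = False) -> str:
    """Constructed server-side policy: user principals from the trusted
    realm map to the matching local account; host-based principals fall
    back to 'nobody' unless map_host_based mimics the OpenBSD-era gssd
    option (look up the part before '@' in passwd). Anything unknown or
    from a foreign realm is squashed to 'nobody' rather than to root."""
    if p.realm != trusted_realm:
        return "nobody"
    if p.instance and not map_host_based:
        return "nobody"
    return p.name if p.name in passwd else "nobody"
```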
