Date: Tue, 1 Dec 2015 08:48:06 -0500 (EST)
From: Rick Macklem
To: Slawa Olhovchenkov
Cc: hackers@freebsd.org
Message-ID: <182789855.113222942.1448977686720.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <20151201134009.GG31314@zxy.spb.ru>
Subject: Re: NFSv4 details and documentations
Slawa Olhovchenkov wrote:
> On Tue, Dec 01, 2015 at 08:19:27AM -0500, Rick Macklem wrote:
>
> > Slawa Olhovchenkov wrote:
> > > On Mon, Nov 30, 2015 at 06:15:48PM -0500, Rick Macklem wrote:
> > >
> > > > In GSS, the host based principal is @.. This
> > > > translates to: /.@ in the
> > > > KDC.
> > > >
> > > > For example:
> > > > nfs-client.my.home - DNS name of the client machine
> > > > MYREALM - Realm for Kerberos KDC
> > > > - I want to have root work as "root".
> > > > --> I go to the KDC and create a principal name:
> > > >     root/nfs-client.my.home@MYREALM
> > > > --> Then I create a keytab entry for this principal and transfer it to
> > > >     /etc/krb5.keytab on the client machine (nfs-client.my.home).
> > > > --> Then I mount with: -o nfsv4,gssname=root
> > > >     and non-root users will have to kinit to access the server as
> > > >     themselves.
> > >
> > > Is there a difference between gssname=host
> > > (host/nfs-client.my.home@MYREALM already exists) and gssname=root
> > > (and creating and exporting an additional root/nfs-client.my.home@MYREALM)?
> >
> > Oops, I was wrong. It shouldn't matter what the name before "@" is in the
> > client's keytab entry.
> > On old code I did for this (OpenBSD way back when), I had an option on the
> > gssd that would look up the name in the passwd database and create
> > credentials for that user.
> >
> > From "man gssd" and a look at the code, that was never done for FreeBSD.
> >
> > Sorry for misleading you, rick
> > ps: If I had done it and you used the option, then "root@..." would have
> > become "root" on the server, etc.
>
> You plan to use (in this case) in gssd the principal
> root@`hostname`@MYREALM? Or `gssname_from_mount`@`hostname`@MYREALM
> for root access? The last case is preferred for me; I create
> host/`hostname` in any case (for ssh access), and it is unnecessary to
> create an additional root/`hostname`.
>
Actually I avoid Kerberos like the plague, so I don't plan on doing anything
with it. I can't even remember if the host based credential becomes nobody or
root on the server, although I thought it was nobody.
The traditional "security" game is "don't let any RPC be run as root".
If someone thinks having a way for the host-based credential to work as root
is a needed feature, they'll either need to come up with a patch or talk to me
really nicely and try and convince me to do it.
(Remember I don't get paid $$$ to do this and since I hate working with
Kerberos...;-)

Personally, I wish there was a public key system supported by the GSS, since
using something like that would make more sense to me than messing with
Kerberos, but that isn't what the protocol gods have done.

rick
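As an added illustration of the principal-to-credential mapping the thread is discussing (this is not FreeBSD's gssd code nor anything from the list), the following models how an RPCSEC_GSS client principal such as root/nfs-client.my.home@MYREALM could be turned into a local uid on the server while keeping the "don't let any RPC run as root" rule. The passwd table, the realm MYREALM and the `trust_host_principals` switch (standing in for the optional passwd lookup Rick describes from his old OpenBSD gssd) are assumptions; mapping host-based credentials to nobody by default follows Rick's recollection rather than a documented FreeBSD behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the NFS server's passwd database (assumption).
PASSWD = {"root": 0, "nobody": 65534, "alice": 1001}
NOBODY = PASSWD["nobody"]
LOCAL_REALM = "MYREALM"  # realm name taken from the thread's example


@dataclass(frozen=True)
class Principal:
    primary: str             # part before "/" or "@", e.g. "root" or "alice"
    instance: Optional[str]  # host part of a host-based principal, or None
    realm: str               # Kerberos realm after "@"


def parse_principal(name: str) -> Principal:
    """Split 'primary[/instance]@REALM' into its components."""
    local, sep, realm = name.rpartition("@")
    if not sep or not local or not realm:
        raise ValueError("malformed Kerberos principal: %r" % name)
    primary, _, instance = local.partition("/")
    if not primary:
        raise ValueError("malformed Kerberos principal: %r" % name)
    return Principal(primary, instance or None, realm)


def map_to_uid(name: str, trust_host_principals: bool = False) -> int:
    """Return the local uid an RPC authenticated as `name` would run with.

    trust_host_principals is a hypothetical option modelling the old gssd
    behaviour: look the primary of a host-based principal up in passwd.
    Whatever the option says, uid 0 is never handed out through this path.
    """
    p = parse_principal(name)
    if p.realm != LOCAL_REALM:
        return NOBODY  # foreign realm: no local identity to map to
    if p.instance is not None:
        # host-based credential (host/... or root/... from the keytab)
        if not trust_host_principals:
            return NOBODY
        uid = PASSWD.get(p.primary, NOBODY)
    else:
        # user principal obtained via kinit: map by name
        uid = PASSWD.get(p.primary, NOBODY)
    return NOBODY if uid == 0 else uid
```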