Date: Mon, 30 Jan 1995 16:27:29 +0000 (GMT) From: Doug Rabson <dfr@render.com> To: hackers@FreeBSD.org Subject: NFS with kerberos authentication Message-ID: <Pine.BSF.3.91.950130161202.27708D-100000@minnow.render.com>
next in thread | raw e-mail | index | archive | help
I just saw this mentioned in the list and I thought I would give it a try and see if it worked. The main problem with it was that the client's user side authentication (in mount_nfs) was getting the wrong ticket file. The code was using setreuid to try and change the real uid to the uid of the user which needed authenticating. This has two problems: 1. setreuid() isn't fully supported in FreeBSD-2.0, specifically, mount_nfs's use of it was not supported. 2. Mount_nfs has no way of determining the correct ticket file to use since it cannot examine the KRBTKFILE environment variable of the process which initiated the authentication request. I 'solved' it by leaving the uids alone and constructing the name of the ticket file in the same way as src/usr.bin/login/klogin.c. This only works for ordinary instances and fails for root instances since they generally override the name of the default ticket file with the KRBTKFILE variable. I think that what is really needed is for the process which is authenticating to register the name of its ticket file and for this name to be sent to mount_nfs to use for the authentication. There also needs to be a minor change to krb_kntoln() to return 'root' as the login name for root instances, otherwise nfsd will error when trying to recieve the authenticator for clients using a root instance. -- Doug Rabson, RenderMorphics Ltd. Mail: dfr@render.com Phone: +44 71 251 4411 FAX: +44 71 251 0939
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.950130161202.27708D-100000>