From owner-freebsd-hackers Mon Jan 30 08:29:07 1995
Return-Path: hackers-owner
Received: (from root@localhost) by freefall.cdrom.com (8.6.9/8.6.6) id IAA04601 for hackers-outgoing; Mon, 30 Jan 1995 08:29:07 -0800
Received: from minnow.render.com (render.demon.co.uk [158.152.30.118]) by freefall.cdrom.com (8.6.9/8.6.6) with ESMTP id IAA04593 for ; Mon, 30 Jan 1995 08:28:45 -0800
Received: (from dfr@localhost) by minnow.render.com (8.6.9/8.6.9) id QAA28181; Mon, 30 Jan 1995 16:27:30 GMT
Date: Mon, 30 Jan 1995 16:27:29 +0000 (GMT)
From: Doug Rabson
To: hackers@FreeBSD.org
Subject: NFS with kerberos authentication
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: hackers-owner@FreeBSD.org
Precedence: bulk

I just saw this mentioned in the list and I thought I would give it a try
and see if it worked. The main problem with it was that the client's user
side authentication (in mount_nfs) was getting the wrong ticket file. The
code was using setreuid to try and change the real uid to the uid of the
user which needed authenticating. This has two problems:

1. setreuid() isn't fully supported in FreeBSD-2.0, specifically,
   mount_nfs's use of it was not supported.

2. Mount_nfs has no way of determining the correct ticket file to use
   since it cannot examine the KRBTKFILE environment variable of the
   process which initiated the authentication request.

I 'solved' it by leaving the uids alone and constructing the name of the
ticket file in the same way as src/usr.bin/login/klogin.c. This only works
for ordinary instances and fails for root instances since they generally
override the name of the default ticket file with the KRBTKFILE variable.

I think that what is really needed is for the process which is
authenticating to register the name of its ticket file and for this name
to be sent to mount_nfs to use for the authentication.

There also needs to be a minor change to krb_kntoln() to return 'root' as
the login name for root instances, otherwise nfsd will error when trying
to receive the authenticator for clients using a root instance.

--
Doug Rabson, RenderMorphics Ltd.
Mail:  dfr@render.com
Phone: +44 71 251 4411
FAX:   +44 71 251 0939
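
The uid-derived ticket file naming described in the message, as an added example that is not part of the original post and is not FreeBSD's mount_nfs or klogin.c code. It assumes the conventional Kerberos IV default of `/tmp/tkt` followed by the numeric uid; the function names are hypothetical, and the ownership and mode checks are an addition suited to a helper that runs as root and opens a path under /tmp on a user's behalf. Like the approach in the message, it does not see a KRBTKFILE override.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumption: the conventional Kerberos IV default prefix (TKT_ROOT). */
#define TKT_PREFIX "/tmp/tkt"

/* Build the default ticket file name for uid.
 * Returns 0 on success, -1 if buf is too small. */
int ticket_file_for_uid(uid_t uid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s%lu", TKT_PREFIX, (unsigned long)uid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Return 1 only if path is a regular file (not a symlink), owned by uid,
 * with no group/other access. Any local user can create files in /tmp,
 * so a root helper should refuse anything else. */
int ticket_file_usable(const char *path, uid_t uid)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return 0;                        /* missing: no tickets for this uid */
    if (!S_ISREG(st.st_mode))
        return 0;                        /* symlink, directory, fifo, ... */
    if (st.st_uid != uid)
        return 0;                        /* created by a different user */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return 0;                        /* accessible to group or others */
    return 1;
}

int main(void)
{
    char path[64];
    uid_t uid = getuid();

    if (ticket_file_for_uid(uid, path, sizeof path) != 0)
        return 1;
    printf("%s: %s\n", path,
           ticket_file_usable(path, uid) ? "usable" : "not usable");
    return 0;
}
```

The lstat() check and a later open() are separate steps, so a real helper would open the file and repeat the checks with fstat() on the descriptor.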