Date:      Tue, 17 Nov 2015 08:18:20 +0300
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        Rick Macklem <rmacklem@uoguelph.ca>
Cc:        hackers@freebsd.org
Subject:   Re: NFSv4 details and documentations
Message-ID:  <20151117051820.GD31314@zxy.spb.ru>
In-Reply-To: <1312967974.89238067.1447714816355.JavaMail.zimbra@uoguelph.ca>
References:  <9BC3EFA2-945F-4C86-89F6-778873B58469@cs.huji.ac.il> <20151115152635.GB5854@kib.kiev.ua> <3AEC67FD-2E67-4EF9-9D46-818ABF3D8118@cs.huji.ac.il> <661673285.88370232.1447682409478.JavaMail.zimbra@uoguelph.ca> <20151116141433.GA31314@zxy.spb.ru> <1489367909.88538127.1447688459383.JavaMail.zimbra@uoguelph.ca> <20151116155710.GB31314@zxy.spb.ru> <1312967974.89238067.1447714816355.JavaMail.zimbra@uoguelph.ca>

On Mon, Nov 16, 2015 at 06:00:16PM -0500, Rick Macklem wrote:

> Slawa Olhovchenkov wrote:
> > On Mon, Nov 16, 2015 at 10:40:59AM -0500, Rick Macklem wrote:
> > 
> > > Slawa Olhovchenkov wrote:
> > > > On Mon, Nov 16, 2015 at 09:00:09AM -0500, Rick Macklem wrote:
> > > > 
> > > > > There is a vfs operation called VFS_SYSCTL(). This isn't implemented on
> > > > > the current NFS client. It was implemented on the old one, but only for
> > > > > NFS locking events and I didn't understand what needed to be done, so I
> > > > > didn't do it.
> > > > 
> > > > Rick, I am trying to play with NFSv4 and Kerberos and see a lack of
> > > > documentation. For example, it is nowhere documented that access to an NFSv4
> > > > mount is done by NFSv3 rules. I.e. I need to have /etc/exports with TWO lines:
> > > > 
> > > > V4: /NFS    -sec=krb5i
> > > > /NFS    -sec=krb5i
> > > > 
> > > > W/o the second line I got a 10020 error (for NFSv4 mount).
> > > > 
> > > Well, "man exports" does try and say this (and I've reworded it several
> > > times), but it is confusing. In simple terms, the "V4:" line does not
> > > export any file system and needs to be added to whatever you export via
> > > other lines.
> > 
> > As I read this: adding '/NFS 127.0.0.1' is enough and secure.
> This would export the mount to the local machine only (127.0.0.1 is localhost).
> That is true of NFSv3 as well. If you get the exports working for NFSv3 (which
> can be used with Kerberos, you don't need NFSv4 to use Kerberos), then you just
> add the "V4: .." line to define where in the server's file system the NFSv4
> root is.

I would like only one line 'V4: /NFS    -sec=krb5i' and don't need
NFSv3 at all. But I see this is impossible and the documentation doesn't
clearly describe this. I'm trying to point out this documentation weakness:
NFSv3 permission checks for NFSv4 mounts.

> > But this is wrong: not only exported, access control too.
> > Maybe for an NFS guru this is trivial, but for ordinary users this is confusing.
> > 
> > > > What is the current status of Kerberos support in the NFS client/server? I found
> > > > many posts and wiki pages about lack of some functionality, but also see
> > > > much work from you.
> > > > 
> > > The main limitation (which comes from the fact that the RPCSEC_GSS
> > > implementation is version 1) is that it expects to use DES, which
> > > requires "weak authentication" to be enabled. Although the parts about
> > > adding patches for initiator credentials no longer apply, this is still
> > > fairly useful.
> > 
> > Hmm, I have set up Kerberized NFS w/o "weak authentication" enabled,
> > mounted as
> > 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What requires
> > DES in RPCSEC_GSS? (For me as a user, how can I see what is broken? Some
> > commands don't work, or something else?)
> > 
> Well, if the mount is working, you aren't broken. I do recommend against
> using "soft" or "intr" on NFSv4 mounts, because the locking stuff

W/o this I can get a blocked client side, which can be recovered only by reboot.
This is a shortcoming of the Unix architecture -- uninterruptible open/close/disk IO.

> (which includes file opens) breaks if an RPC gets interrupted.
> That is on one of the man pages, maybe "man nfsv4".
> 
> Usually you can't create the keytab entries unless you enable weak authentication,
> but if you've gotten it working, be happy;-)
> (DES is used for krb5p and none of the Kerberized NFS stuff works for
>  encryption types with larger keys than 8 bytes, from what I know. I
>  always used des-cbc-crc, because that is what all clients/servers are
>  supposed to support. Once you move away from that, you are experimenting
>  and it works or not.)

This works: the mount succeeds and I can access the NFS share from my user account.
Maybe later I will see some problems?

> Have fun with it, rick
> 
> > > https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
> > 
> > Yes, I am talking about this.
> > 
> > > Anyone willing to improve/update this is more than welcome to do so. (I,
> > > personally, haven't set up a Kerberized NFS for a couple of years and I
> > > hate fiddling with it.
> > > When something isn't working, isolating the problem can be very difficult.)
> > 
> > Yes, I already see it.
> > 
> > > Good luck with it, rick
> > > ps: I put it on google as a wiki so anyone could update it, but I don't
> > >     think anyone ever has. As I recall, anyone with a google login can update it.
> > > 
> > > > Can you give some examples for a Kerberized setup, with support for cron
> > > > jobs?
> > > > _______________________________________________
> > > > freebsd-hackers@freebsd.org mailing list
> > > > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> > > > To unsubscribe, send any mail to
> > > > "freebsd-hackers-unsubscribe@freebsd.org"
> > > > 
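The exports(5) pitfall this thread turns on, as an added example that is not code from the thread, from Rick Macklem, or from FreeBSD: a "V4:" line only names the NFSv4 root, and every path under it still needs an ordinary export line before a client can mount it. The sh/awk lint below (the name `lint_exports` and both sample files are constructed for this example) flags any "V4:" root that has no export line at or beneath it; the only-"V4:" file is the single-line form the poster wanted, the two-line file is the form that actually works. The error number the poster reports, 10020, is NFS4ERR_NOFILEHANDLE in the NFSv4 error table. Options such as -alldirs and multiple "V4:" lines are deliberately not modelled.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD.
#
# lint_exports FILE
#   For every "V4: <root> ..." line in an exports(5) file, require at least
#   one ordinary export line whose directory is <root> or lies under it.
#   A "V4:" line alone defines the NFSv4 root but exports nothing.
#   Returns 0 when every V4 root is backed by an export line, 1 otherwise.
#   Assumption: one "V4:" line, absolute paths, no -alldirs semantics.
lint_exports() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        $1 == "V4:" { roots[$2] = 1; next }              # NFSv4 root line
        $1 ~ /^\// {                                     # export line: the
            for (i = 1; i <= NF && $i ~ /^\//; i++)      # leading "/..." fields
                exps[$i] = 1                             # are the directories
            next
        }
        END {
            bad = 0
            for (r in roots) {
                ok = 0
                for (e in exps)
                    if (r == "/" || e == r || index(e, r "/") == 1) { ok = 1; break }
                if (!ok) {
                    print "V4 root " r " has no export line under it;" \
                          " NFSv4 mounts fail with NFS4ERR_NOFILEHANDLE (10020)"
                    bad = 1
                }
            }
            exit bad
        }' "$1"
}

# Constructed sample files (not from the thread).  The first is the
# single "V4:" line the poster wanted; the second adds the export line
# that grants access and restricts it to one network.
broken=$(mktemp); fixed=$(mktemp)
cat > "$broken" <<'EOF'
V4: /NFS    -sec=krb5i
EOF
cat > "$fixed" <<'EOF'
V4: /NFS    -sec=krb5i
/NFS        -sec=krb5i -network 192.0.2.0/24
EOF
for f in "$broken" "$fixed"; do
    if lint_exports "$f"; then echo "$f: ok"; fi
done
rm -f "$broken" "$fixed"
```

The check is intentionally about presence, not policy: a matching line of just `/NFS` with no host list or `-network` would pass the lint but export to everyone, so treat a clean result as "the NFSv4 root is reachable", not as "the export is locked down".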

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20151117051820.GD31314>