From owner-freebsd-hackers Mon Jan 30 10:38:12 1995
Return-Path: hackers-owner
Received: (from root@localhost) by freefall.cdrom.com (8.6.9/8.6.6) id KAA06620 for hackers-outgoing; Mon, 30 Jan 1995 10:38:12 -0800
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.cdrom.com (8.6.9/8.6.6) with SMTP id KAA06610 for ; Mon, 30 Jan 1995 10:38:05 -0800
Received: by halloran-eldar.lcs.mit.edu; id AA16079; Mon, 30 Jan 1995 13:36:24 -0500
Date: Mon, 30 Jan 1995 13:36:24 -0500
From: Garrett Wollman
Message-Id: <9501301836.AA16079@halloran-eldar.lcs.mit.edu>
To: Doug Rabson
Cc: hackers@FreeBSD.org
Subject: NFS with kerberos authentication
In-Reply-To:
References:
Sender: hackers-owner@FreeBSD.org
Precedence: bulk

< said:

> 2. Mount_nfs has no way of determining the correct ticket file to use
> since it cannot examine the KRBTKFILE environment variable of the process
> which initiated the authentication request.

It's not clear that it /should/ do so...

> I 'solved' it by leaving the uids alone and constructing the name of the
> ticket file in the same way as src/usr.bin/login/klogin.c. This only
> works for ordinary instances and fails for root instances since they
> generally override the name of the default ticket file with the KRBTKFILE
> variable.

root instances are not intended to be network superusers.

> I think that what is really needed is for the process which is
> authenticating to register the name of its ticket file and for this name
> to be sent to mount_nfs to use for the authentication.

At MIT, a user-level daemon is used to directly pass the authentication
from the user program to the server, with no modification of the NFS
client or server code. (At LCS this program is called `fsauth'.)

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish. - Claude McKenzie + Florent Vollant