Date: Tue, 1 Dec 2015 17:12:58 -0500 (EST)
From: Rick Macklem
To: Benjamin Kaduk
Cc: hackers@freebsd.org
Message-ID: <1162872124.114408327.1449007978859.JavaMail.zimbra@uoguelph.ca>
Subject: Re: NFSv4 details and documentations

Benjamin Kaduk wrote:
> On Mon, 30 Nov 2015, Rick Macklem wrote:
>
> > Yes, it is confusing, but that's Kerberos for you;-) rick
>
> Well, just Kerberos by itself is hardly this bad. The way it has been
> integrated with NFS is all kinds of special and diverges from Kerberos
> best practices in several ways, as if it was designed by someone without
> prior Kerberos experience.
>
> -Ben

I wasn't involved in the Kerberized NFS design (it was done at Sun before IETF took over NFS stuff). They chose a "user authentication" model and not a "host authentication" (or per mount if you'd prefer) and I'm not sure that was the correct choice.

Are you able to explain how sshd is configured to do a kinit for the user as they ssh into a machine?

rick