From owner-freebsd-hackers@FreeBSD.ORG Sat Apr 12 10:32:04 2014
Date: Sat, 12 Apr 2014 12:32:03 +0200
Subject: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)
From: Cedric Blancher
To: "freebsd-hackers@freebsd.org"
List-Id: Technical Discussions relating to FreeBSD
How hard is it to do this with FreeBSD's NFSv4 implementation?

Ced

---------- Forwarded message ----------
From: Wang Shouhua
Date: Sat, Apr 12, 2014 at 11:24 AM
Subject: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)
To: Kerberos@mit.edu

Let's recap:

1. Requirements:
- Linux or Solaris
- NFS automounter set up at /net
- Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
- An NFS server (version 4 only) nfsserver.most.gov.cn exists in the realm MOST.GOV.CN, with a subdir of test3

2. Goal:
A user provides his password to obtain a ticket for user2@MOST.GOV.CN (optionally nfs@MOST.GOV.CN, if this is a requirement to do a mount), and is then able to cd into /net/nfsserver.most.gov.cn/test3, and do a successful ls -al there.

Is that possible?

Wang

---------- Forwarded message ----------
From: Will Fiveash
Date: 11 April 2014 22:14
Subject: Re: Accessing Kerberos NFS via /net automounter with kinit only (no /etc/krb5.conf access)
To: Wang Shouhua
Cc: Kerberos@mit.edu

On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
> I am on Solaris 10U4 - can I access an NFS filesystem with (mandatory)
> krb5p authentication via the Solaris /net automounter with kinit only,
> without having r/w access to /etc/krb5.conf?

You'll need to have Solaris krb configured, which stores its config in /etc/krb5, not /etc as is the MIT default. You'll also need read access to /etc/krb5/krb5.conf and have the system properly configured to do NFS with krb in general (read the Solaris 10 online docs). Beyond that, whether a user kinit'ing is enough depends on which version of NFS you are using.
On the client side, NFSv3 sec=krb5p shares will automount if the user triggering the mount has a krb cred in their ccache (klist will show that); this does not require any keys in the system keytab, nor does it require root to have a krb cred in general. NFSv4, on the other hand, does require that root on the NFS client system have a krb cred in its ccache. This can be done either by running kinit as root or by having at least one set of keys for either the root/ or host/ service princ in the system keytab, which will be automatically used to acquire a krb cred for root. On the client system "nfsstat -m" will show what version of NFS is being used.

--
Will Fiveash
Oracle Solaris Software Engineer

--
Wang Shouhua - shouhuaw@gmail.com
Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

--
Cedric Blancher
Institute Pasteur
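As an added example (not part of the thread above, and not Solaris or FreeBSD code), the shell script below turns Will Fiveash's rules into a client-side pre-flight check: it reads the NFS version and security flavour of a mount from captured "nfsstat -m" output, looks for a host/ or root/ key in captured "klist -k" output, and reports which credential is still missing. The sample outputs and principal names are constructed, and the "Flags:" line layout and keytab listing format are assumptions about the tools' output.

```shell
#!/bin/sh
# Constructed sample of "nfsstat -m" output for one automounted share.
NFSSTAT_SAMPLE='/net/nfsserver.most.gov.cn/test3 from nfsserver.most.gov.cn:/export/test3
 Flags: vers=4,proto=tcp,sec=krb5p,hard,intr,link,symlink,acl,rsize=32768,wsize=32768'

# Constructed sample of "klist -k" output with a host/ key (Solaris keytab path).
KEYTAB_WITH_HOST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- -----------------------------------------------
   3 host/client.example2.com@EXAMPLE2.COM
   3 nfs/client.example2.com@EXAMPLE2.COM'

# Constructed sample of a keytab that has only an nfs/ key, no host/ or root/.
KEYTAB_NO_HOST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- -----------------------------------------------
   3 nfs/client.example2.com@EXAMPLE2.COM'

# Print the value of one mount flag (e.g. vers, sec) from nfsstat -m text.
mount_flag() {  # $1 = nfsstat -m output, $2 = flag name
    printf '%s\n' "$1" | grep -o "$2=[^,]*" | head -n1 | cut -d= -f2
}

# Succeed if the keytab listing has a host/ or root/ principal, which the
# client can use to acquire a Kerberos cred for root automatically.
keytab_has_root_or_host() {  # $1 = klist -k output
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[0-9]+[[:space:]]+(host|root)/'
}

# Decide whether a Kerberos automount can succeed; prints the verdict and
# returns 0 when it can.  $1 nfsstat -m text, $2 klist -k text,
# $3 user has a ticket in the ccache (yes/no), $4 root has one (yes/no).
check_krb_mount() {
    vers=$(mount_flag "$1" vers); sec=$(mount_flag "$1" sec)
    case "$sec" in
        krb5|krb5i|krb5p) ;;
        *) echo "not a Kerberos mount (sec=$sec)"; return 0 ;;
    esac
    # Every version needs the triggering user's own ticket (kinit).
    [ "$3" = yes ] || { echo "missing: user ticket (run kinit)"; return 1; }
    # NFSv3: the user's ticket alone is enough.
    [ "$vers" = 4 ] || { echo "ok: NFSv$vers needs only the user's ticket"; return 0; }
    # NFSv4: root also needs a cred, from its ccache or via a host/ or root/ key.
    if [ "$4" = yes ] || keytab_has_root_or_host "$2"; then
        echo "ok: NFSv4 root cred available"; return 0
    fi
    echo "missing: NFSv4 root cred (kinit as root, or host/ or root/ key in keytab)"
    return 1
}
```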