Date: Sat, 12 Apr 2014 19:28:49 -0400 (EDT)
From: Rick Macklem
To: Cedric Blancher
Cc: freebsd-hackers@freebsd.org
Message-ID: <703720810.10243218.1397345329008.JavaMail.root@uoguelph.ca>
Subject: Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)
Cedric Blancher wrote:
> How hard is it to do this with FreeBSD's NFSv4 implementation?
>
Well, amd doesn't know how to do nmount(2) { it still uses the old mount(2) syscall } and, as such, can't do an NFSv4 mount.
- You can't automount NFSv4.

FreeBSD's NFSv4 client can do a mount with a user's credential (no system credential in the default keytab file) if non-root mounts are enabled, but the mount command must be done manually by the user after logging in.

rick

> Ced
>
> ---------- Forwarded message ----------
> From: Wang Shouhua
> Date: Sat, Apr 12, 2014 at 11:24 AM
> Subject: Accessing Kerberos NFS version 4 (not 2, 3) via /net
> automounter with kinit only (no /etc/krb5.conf access)
> To: Kerberos@mit.edu
>
>
> Let's recap:
>
> 1. Requirements:
> - Linux or Solaris
> - NFS automounter set up at /net
> - Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
> - An NFS server (version 4 only) nfsserver.most.gov.cn exists in the
> realm MOST.GOV.CN, with a subdir of test3
>
> 2. Goal:
> A user provides his password to obtain a ticket for user2@MOST.GOV.CN
> (optionally nfs@MOST.GOV.CN, if this is a requirement to do a mount),
> and is then able to cd into /net/nfsserver.most.gov.cn/test3, and do a
> successful ls -al there
>
> Is that possible?
>
> Wang
>
> ---------- Forwarded message ----------
> From: Will Fiveash
> Date: 11 April 2014 22:14
> Subject: Re: Accessing Kerberos NFS via /net automounter with kinit
> only (no /etc/krb5.conf access)
> To: Wang Shouhua
> Cc: Kerberos@mit.edu
>
>
> On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
> > I am on Solaris 10U4 - can I access a NFS filesystem with (mandatory)
> > krb5p authentication via the Solaris /net automounter with kinit only,
> > without having r/w access to /etc/krb5.conf?
>
> You'll need to have Solaris krb configured which stores its config in
> /etc/krb5 not /etc as is the MIT default. You'll also need read access
> to /etc/krb5/krb5.conf and have the system properly configured to do NFS
> with krb in general (read the Solaris 10 online docs).
>
> Beyond that, whether a user kinit'ing is enough depends on which version
> of NFS you are using. On the client side NFSv3 sec=krb5p shares will
> automount if the user triggering the mount has a krb cred in their
> ccache (klist will show that) and does not require any keys in the
> system keytab nor does it require root to have a krb cred in general.
>
> NFSv4 on the other hand does require that the root on the NFS client
> system have a krb cred in its ccache. This can be done either by
> running kinit as root or having at least one set of keys for either the
> root/ or host/ service princ in the system keytab which will
> be automatically used to acquire a krb cred for root.
>
> On the client system "nfsstat -m" will show what version of NFS is being
> used.
>
> --
> Will Fiveash
> Oracle Solaris Software Engineer
>
>
> --
> Wang Shouhua - shouhuaw@gmail.com
> Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> --
> Cedric Blancher
> Institute Pasteur
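Rick's point is that an NFSv4 mount on FreeBSD goes through nmount(2), which takes name/value option pairs rather than the fixed argument block of the old mount(2) that amd uses. The following is an added illustration, not code from the thread or from FreeBSD: it builds the iovec list for the manual, user-credential mount Rick describes (options "fstype", "fspath", "from", "nfsv4" and "sec" are the names FreeBSD's mount_nfs(8) passes; the helper functions and the host:/export path are hypothetical) and only issues the real nmount(2) call when compiled on FreeBSD.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/uio.h>
#ifdef __FreeBSD__
#include <sys/mount.h>
#endif

/* Append one name/value pair. nmount(2) expects iov_len to include the
 * terminating NUL; a NULL value with length 0 is a flag-style option. */
static size_t add_opt(struct iovec *iov, size_t n, const char *name,
                      const char *val)
{
    iov[n].iov_base = (void *)name;
    iov[n].iov_len = strlen(name) + 1;
    iov[n + 1].iov_base = (void *)val;
    iov[n + 1].iov_len = val ? strlen(val) + 1 : 0;
    return n + 2;
}

/* Option list for "mount -t nfs -o nfsv4,sec=<sec> <from> <mntpt>";
 * returns the number of iovec entries filled (always even). */
size_t build_nfsv4_iov(struct iovec *iov, const char *from,
                       const char *mntpt, const char *sec)
{
    size_t n = 0;
    n = add_opt(iov, n, "fstype", "nfs");
    n = add_opt(iov, n, "fspath", mntpt);
    n = add_opt(iov, n, "from", from);   /* host:/export */
    n = add_opt(iov, n, "nfsv4", NULL);  /* NFSv4 only, no value */
    n = add_opt(iov, n, "sec", sec);     /* krb5, krb5i or krb5p */
    return n;
}

/* Mount with the calling user's credential (hypothetical wrapper): on
 * FreeBSD this needs vfs.usermount=1 and a ticket in the user's ccache.
 * Elsewhere there is no nmount(2), so report ENOSYS instead. */
int user_nfsv4_mount(const char *from, const char *mntpt, const char *sec)
{
    struct iovec iov[10];
    size_t n = build_nfsv4_iov(iov, from, mntpt, sec);
#ifdef __FreeBSD__
    return nmount(iov, (unsigned int)n, 0);
#else
    (void)n;
    errno = ENOSYS;
    return -1;
#endif
}
```

The mount point must already exist and be owned by the user, as for any non-root mount; the kernel's GSS layer then picks up the ticket kinit placed in that user's ccache.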