From: Cedric Blancher
To: Rick Macklem
Cc: "freebsd-hackers@freebsd.org"
Date: Sun, 13 Apr 2014 16:06:06 +0200
Subject: Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)
In-Reply-To: <703720810.10243218.1397345329008.JavaMail.root@uoguelph.ca>
List-Id: Technical Discussions relating to FreeBSD

On 13 April 2014 01:28, Rick Macklem wrote:
> Cedric Blancher wrote:
>> How hard is it to do this with FreeBSD's NFSv4 implementation?
>>
> Well, amd doesn't know how to do nmount(2) { it still uses the old
> mount(2) syscall } and, as such, can't do an NFSv4 mount.
> - You can't automount NFSv4.
>
> FreeBSD's NFSv4 client can do a mount with a user's credential
> (no system credential in the default keytab file)

Which system credential? nfs/, host/ or root/?

> if non-root
> mounts are enabled, but the mount command must be done manually
> by the user after logging in.

No automounter?

Ced

>
> rick
>
>> Ced
>>
>> ---------- Forwarded message ----------
>> From: Wang Shouhua
>> Date: Sat, Apr 12, 2014 at 11:24 AM
>> Subject: Accessing Kerberos NFS version 4 (not 2, 3) via /net
>> automounter with kinit only (no /etc/krb5.conf access)
>> To: Kerberos@mit.edu
>>
>>
>> Let's recap:
>>
>> 1. Requirements:
>> - Linux or Solaris
>> - NFS automounter set up at /net
>> - Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
>> - An NFS server (version 4 only) nfsserver.most.gov.cn exists in the
>> realm MOST.GOV.CN, with a subdir of test3
>>
>> 2. Goal:
>> A user provides his password to obtain a ticket for user2@MOST.GOV.CN
>> (optionally nfs@MOST.GOV.CN, if this is a requirement to do a mount),
>> and is then able to cd into /net/nfsserver.most.gov.cn/test3, and do a
>> successful ls -al there
>>
>> Is that possible?
>>
>> Wang
>>
>> ---------- Forwarded message ----------
>> From: Will Fiveash
>> Date: 11 April 2014 22:14
>> Subject: Re: Accessing Kerberos NFS via /net automounter with kinit
>> only (no /etc/krb5.conf access)
>> To: Wang Shouhua
>> Cc: Kerberos@mit.edu
>>
>>
>> On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
>> > I am on Solaris 10U4 - can I access a NFS filesystem with (mandatory)
>> > krb5p authentication via the Solaris /net automounter with kinit only,
>> > without having r/w access to /etc/krb5.conf)?
>>
>> You'll need to have Solaris krb configured which stores its config in
>> /etc/krb5 not /etc as is the MIT default. You'll also need read access
>> to /etc/krb5/krb5.conf and have the system properly configured to do NFS
>> with krb in general (read the Solaris 10 online docs).
>>
>> Beyond that, whether a user kinit'ing is enough depends on which version
>> of NFS you are using. On the client side NFSv3 sec=krb5p shares will
>> automount if the user triggering the mount has a krb cred in their
>> ccache (klist will show that) and does not require any keys in the
>> system keytab nor does it require root to have a krb cred in general.
>>
>> NFSv4 on the other hand does require that the root on the NFS client
>> system have a krb cred in its ccache. This can be done either by
>> running kinit as root or having at least one set of keys for either the
>> root/ or host/ service princ in the system keytab which will
>> be automatically used to acquire a krb cred for root.
>>
>> On the client system "nfsstat -m" will show what version of NFS is being
>> used.
>>
>> --
>> Will Fiveash
>> Oracle Solaris Software Engineer
>>
>>
>> --
>> Wang Shouhua - shouhuaw@gmail.com
>> Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>> --
>> Cedric Blancher
>> Institute Pasteur
>> _______________________________________________
>> freebsd-hackers@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>> To unsubscribe, send any mail to
>> "freebsd-hackers-unsubscribe@freebsd.org"

--
Cedric Blancher
Institute Pasteur
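The credential rule Will Fiveash gives in the quoted message (NFSv3 krb5 automounts on the requesting user's ticket alone; NFSv4 needs root to hold a ticket, either from its own ccache or acquired from a host/ or root/ key in the system keytab), turned into a client-side check. This is an added example, not code from anyone in the thread. It assumes two input formats: the "Flags:" line printed by Solaris "nfsstat -m" (a comma-separated mount-option list) and an MIT/Solaris "klist -k" keytab listing; all sample data below is constructed. It also encodes the answer to the "nfs/, host/ or root/?" question as the thread states it: an nfs/ key alone does not give root a credential.

```shell
#!/bin/sh
# Added example (not from the thread): decide which credential a Kerberized
# NFS automount will rely on, following the rule given in the thread:
#   sec=sys                      -> Kerberos not involved
#   NFSv3 + sec=krb5/krb5i/krb5p -> the requesting user's own ticket suffices
#   NFSv4 + sec=krb5/krb5i/krb5p -> root needs a ticket: from its own ccache,
#                                   or acquired automatically from a host/ or
#                                   root/ key in the system keytab
# Assumed input formats: the "Flags:" line of Solaris "nfsstat -m" and an
# MIT/Solaris "klist -k" listing.

# nfs_opt NAME FLAGSLINE -> value of NAME= in the option list (empty if absent)
nfs_opt() {
    printf '%s\n' "$2" | sed 's/^[[:space:]]*Flags:[[:space:]]*//' | tr ',' '\n' |
        awk -F= -v key="$1" '$1 == key { print $2; exit }'
}

# nfs_major_version FLAGSLINE -> "3", "4" (vers=4.1 gives 4), or empty
nfs_major_version() {
    nfs_opt vers "$1" | sed 's/\..*//'
}

# keytab_has_system_princ KLIST_K_OUTPUT -> success if a host/... or root/...
# key is listed; an nfs/ key alone does not count
keytab_has_system_princ() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $1 ~ /^[0-9]+$/ && $2 ~ /^(host|root)\/[^@]+@/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# cred_source FLAGSLINE KLIST_K_OUTPUT ROOT_HAS_TICKET(yes|no)
# Prints one of: none | user-ccache | root-ccache | keytab | MISSING | unknown
# MISSING is the case the thread is about: a kinit-only user cannot trigger it.
cred_source() {
    flavor=$(nfs_opt sec "$1")
    case "$flavor" in
        krb5|krb5i|krb5p) ;;
        *) echo none; return 0 ;;
    esac
    case "$(nfs_major_version "$1")" in
        3) echo user-ccache ;;
        4)
            if [ "$3" = yes ]; then
                echo root-ccache
            elif keytab_has_system_princ "$2"; then
                echo keytab
            else
                echo MISSING
            fi
            ;;
        *) echo unknown ;;
    esac
}

# Constructed sample data (not captured from any real system).
SAMPLE_FLAGS_V4=' Flags: vers=4,proto=tcp,sec=krb5p,hard,intr,link,symlink,acl,rsize=1048576,wsize=1048576,retrans=5,timeo=600'
SAMPLE_FLAGS_V3=' Flags: vers=3,proto=tcp,sec=krb5p,hard,intr,link,symlink,acl,rsize=32768,wsize=32768,retrans=5,timeo=600'
SAMPLE_FLAGS_SYS=' Flags: vers=4,proto=tcp,sec=sys,hard,intr,link,symlink,acl,rsize=1048576,wsize=1048576,retrans=5,timeo=600'
SAMPLE_KEYTAB_HOST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client.example2.com@EXAMPLE2.COM
   3 nfs/client.example2.com@EXAMPLE2.COM'
SAMPLE_KEYTAB_NFS_ONLY='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/client.example2.com@EXAMPLE2.COM'

# Stand-alone demonstration: the NFSv4 mount only has a credential once root
# has a ticket source; the same keytab is irrelevant for the NFSv3 case.
printf 'v3 krb5p, nfs/ key only, root no ticket : %s\n' "$(cred_source "$SAMPLE_FLAGS_V3" "$SAMPLE_KEYTAB_NFS_ONLY" no)"
printf 'v4 krb5p, nfs/ key only, root no ticket : %s\n' "$(cred_source "$SAMPLE_FLAGS_V4" "$SAMPLE_KEYTAB_NFS_ONLY" no)"
printf 'v4 krb5p, host/ key,     root no ticket : %s\n' "$(cred_source "$SAMPLE_FLAGS_V4" "$SAMPLE_KEYTAB_HOST" no)"
printf 'v4 krb5p, nfs/ key only, root kinit     : %s\n' "$(cred_source "$SAMPLE_FLAGS_V4" "$SAMPLE_KEYTAB_NFS_ONLY" yes)"
printf 'v4 sec=sys                              : %s\n' "$(cred_source "$SAMPLE_FLAGS_SYS" "$SAMPLE_KEYTAB_NFS_ONLY" no)"
```

On a real client the three inputs would come from "nfsstat -m" (the Flags: line of the mount in question), "klist -k" run against the system keytab as root, and "klist" run as root for the ticket-cache check; the functions parse those outputs rather than the system state directly so the decision logic can be exercised without a Kerberized NFS setup at hand.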