Date: Sun, 13 Apr 2014 21:27:33 -0400 (EDT) From: Rick Macklem <rmacklem@uoguelph.ca> To: Cedric Blancher <cedric.blancher@gmail.com> Cc: freebsd-hackers@freebsd.org Subject: Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access) Message-ID: <346915844.10522576.1397438853323.JavaMail.root@uoguelph.ca> In-Reply-To: <CALXu0Uc5eDSuv=KXk27-OC6ZwJ8mhjPBG=VW_4A8r0NGYpaGdw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Cedric Blancher wrote:
> On 13 April 2014 01:28, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> > Cedric Blancher wrote:
> >> How hard is it to do this with FreeBSD's NFSv4 implementation?
> >>
> > Well, amd doesn't know how to do nmount(2) { it still uses the old
> > mount(2) syscall } and, as such, can't do an NFSv4 mount.
> > - You can`t automount NFSv4.
> >
> > FreeBSD`s NFSv4 client can do a mount with a user`s credential
> > (no system credential in the default keytab file)
>=20
> Which system credential? nfs/, host/ or root/?
>=20
Whatever name you wish. The "gssname=3D<name>" mount option specifies it.
(ie. <name> can be root or nfs or host or whatever else you
choose to use. Most servers map them to "nobody", although I think a
Solaris server will map "root" to "root" on the server.)
> > if non-root
> > mounts are enabled, but the mount command must be done manually
> > by the user after logging in.
>=20
> No automounter?
>=20
FreeBSD's automounter is "amd" and it cannot do NFSv4 mounts, because
it still uses the old mount(2) syscall and not the newer nmount(2)
syscall. (I once took a look and converting it appeared non-trivial,
although it would be nice if someone did the conversion someday;-)
rick
> Ced
>=20
> >
> > rick
> >
> >> Ced
> >>
> >> ---------- Forwarded message ----------
> >> From: Wang Shouhua <shouhuaw@gmail.com>
> >> Date: Sat, Apr 12, 2014 at 11:24 AM
> >> Subject: Accessing Kerberos NFS version 4 (not 2, 3) via /net
> >> automounter with kinit only (no /etc/krb5.conf access)
> >> To: Kerberos@mit.edu
> >>
> >>
> >> Lets recap:
> >>
> >> 1. Requirements:
> >> - Linux or Solaris
> >> - NFS automounter set up at /net
> >> - Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
> >> - A NFS server (version 4 only) nfsserver.most.gov.cn exists in
> >> the
> >> realm MOST.GOV.CN, with a subdir of test3
> >>
> >> 2. Goal:
> >> A user provides his password to obtain a ticket for
> >> user2@MOST.GOV.CN
> >> (optionally nfs@MOST.GOV.CN, if this is a requirement to do a
> >> mount),
> >> and is then able to cd into /net/nfsserver.most.gov.cn/test3, and
> >> do
> >> a
> >> successful ls -al there
> >>
> >> Is that possible?
> >>
> >> Wang
> >>
> >> ---------- Forwarded message ----------
> >> From: Will Fiveash <will.fiveash@oracle.com>
> >> Date: 11 April 2014 22:14
> >> Subject: Re: Accessing Kerberos NFS via /net automounter with
> >> kinit
> >> only (no /etc/krb5.conf access)
> >> To: Wang Shouhua <shouhuaw@gmail.com>
> >> Cc: Kerberos@mit.edu
> >>
> >>
> >> On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
> >> > I am on Solaris 10U4 - can I access a NFS filesystem with
> >> > (mandatory)
> >> > krb5p authentication via the Solaris /net automounter with kinit
> >> > only,
> >> > without having r/w access to /etc/krb5.conf access)?
> >>
> >> You'll need to have Solaris krb configured which stores its config
> >> in
> >> /etc/krb5 not /etc as is the MIT default. You'll also need read
> >> access
> >> to /etc/krb5/krb5.conf and have the system properly configured to
> >> do
> >> NFS
> >> with krb in general (read the Solaris 10 online docs).
> >>
> >> Beyond that, whether a user kinit'ing is enough depends on which
> >> version
> >> of NFS you are using. On the client side NFSv3 sec=3Dkrb5p shares
> >> will
> >> automount if the user triggering the mount has a krb cred in their
> >> ccache (klist will show that) and does not require any keys in the
> >> system keytab nor does it require root to have a krb cred in
> >> general.
> >>
> >> NFSv4 on the other hand does require that the root on the NFS
> >> client
> >> system have a krb cred in its ccache. This can be done either by
> >> running kinit as root or having at least one set of keys for
> >> either
> >> the
> >> root/<host> or host/<host> service princ in the system keytab
> >> which
> >> will
> >> be automatically used to acquire a krb cred for root.
> >>
> >> On the client system "nfsstat -m" will show what version of NFS is
> >> being
> >> used.
> >>
> >> --
> >> Will Fiveash
> >> Oracle Solaris Software Engineer
> >>
> >>
> >> --
> >> Wang Shouhua - shouhuaw@gmail.com
> >> =E4=B8=AD=E5=8D=8E=E4=BA=BA=E6=B0=91=E5=85=B1=E5=92=8C=E5=9B=BD=E7=A7=
=91=E5=AD=A6=E6=8A=80=E6=9C=AF=E9=83=A8 - HTTP://WWW.MOST.GOV.CN
> >>
> >>
> >> ________________________________________________
> >> Kerberos mailing list Kerberos@mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>
> >>
> >> --
> >> Cedric Blancher <cedric.blancher@gmail.com>
> >> Institute Pasteur
> >> _______________________________________________
> >> freebsd-hackers@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> >> To unsubscribe, send any mail to
> >> "freebsd-hackers-unsubscribe@freebsd.org"
>=20
>=20
>=20
> --
> Cedric Blancher <cedric.blancher@gmail.com>
> Institute Pasteur
>=20
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?346915844.10522576.1397438853323.JavaMail.root>