Date: Sun, 13 Apr 2014 21:27:33 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Cedric Blancher <cedric.blancher@gmail.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)
Message-ID: <346915844.10522576.1397438853323.JavaMail.root@uoguelph.ca>
In-Reply-To: <CALXu0Uc5eDSuv=KXk27-OC6ZwJ8mhjPBG=VW_4A8r0NGYpaGdw@mail.gmail.com>
Cedric Blancher wrote:
> On 13 April 2014 01:28, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> > Cedric Blancher wrote:
> >> How hard is it to do this with FreeBSD's NFSv4 implementation?
> >>
> > Well, amd doesn't know how to do nmount(2) { it still uses the old
> > mount(2) syscall } and, as such, can't do an NFSv4 mount.
> > - You can't automount NFSv4.
> >
> > FreeBSD's NFSv4 client can do a mount with a user's credential
> > (no system credential in the default keytab file)
>
> Which system credential? nfs/, host/ or root/?
>
Whatever name you wish. The "gssname=<name>" mount option specifies it.
(i.e. <name> can be root or nfs or host or whatever else you choose to
use. Most servers map them to "nobody", although I think a Solaris
server will map "root" to "root" on the server.)

> > if non-root
> > mounts are enabled, but the mount command must be done manually
> > by the user after logging in.
>
> No automounter?
>
FreeBSD's automounter is "amd" and it cannot do NFSv4 mounts, because
it still uses the old mount(2) syscall and not the newer nmount(2)
syscall. (I once took a look and converting it appeared non-trivial,
although it would be nice if someone did the conversion someday;-)

rick

> Ced
>
> >
> > rick
> >
> >> Ced
> >>
> >> ---------- Forwarded message ----------
> >> From: Wang Shouhua <shouhuaw@gmail.com>
> >> Date: Sat, Apr 12, 2014 at 11:24 AM
> >> Subject: Accessing Kerberos NFS version 4 (not 2, 3) via /net
> >> automounter with kinit only (no /etc/krb5.conf access)
> >> To: Kerberos@mit.edu
> >>
> >>
> >> Let's recap:
> >>
> >> 1. Requirements:
> >> - Linux or Solaris
> >> - NFS automounter set up at /net
> >> - Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
> >> - An NFS server (version 4 only) nfsserver.most.gov.cn exists in the
> >> realm MOST.GOV.CN, with a subdir of test3
> >>
> >> 2. Goal:
> >> A user provides his password to obtain a ticket for user2@MOST.GOV.CN
> >> (optionally nfs@MOST.GOV.CN, if this is a requirement to do a mount),
> >> and is then able to cd into /net/nfsserver.most.gov.cn/test3, and do a
> >> successful ls -al there
> >>
> >> Is that possible?
> >>
> >> Wang
> >>
> >> ---------- Forwarded message ----------
> >> From: Will Fiveash <will.fiveash@oracle.com>
> >> Date: 11 April 2014 22:14
> >> Subject: Re: Accessing Kerberos NFS via /net automounter with kinit
> >> only (no /etc/krb5.conf access)
> >> To: Wang Shouhua <shouhuaw@gmail.com>
> >> Cc: Kerberos@mit.edu
> >>
> >>
> >> On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
> >> > I am on Solaris 10U4 - can I access an NFS filesystem with (mandatory)
> >> > krb5p authentication via the Solaris /net automounter with kinit only,
> >> > without having r/w access to /etc/krb5.conf?
> >>
> >> You'll need to have Solaris krb configured, which stores its config in
> >> /etc/krb5, not /etc as is the MIT default. You'll also need read access
> >> to /etc/krb5/krb5.conf and have the system properly configured to do NFS
> >> with krb in general (read the Solaris 10 online docs).
> >>
> >> Beyond that, whether a user kinit'ing is enough depends on which version
> >> of NFS you are using. On the client side NFSv3 sec=krb5p shares will
> >> automount if the user triggering the mount has a krb cred in their
> >> ccache (klist will show that) and does not require any keys in the
> >> system keytab nor does it require root to have a krb cred in general.
> >>
> >> NFSv4 on the other hand does require that the root on the NFS client
> >> system have a krb cred in its ccache. This can be done either by
> >> running kinit as root or having at least one set of keys for either the
> >> root/<host> or host/<host> service princ in the system keytab, which will
> >> be automatically used to acquire a krb cred for root.
> >>
> >> On the client system "nfsstat -m" will show what version of NFS is being
> >> used.
> >>
> >> --
> >> Will Fiveash
> >> Oracle Solaris Software Engineer
> >>
> >>
> >> --
> >> Wang Shouhua - shouhuaw@gmail.com
> >> Ministry of Science and Technology of the People's Republic of China (中华人民共和国科学技术部) - HTTP://WWW.MOST.GOV.CN
> >>
> >>
> >> ________________________________________________
> >> Kerberos mailing list Kerberos@mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>
> >>
> >> --
> >> Cedric Blancher <cedric.blancher@gmail.com>
> >> Institute Pasteur
> >> _______________________________________________
> >> freebsd-hackers@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> >> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>
>
>
> --
> Cedric Blancher <cedric.blancher@gmail.com>
> Institute Pasteur
>
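Added example (editor's code, not from anyone in the thread): the manual, user-initiated NFSv4 Kerberos mount on a FreeBSD client that Rick describes, wrapped with the checks Will recommends (klist for the ticket beforehand, nfsstat -m afterwards). The server nfsserver.most.gov.cn and export /test3 come from Wang's question; the mount point $HOME/nfs and the function names are assumptions. The nfsv4, sec= and gssname= options are FreeBSD mount_nfs(8) options and vfs.usermount is the sysctl that permits non-root mounts; nothing is mounted unless the script is invoked with the argument "run".

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumed: mount point $HOME/nfs
# and the function names.  From the thread: server nfsserver.most.gov.cn,
# export /test3, sec=krb5p, the gssname= option, klist and nfsstat -m.

# Build the mount_nfs option string.  sec must be a Kerberos flavour.
# gssname is optional: left empty, the client authenticates with the TGT
# in the invoking user's credential cache (the "user credential" mount);
# when given, it names the host-based principal (root, host, nfs, ...)
# whose key in the system keytab supplies the system credential.
nfsv4_krb_mount_opts() {
    sec="$1"
    gssname="${2:-}"
    case "$sec" in
        krb5|krb5i|krb5p) ;;
        *) echo "sec must be krb5, krb5i or krb5p, not '$sec'" >&2; return 1 ;;
    esac
    opts="nfsv4,sec=$sec"
    if [ -n "$gssname" ]; then
        opts="$opts,gssname=$gssname"
    fi
    printf '%s\n' "$opts"
}

# Preflight for a non-root user: the kernel must allow user mounts and the
# credential cache must hold a valid ticket (klist -s exits 0 only then).
nfsv4_krb_preflight() {
    if [ "$(sysctl -n vfs.usermount 2>/dev/null)" != "1" ]; then
        echo "vfs.usermount is not 1; non-root mounts are disabled" >&2
        return 1
    fi
    if ! klist -s 2>/dev/null; then
        echo "no valid Kerberos ticket in the credential cache; run kinit first" >&2
        return 1
    fi
    return 0
}

# Perform the mount and show what the kernel negotiated.  Runs only when
# invoked as "sh nfsv4-krb-mount.sh run", so the functions above can be
# sourced and inspected without touching the system.
if [ "${1:-}" = "run" ]; then
    mnt="$HOME/nfs"
    mkdir -p "$mnt"            # a user mount needs a mount point the user owns
    nfsv4_krb_preflight || exit 1
    opts=$(nfsv4_krb_mount_opts krb5p) || exit 1
    mount -t nfs -o "$opts" nfsserver.most.gov.cn:/test3 "$mnt" || exit 1
    nfsstat -m                 # confirm NFSv4 with sec=krb5p on $mnt
    ls -al "$mnt"
fi
```

Pass a second argument to nfsv4_krb_mount_opts (for example "host") to use a keytab principal as the system credential instead of the user's TGT, which is the case where the server-side mapping Rick mentions (usually "nobody", "root" on a Solaris server) comes into play. The Solaris path Will describes differs only in where the credential comes from: root must hold a ticket, obtained either by kinit as root or automatically from the root/<host> or host/<host> keys in the system keytab.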
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?346915844.10522576.1397438853323.JavaMail.root>