From: Rick Macklem <rmacklem@uoguelph.ca>
To: Slawa Olhovchenkov
Cc: hackers@freebsd.org
Date: Mon, 30 Nov 2015 18:15:48 -0500 (EST)
Subject: Re: NFSv4 details and documentations
Message-ID: <1530363546.112649399.1448925348701.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <183609075.112643195.1448924896262.JavaMail.zimbra@uoguelph.ca>
Oops, I wrote the principal names in GSS form and not the Kerberos ones. See a correction below.

----- Original Message -----
> Slawa Olhovchenkov wrote:
> > On Mon, Nov 16, 2015 at 06:00:16PM -0500, Rick Macklem wrote:
> >
> > > > But this is wrong: not only exported, access control too.
> > > > Maybe for an NFS guru this is trivia, but for ordinary users this is
> > > > confusing.
> > > >
> > > > > > What is the current status of Kerberos support in the NFS client/server? I found
> > > > > > many posts and wiki pages about lack of some functionality, but also
> > > > > > see many works from you.
> > > > > >
> > > > > The main limitation (which comes from the fact that the RPCSEC_GSS
> > > > > implementation is version 1) is that it expects to use DES, which
> > > > > requires "weak authentication" to be enabled. Although the parts about
> > > > > adding patches for initiator credentials no longer apply, this is
> > > > > still fairly useful.
> > > > >
> > > > Hmm, I have set up Kerberized NFS w/o "weak authentication"
> > > > enabled, mounted as
> > > > 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What requires
> > > > DES in RPCSEC_GSS? (For me as a user, how can I see what is broken? Some
> > > > commands not working, or something else?)
> > > >
> > > Well, if the mount is working, you aren't broken. I do recommend against
> > > using "soft" or "intr" on NFSv4 mounts, because the locking stuff
> > > (which includes file opens) breaks if an RPC gets interrupted.
> > > That is on one of the man pages, maybe "man nfsv4".
> > >
> > > Usually you can't create the keytab entries unless you enable weak
> > > authentication, but if you've gotten it working, be happy;-)
> > > (DES is used for krb5p and none of the Kerberized NFS stuff works for
> > > encryption types with larger keys than 8 bytes, from what I know. I
> > > always used des-cbc-crc, because that is what all clients/servers are
> > > supposed to support. Once you move away from that, you are experimenting
> > > and it works or not.)
> >
> > The mount is working, but all access (from any account) goes with the mounting
> > credentials (if I mount allgssname,gssname=host -- as root and mapped
> > to nobody; if I mount as a user -- all access as that user, root also as
> > that user). What am I missing or misunderstanding?
>
> Yes, that sounds correct. The mapping of "root" is somewhat more unusual.
> It depends on what you called the host-based principal in your
> /etc/krb5.keytab.
> If you use "root@<hostname>", then system operations are done as
> "root", assuming you have "root" in your KDC (most don't). Otherwise, "root"
> ends up as "nobody".
>
> The most common variant of the mount (which requires a host-based credential
> in /etc/krb5.keytab on the client) is done with gssname=host (but not
> "allgssname").
> (Note that "host" here implies that the principal for the host-based
> credential is "host@<hostname>". --> What is after the "=" above is what is
> before the "@" in the host based principal name.)
> Then system operations are done as nobody, but users are done as that user
> (they need to "kinit"). The "allgssname" is an odd case for some server no
> one logs into, which says "do everything as the host based credential".
> --> If you need "root" access, you must put a "root" principal name in your
> KDC and then create the host-based credential for /etc/krb5.keytab using the
> principal name "root@<hostname>".
> In GSS, the host based principal is <name>@<hostname>. This translates to:
> <name>/<hostname>@<REALM> in the KDC.

For example:
nfs-client.my.home - DNS name of the client machine
MYREALM - Realm for Kerberos KDC
- I want to have root work as "root".
--> I go to the KDC and create a principal name: root/nfs-client.my.home@MYREALM
--> Then I create a keytab entry for this principal and transfer it to
    /etc/krb5.keytab on the client machine (nfs-client.my.home).
--> Then I mount with: -o nfsv4,gssname=root
    and non-root users will have to kinit to access the server as themselves.

rick

> Yes, it is confusing, but that's Kerberos for you;-)
> rick
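To make the mapping rules in this thread concrete, here is an added Python helper (not from the thread and not FreeBSD code) that, given a mount option string, the client's DNS name, the realm and a constructed keytab listing, derives the keytab principal the mount needs and the identities root and ordinary users end up with on the server. The functions, their parameters and the keytab/KDC inputs are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class MountCheck:
    principal: str        # Kerberos form, e.g. root/nfs-client.my.home@MYREALM
    gss_name: str         # GSS form of the same credential, e.g. root@nfs-client.my.home
    root_maps_to: str     # identity the server uses for system (root) operations
    users_map_to: str     # identity the server uses for ordinary users' operations
    warnings: list = field(default_factory=list)

def parse_opts(opts):
    """'nfsv4,soft,sec=krb5i,gssname=root' -> {'nfsv4': True, 'soft': True, 'sec': 'krb5i', 'gssname': 'root'}"""
    out = {}
    for item in filter(None, (s.strip() for s in opts.split(","))):
        key, _, val = item.partition("=")
        out[key] = val or True
    return out

def check_mount(opts, host_fqdn, realm, keytab_principals, kdc_users=()):
    """Derive the keytab entry a gssname= mount needs and the identity mapping it yields.
    keytab_principals: principal strings as a keytab listing would show them (constructed here);
    kdc_users: user principals (without realm) that exist in the KDC, e.g. ['root']."""
    o = parse_opts(opts)
    if not str(o.get("sec", "")).startswith("krb5"):
        raise ValueError("not a Kerberized mount: need sec=krb5, krb5i or krb5p")
    if "gssname" not in o:
        raise ValueError("no gssname= option: no host-based credential is involved")
    name = o["gssname"]
    principal = f"{name}/{host_fqdn}@{realm}"   # what must be in /etc/krb5.keytab (Kerberos form)
    gss_name = f"{name}@{host_fqdn}"             # how RPCSEC_GSS names the same credential
    warnings = []
    if principal not in keytab_principals:
        warnings.append(f"/etc/krb5.keytab lacks {principal}; the client cannot acquire its credential")
    for opt in ("soft", "intr"):
        if opt in o and "nfsv4" in o:
            warnings.append(f"'{opt}' on an NFSv4 mount: an interrupted RPC breaks open/lock state")
    # System operations run as "root" only with gssname=root AND a "root" user principal in the KDC;
    # any other host-based credential (e.g. host/...) maps to "nobody" on the server.
    root_maps_to = "root" if name == "root" and "root" in kdc_users else "nobody"
    # allgssname sends every user's requests under the host-based credential instead of their own
    # ticket, so users get whatever that credential maps to; otherwise each user must kinit.
    users_map_to = root_maps_to if "allgssname" in o else "themselves (each user must kinit)"
    return MountCheck(principal, gss_name, root_maps_to, users_map_to, warnings)
```

Running it over the two option strings from the thread shows why Slawa's allgssname,gssname=host mount made everyone "nobody" while Rick's gssname=root recipe gives root real root access.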