From owner-freebsd-hackers@freebsd.org Tue Dec 1 07:44:30 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A19BEA3D192 for ; Tue, 1 Dec 2015 07:44:30 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 866A51CC9 for ; Tue, 1 Dec 2015 07:44:30 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: by mailman.ysv.freebsd.org (Postfix) id 85D0BA3D191; Tue, 1 Dec 2015 07:44:30 +0000 (UTC) Delivered-To: hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 856E5A3D190 for ; Tue, 1 Dec 2015 07:44:30 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3DB601CC8 for ; Tue, 1 Dec 2015 07:44:30 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from slw by zxy.spb.ru with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1a3fbt-000NgQ-O6; Tue, 01 Dec 2015 10:44:25 +0300 Date: Tue, 1 Dec 2015 10:44:25 +0300 From: Slawa Olhovchenkov To: Rick Macklem Cc: hackers@freebsd.org Subject: Re: NFSv4 details and documentations Message-ID: <20151201074425.GD31314@zxy.spb.ru> References: <9BC3EFA2-945F-4C86-89F6-778873B58469@cs.huji.ac.il> <3AEC67FD-2E67-4EF9-9D46-818ABF3D8118@cs.huji.ac.il> <661673285.88370232.1447682409478.JavaMail.zimbra@uoguelph.ca> <20151116141433.GA31314@zxy.spb.ru> <1489367909.88538127.1447688459383.JavaMail.zimbra@uoguelph.ca> <20151116155710.GB31314@zxy.spb.ru> <1312967974.89238067.1447714816355.JavaMail.zimbra@uoguelph.ca> <20151130165940.GB31314@zxy.spb.ru> <183609075.112643195.1448924896262.JavaMail.zimbra@uoguelph.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <183609075.112643195.1448924896262.JavaMail.zimbra@uoguelph.ca> User-Agent: Mutt/1.5.24 (2015-08-30) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2015 07:44:30 -0000 On Mon, Nov 30, 2015 at 06:08:16PM -0500, Rick Macklem wrote: > Slawa Olhovchenkov wrote: > > On Mon, Nov 16, 2015 at 06:00:16PM -0500, Rick Macklem wrote: > > > > > > But this is wrong: not only exported, access control too. > > > > May be for NFS guru this is trivia, but for ordinary users this is > > > > confused. > > > > > > > > > > What current status Kerberos support in NFS client/server? I found > > > > > > many posts and wiki pages about lack some functionality, but also see > > > > > > many works from you. > > > > > > > > > > > The main limitation (which comes from the fact that the RPCSEC_GSS > > > > > implementation > > > > > is version 1) is that it expects to use DES, which requires "weak > > > > > authentication" > > > > > to be enabled. Although parts about adding patches for initiator > > > > > credentials no longer > > > > > applies, this is still fairly useful. > > > > > > > > Hmm, I am have setup Kerberized NFS w/o "weak authentication" to be > > > > enabled, with mounted as > > > > 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What is requred > > > > DES in RPCSEC_GSS? (for me as user, how I can see what broken? some > > > > commands don't working or something else?) > > > > > > > Well, if the mount is working, you aren't broken. I do recommend against > > > using "soft" or "intr" on NFSv4 mounts, because the locking stuff > > > (which includes file opens) breaks if an RPC gets interrupted. > > > That is on one of the man pages, maybe "man nfsv4". > > > > > > Usually you can't create the keytab entries unless you enable weak > > > authentication, > > > but if you've gotten it working, be happy;-) > > > (DES is used for krb5p and none of the Kerberized NFS stuff works for > > > excryption types with larger keys than 8 bytes, from what I know. I > > > always used des-cbc-crc, because that is what all clients/servers are > > > supposed to support. Once you move away from that, you are experimenting > > > and it works or not.) > > > > mount is working, but all access (from any accounts) go from mounting > > credentials (if I mount allgssname,gssname=host -- as root and mapped > > to nobody, if I mount as user -- all access as user, root also as > > user). What I am missing or missunderstund? > > > Yes, that sounds correct. The mapping of "root" is somewhat more unusual. > It depends on what you called the host-based principal in your /etc/krb5.keytab. > If you use "root@.", then system operations are done as > "root", assuming you have "root" in your KDC (most don't). Otherwise, "root" > ends up as "nobody". > > The most common variant of the mount (which requires a host-based credential in > /etc/krb5.keytab on the client) is done with gssname=host (but not "allgssname"). Yes, my mount use "allgssname", I am think "gssname=host" require "allgssname" too. > (Note that "host" here implies that the principal for the host-based credential is > "host@.". --> What is after the "=" above is what is before the > "@" in the host based principal name.) > Then system operations are done as nobody, but users are done as that user (they need This is strange. I am mount (by automount) as: /NFS -nfsv4,intr,soft,sec=krb5i,gssname=host storage01:/ in rc.conf: gssd_enable="YES" gssd_flags="-h" In this case, I am can't login to user with $HOME on this NFS -- root (sshd run as root and PAM accounting run as root -- check .k5login and etc) totaly don't have access (10016). I am avoid this by "kinit -k host/`hostname`" in crontab and startup script, but may be gssd is best for this functionality? > to "kinit"). The "allgssname" is an odd case for some server no one logs into, which > says "do everything as the host based credential. I am confused by "allgssname", I am don't think that is like -mapall= in exports, I am think this is only for mount and for case absent user principal. > --> If you need "root" access, you must put a "root" principal name in your KDC and > then create the host-based credential for /etc/krb5.keytab using the principal > name "root@.". > > Yes, it is confusing, but that's Kerberos for you;-) rick