From owner-freebsd-hackers@freebsd.org Mon Nov 16 23:00:20 2015
Date: Mon, 16 Nov 2015 18:00:16 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Slawa Olhovchenkov
Cc: hackers@freebsd.org
Message-ID: <1312967974.89238067.1447714816355.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <20151116155710.GB31314@zxy.spb.ru>
References: <9BC3EFA2-945F-4C86-89F6-778873B58469@cs.huji.ac.il>
 <20151115152635.GB5854@kib.kiev.ua>
 <3AEC67FD-2E67-4EF9-9D46-818ABF3D8118@cs.huji.ac.il>
 <661673285.88370232.1447682409478.JavaMail.zimbra@uoguelph.ca>
 <20151116141433.GA31314@zxy.spb.ru>
 <1489367909.88538127.1447688459383.JavaMail.zimbra@uoguelph.ca>
 <20151116155710.GB31314@zxy.spb.ru>
Subject: Re: NFSv4 details and documentations
List-Id: Technical Discussions relating to FreeBSD

Slawa Olhovchenkov wrote:
> On Mon, Nov 16, 2015 at 10:40:59AM -0500, Rick Macklem wrote:
> 
> > Slawa Olhovchenkov wrote:
> > > On Mon, Nov 16, 2015 at 09:00:09AM -0500, Rick Macklem wrote:
> > > 
> > > > There is a vfs operation called VFS_SYSCTL(). This isn't implemented on
> > > > the current NFS client. It was implemented on the old one, but only for
> > > > NFS locking events and I didn't understand what needed to be done, so I
> > > > didn't do it.
> > > 
> > > Rick, I am trying to play with NFSv4 and Kerberos and see a lack of
> > > documentation. For example, it is nowhere documented that access to an
> > > NFSv4 mount is done by NFSv3 rules. I.e. I need to have /etc/exports
> > > with TWO lines:
> > > 
> > > V4: /NFS -sec=krb5i
> > > /NFS -sec=krb5i
> > > 
> > > W/o the second line I got a 10020 error (for an NFSv4 mount).
> > > 
> > Well, "man exports" does try and say this (and I've reworded it several
> > times), but it is confusing. In simple terms, the "V4:" line does not
> > export any file system and needs to be added to whatever you export via
> > other lines.
> 
> As I read this, adding '/NFS 127.0.0.1' is enough and secure.
This would export the mount to the local machine only (127.0.0.1 is localhost).
That is true of NFSv3 as well. If you get the exports working for NFSv3
(which can be used with Kerberos; you don't need NFSv4 to use Kerberos),
then you just add the "V4: .." line to define where in the server's file
system the NFSv4 root is.

> But this is wrong: not only the export, but access control too.
> Maybe for an NFS guru this is trivial, but for ordinary users this is
> confusing.
> 
> > > What is the current status of Kerberos support in the NFS client/server?
> > > I found many posts and wiki pages about lacking some functionality, but
> > > also see much work from you.
> > > 
> > The main limitation (which comes from the fact that the RPCSEC_GSS
> > implementation is version 1) is that it expects to use DES, which
> > requires "weak authentication" to be enabled. Although the parts about
> > adding patches for initiator credentials no longer apply, this is still
> > fairly useful.
> 
> Hmm, I have set up Kerberized NFS w/o "weak authentication" enabled,
> mounted as 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What
> requires DES in RPCSEC_GSS? (For me as a user, how can I see what is
> broken? Some commands not working, or something else?)
> 
Well, if the mount is working, you aren't broken. I do recommend against
using "soft" or "intr" on NFSv4 mounts, because the locking stuff (which
includes file opens) breaks if an RPC gets interrupted. That is on one of
the man pages, maybe "man nfsv4".

Usually you can't create the keytab entries unless you enable weak
authentication, but if you've gotten it working, be happy;-)
(DES is used for krb5p and none of the Kerberized NFS stuff works for
encryption types with larger keys than 8 bytes, from what I know. I always
used des-cbc-crc, because that is what all clients/servers are supposed to
support. Once you move away from that, you are experimenting and it works
or not.)

Have fun with it, rick

> > https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
> 
> Yes, I am talking about this.
> 
> > Anyone willing to improve/update this is more than welcome to do so. (I,
> > personally, haven't set up a Kerberized NFS for a couple of years and I
> > hate fiddling with it. When something isn't working, isolating the
> > problem can be very difficult.)
> 
> Yes, I already see it.
> 
> > Good luck with it, rick
> > ps: I put it on google as a wiki so anyone could update it, but I don't
> > think anyone ever has. As I recall, anyone with a google login can
> > update it.
> > 
> > > Can you give some examples of a Kerberized setup, with support for
> > > cron jobs?
> > > _______________________________________________
> > > freebsd-hackers@freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> > > To unsubscribe, send any mail to
> > > "freebsd-hackers-unsubscribe@freebsd.org"
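The two pitfalls Rick points out in this message (a "V4:" line in exports(5) exports nothing on its own, and "soft"/"intr" are a bad idea on NFSv4 mounts) can be checked mechanically before you touch a server. The script below is an added example written for this archive page; it is not code from the thread, from FreeBSD, or from the wiki linked above. It assumes the simple exports(5) layout used in the thread (one path per line, "V4:" at the start of its line, options beginning with "-"), and the sample exports files it checks are constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): a small lint for the two
# NFSv4 pitfalls discussed above.
#
#  1. In exports(5) the "V4:" line only names the NFSv4 root; it exports
#     nothing by itself. Every file system an NFSv4 client should reach must
#     also appear on an ordinary export line.
#  2. "soft" and "intr" are discouraged on NFSv4 mounts because opens and
#     locks break when an RPC is interrupted.
#
# Assumptions: one path per line, options start with "-", the V4: keyword
# starts its line. The sample exports files below are constructed here.

# check_exports FILE: returns 0 if FILE has a V4: line and at least one
# ordinary export at or below the V4 root, 1 otherwise.
check_exports() {
    file=$1
    v4root=$(awk '$1 == "V4:" { print $2; exit }' "$file")
    if [ -z "$v4root" ]; then
        echo "$file: no V4: line, NFSv4 clients cannot mount (NFSv3 unaffected)"
        return 1
    fi
    # Count ordinary export lines whose path is the V4 root or lies under it.
    n=$(awk -v root="$v4root" '
        /^[ \t]*#/ || NF == 0 || $1 == "V4:" { next }
        root == "/" || $1 == root || index($1, root "/") == 1 { n++ }
        END { print n + 0 }' "$file")
    if [ "$n" -eq 0 ]; then
        echo "$file: V4: root $v4root has no ordinary export line; NFSv4 mounts of it will fail"
        return 1
    fi
    echo "$file: ok, V4 root $v4root with $n export line(s) under it"
    return 0
}

# check_mount_opts OPTS: returns 0 if the comma-separated mount option string
# carries neither "soft" nor "intr", 1 if it carries either.
check_mount_opts() {
    opts=$1
    bad=0
    oldifs=$IFS
    IFS=,
    set -- $opts
    IFS=$oldifs
    for o in "$@"; do
        case $o in
            soft|intr)
                echo "warning: '$o' on an NFSv4 mount can break opens/locks if an RPC is interrupted"
                bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample: the V4: line alone, the mistake that produced the
# error in the thread.
demo_bad() {
    f=$(mktemp)
    printf 'V4: /NFS -sec=krb5i\n' > "$f"
    if check_exports "$f"; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

# Constructed sample: the two-line form that works.
demo_good() {
    f=$(mktemp)
    printf 'V4: /NFS -sec=krb5i\n/NFS -sec=krb5i\n' > "$f"
    if check_exports "$f"; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

demo_good
demo_bad || true
check_mount_opts 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root' || true
```

To lint a real server, source the script and call `check_exports /etc/exports`; to vet a client's fstab entry, pass its option string to `check_mount_opts`. The path matching is deliberately literal (no symlink resolution, no nested mount detection), which is enough to catch the "V4: line only" case but not every way an export can fail to cover the NFSv4 root.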