Date: Tue, 1 Dec 2015 08:19:27 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Slawa Olhovchenkov <slw@zxy.spb.ru>
Cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
Message-ID: <1739189176.113176689.1448975967722.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <20151201075117.GE31314@zxy.spb.ru>
References: <9BC3EFA2-945F-4C86-89F6-778873B58469@cs.huji.ac.il> <1489367909.88538127.1447688459383.JavaMail.zimbra@uoguelph.ca> <20151116155710.GB31314@zxy.spb.ru> <1312967974.89238067.1447714816355.JavaMail.zimbra@uoguelph.ca> <20151130165940.GB31314@zxy.spb.ru> <183609075.112643195.1448924896262.JavaMail.zimbra@uoguelph.ca> <1530363546.112649399.1448925348701.JavaMail.zimbra@uoguelph.ca> <20151201075117.GE31314@zxy.spb.ru>
Slawa Olhovchenkov wrote:
> On Mon, Nov 30, 2015 at 06:15:48PM -0500, Rick Macklem wrote:
>
> > In GSS, the host based principal is <some-string>@<host>.<domain>. This
> > translates to: <some-string>/<host>.<domain>@<KERBEROS-REALM> in the KDC.
> >
> > For example:
> > nfs-client.my.home - DNS name of the client machine
> > MYREALM - Realm for Kerberos KDC
> > - I want to have root work as "root".
> > --> I go to the KDC and create a principal name:
> >     root/nfs-client.my.home@MYREALM
> > --> Then I create a keytab entry for this principal and transfer it to
> >     /etc/krb5.keytab on the client machine (nfs-client.my.home).
> > --> Then I mount with: -o nfsv4,gssname=root
> >     and non-root users will have to kinit to access the server as
> >     themselves.
>
> Is there a difference between gssname=host
> (host/nfs-client.my.home@MYREALM and already exist) and gssname=root
> (and create and export additional root/nfs-client.my.home@MYREALM)?

Oops, I was wrong. It shouldn't matter what the name before "@" is in the
client's keytab entry.

On old code I did for this (OpenBSD way back when), I had an option on the
gssd that would look up the name in the passwd database and create
credentials for that user.
From "man gssd" and a look at the code, that was never done for FreeBSD.

Sorry for misleading you, rick

ps: If I had done it and you used the option, then "root@..." would have
become "root" on the server, etc.

> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"