Date:      Mon, 16 Nov 2015 18:00:16 -0500 (EST)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Slawa Olhovchenkov <slw@zxy.spb.ru>
Cc:        hackers@freebsd.org
Subject:   Re: NFSv4 details and documentations
Message-ID:  <1312967974.89238067.1447714816355.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <20151116155710.GB31314@zxy.spb.ru>
References:  <9BC3EFA2-945F-4C86-89F6-778873B58469@cs.huji.ac.il> <20151115152635.GB5854@kib.kiev.ua> <3AEC67FD-2E67-4EF9-9D46-818ABF3D8118@cs.huji.ac.il> <661673285.88370232.1447682409478.JavaMail.zimbra@uoguelph.ca> <20151116141433.GA31314@zxy.spb.ru> <1489367909.88538127.1447688459383.JavaMail.zimbra@uoguelph.ca> <20151116155710.GB31314@zxy.spb.ru>

Slawa Olhovchenkov wrote:
> On Mon, Nov 16, 2015 at 10:40:59AM -0500, Rick Macklem wrote:
> 
> > Slawa Olhovchenkov wrote:
> > > On Mon, Nov 16, 2015 at 09:00:09AM -0500, Rick Macklem wrote:
> > > 
> > > > There is a vfs operation called VFS_SYSCTL(). This isn't implemented on
> > > > the current NFS client. It was implemented on the old one, but only for
> > > > NFS locking events and I didn't understand what needed to be done, so I
> > > > didn't do it.
> > > 
> > > Rick, I am trying to play with NFSv4 and Kerberos and see a lack of
> > > documentation. For example, it is documented nowhere that access to an
> > > NFSv4 mount is done by NFSv3 rules. I.e. I need to have /etc/exports
> > > with TWO lines:
> > > 
> > > V4: /NFS    -sec=krb5i
> > > /NFS    -sec=krb5i
> > > 
> > > Without the second line I got a 10020 error (for the NFSv4 mount).
> > > 
> > Well, "man exports" does try and say this (and I've reworded it several
> > times), but it is confusing. In simple terms, the "V4:" line does not
> > export any file system and needs to be added to whatever you export via
> > other lines.
> 
> As I read this: adding '/NFS 127.0.0.1' is enough and secure.
This would export the mount to the local machine only (127.0.0.1 is localhost).
That is true of NFSv3 as well. If you get the exports working for NFSv3 (which
can be used with Kerberos, you don't need NFSv4 to use Kerberos), then you just
add the "V4: .." line to define where in the server's file system the NFSv4
root is.

> But this is wrong: it is not only about exporting, but about access control too.
> Maybe for an NFS guru this is trivial, but for ordinary users this is confusing.
> 
> > > What is the current status of Kerberos support in the NFS client/server?
> > > I found many posts and wiki pages about the lack of some functionality,
> > > but I also see much work from you.
> > > 
> > The main limitation (which comes from the fact that the RPCSEC_GSS
> > implementation is version 1) is that it expects to use DES, which requires
> > "weak authentication" to be enabled. Although the parts about adding patches
> > for initiator credentials no longer apply, this is still fairly useful.
> 
> Hmm, I have set up Kerberized NFS without "weak authentication" enabled,
> mounted as 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What
> requires DES in RPCSEC_GSS? (For me as a user, how can I see what is
> broken? Do some commands not work, or is it something else?)
> 
Well, if the mount is working, you aren't broken. I do recommend against
using "soft" or "intr" on NFSv4 mounts, because the locking stuff
(which includes file opens) breaks if an RPC gets interrupted.
That is on one of the man pages, maybe "man nfsv4".

Usually you can't create the keytab entries unless you enable weak authentication,
but if you've gotten it working, be happy;-)
(DES is used for krb5p and none of the Kerberized NFS stuff works for
 encryption types with larger keys than 8 bytes, from what I know. I
 always used des-cbc-crc, because that is what all clients/servers are
 supposed to support. Once you move away from that, you are experimenting
 and it works or not.)

Have fun with it, rick

> > https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
> 
> Yes, I am talking about this.
> 
> > Anyone willing to improve/update this is more than welcome to do so. (I,
> > personally, haven't set up a Kerberized NFS for a couple of years and I
> > hate fiddling with it. When something isn't working, isolating the
> > problem can be very difficult.)
> 
> Yes, I already see it.
> 
> > Good luck with it, rick
> > ps: I put it on google as a wiki so anyone could update it, but I don't
> >     think anyone ever has. As I recall, anyone with a google login can
> >     update it.
> > 
> > > Can you give some examples of a Kerberized setup, with support for cron
> > > jobs?

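The two-line exports(5) setup discussed in this thread, with a small checker for the pitfalls it names: a "V4:" line on its own exports nothing, a host list or -network decides who may mount, and -sec on the export line (default sys) decides the authentication flavour. This is an added example, not code from the thread or from FreeBSD; SAMPLE_EXPORTS is constructed, and parse_exports handles only the subset of exports(5) syntax shown here, which is an assumption.

```python
# Constructed sample /etc/exports, modelled on the two-line setup from the thread.
SAMPLE_EXPORTS = """\
V4: /NFS -sec=krb5i                    # NFSv4 root: exports nothing by itself
/NFS -sec=krb5i -network 192.0.2.0/24  # the line that actually exports /NFS
/data                                  # no hosts and no -sec: every host, AUTH_SYS
"""

def parse_exports(text):
    """Return (v4_roots, exports), each entry as (paths, opts, hosts).
    Assumption: only the -opt, -opt=value and '-network value' forms are handled."""
    v4_roots, exports = [], []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        is_v4 = tokens[0] == "V4:"
        paths, opts, hosts = [], {}, []
        it = iter(tokens[1:] if is_v4 else tokens)
        for tok in it:
            if tok.startswith("-"):
                key, _, val = tok[1:].partition("=")
                if key in ("network", "mask") and not val:
                    val = next(it, "")  # mountd also accepts '-network 192.0.2.0/24'
                opts[key] = val
            else:
                (paths if tok.startswith("/") else hosts).append(tok)
        (v4_roots if is_v4 else exports).append((paths, opts, hosts))
    return v4_roots, exports

def check_exports(text):
    """Return human-readable findings; an empty list means nothing looked off."""
    v4_roots, exports = parse_exports(text)
    findings = []
    for paths, _, _ in v4_roots:
        root = (paths[0] if paths else "/").rstrip("/")
        if not any(p == root or p.startswith(root + "/") for ps, _, _ in exports for p in ps):
            findings.append(f"V4: root {root or '/'} has no export line under it; the V4: line exports nothing by itself")
    krb_root = any("sec" in o and all(f.startswith("krb5") for f in o["sec"].split(":"))
                   for _, o, _ in v4_roots)
    for paths, opts, hosts in exports:
        flavors = opts.get("sec", "sys").split(":")  # exports(5): the default flavor is sys
        for p in paths:
            if not hosts and "network" not in opts:
                findings.append(f"{p} is exported to every host (no host list and no -network)")
            if krb_root and "sys" in flavors:
                how = "via -sec" if "sec" in opts else "by default"
                findings.append(f"{p} allows AUTH_SYS {how} while the NFSv4 root requires Kerberos")
    return findings
```

Run check_exports() over a real /etc/exports before restarting mountd; the '/NFS 127.0.0.1' line from the thread is reported for allowing AUTH_SYS by default even though it is limited to localhost.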