Date: Sun, 14 Apr 2024 17:26:06 +0200 From: Andreas Kempe <kempe@lysator.liu.se> To: Rick Macklem <rick.macklem@gmail.com> Cc: freebsd-fs@freebsd.org Subject: Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access Message-ID: <Zhv1jtKU8lRdKOul@shipon.lysator.liu.se> In-Reply-To: <CAM5tNy5GbbZSJ3sOALx6zUkZz_7BJGzQ_63srVK88RFecb_eCQ@mail.gmail.com> References: <ZgNiZsYl6D-GnRwI@shipon.lysator.liu.se> <CAM5tNy53suTizsOmsKvN9Zrd6LciAFrS3PEctUJjK%2BHH9QcMrw@mail.gmail.com> <CAM5tNy7YM6bRKTX3pLR8hC-a-cmxXA=wv4j0E8cBWGthbxzLdQ@mail.gmail.com> <ZgRUqkl1zVxMPt6K@shipon.lysator.liu.se> <CAM5tNy68W16ut4vR1Y9xxPwaU%2BT%2Bt8fU8dwg3DbfhMT5h5iEDQ@mail.gmail.com> <ZgVKehV_9ePUBdwd@shipon.lysator.liu.se> <CAM5tNy4ye6BwYAZ%2BVYQOgDnSjAmyg%2BCCu=XCm-%2BDZucfrfwgKw@mail.gmail.com> <CAM5tNy4%2BbUc0VMY8i_E9P-pT0CEOXHpKzitMuKYzydH465OBGg@mail.gmail.com> <ZgiIAyDKPlCr1c9C@shipon.lysator.liu.se> <CAM5tNy5GbbZSJ3sOALx6zUkZz_7BJGzQ_63srVK88RFecb_eCQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Mar 30, 2024 at 04:01:50PM -0700, Rick Macklem wrote: > On Sat, Mar 30, 2024 at 2:45 PM Andreas Kempe <kempe@lysator.liu.se> wrote: > > Did you have a look at the owner field in the open reqest that created > > the file? To me, it looks very strange. Could it be that the client > > isn't sending a correct owner in the creation request, causing the > > server to map it to nobody? > The only setable attribute specified by the Open request is "mode". > That just means that the server is expected to create the file with > an ownership of the Kerberos principal used in the RPC credentials. > > Now, if you are doing the RPC as root, that will result in nobody (or > a failure to create the file, depending upon directory permissions). > There is no way to know what user principal is represented by the > RPCSEC_GSS credentials, since they are a shorthand for the > Kerberos credentials presented in a Null RPC that happens > when there is no credential. > > When creating a file, the user creating the file will need to have > a valid TGT in the client's credential cache. > > And the user principal name (without @REALM) must be a name > in the passwd database. > After having let this brew in the back of my mind for a while, I realised what the issue was thanks to you explaining the use of the principal to figure out the user. For our usecase, I wanted to only authenticate the machine because users have cronjobs running in their home directories, users want to access each other's files and log in using SSH keys. I was mounting using -o nfsv4,sec=krb5p,allgssname,gssname=host thinking that allgssname would allow users to use the machine's principal and that ownership information would be sent along with the requests. From what you wrote, Rick, I gather that this causes all users to be mapped to nobody because the machine's principal is used. Removing allgssname and doing a kinit has things working as expected when I mount using -o nfsv4,sec=krb5p,gssname=host and makes me own files I create. Am I correct in thinking that Kerberos isn't really designed to be used for only authenticating the machine? Users having to always have their own valid Kerberos ticket doesn't really work for us. Best regards, Andreas Kempe
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Zhv1jtKU8lRdKOul>