From: Slawa Olhovchenkov (slw@zxy.spb.ru)
To: Rick Macklem
Cc: hackers@freebsd.org
Date: Tue, 1 Dec 2015 16:40:09 +0300
Subject: Re: NFSv4 details and documentations
Message-ID: <20151201134009.GG31314@zxy.spb.ru>
In-Reply-To: <1739189176.113176689.1448975967722.JavaMail.zimbra@uoguelph.ca>
List-Id: freebsd-hackers@freebsd.org (Technical Discussions relating to FreeBSD)

On Tue, Dec 01, 2015 at 08:19:27AM -0500, Rick Macklem wrote:
> Slawa Olhovchenkov wrote:
> > On Mon, Nov 30, 2015 at 06:15:48PM -0500, Rick Macklem wrote:
> >
> > > In GSS, the host based principal is @.. This
> > > translates to: /.@ in the KDC.
> > >
> > >
> > > For example:
> > > nfs-client.my.home - DNS name of the client machine
> > > MYREALM - Realm for Kerberos KDC
> > > - I want to have root work as "root".
> > > --> I go to the KDC and create a principal name:
> > > root/nfs-client.my.home@MYREALM
> > > --> Then I create a keytab entry for this principal and transfer it to
> > > /etc/krb5.keytab on the client machine (nfs-client.my.home).
> > > --> Then I mount with: -o nfsv4,gssname=root
> > > and non-root users will have to kinit to access the server as
> > > themselves.
> >
> > Is there a difference between gssname=host
> > (host/nfs-client.my.home@MYREALM, which already exists) and gssname=root
> > (and create and export an additional root/nfs-client.my.home@MYREALM)?
> Oops, I was wrong. It shouldn't matter what the name before "@" is in the
> client's keytab entry.
> On old code I did for this (OpenBSD way back when), I had an option on the
> gssd that would look up the name in the passwd database and create credentials
> for that user.
>
> From "man gssd" and a look at the code, that was never done for FreeBSD.
>
> Sorry for misleading you, rick
> ps: If I had done it and you used the option, then "root@..." would have become
> "root" on the server, etc.

Do you plan to use (in this case) in gssd the principal root@`hostname`@MYREALM?
Or `gssname_from_mount`@`hostname`@MYREALM for root access? The last case is
preferred for me; I create host/`hostname` in any case (for ssh access), and
it is unnecessary to create an additional root/`hostname`.
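The client-side procedure Rick lists above (create the host-based principal on the KDC, extract a keytab entry, install it as /etc/krb5.keytab on the client, mount with -o nfsv4,gssname=...) as a shell script. This is an added example, not code from the thread or from FreeBSD; it assumes the Heimdal kadmin/ktutil shipped in FreeBSD base, FreeBSD stat(1), the thread's names (nfs-client.my.home, MYREALM) and a hypothetical server nfs-server.my.home exporting /export. The gssname argument is a parameter so that the same script covers both choices discussed in the thread: gssname=root with a new root/ principal, or gssname=host reusing the host/ principal that already exists for sshd. Before mounting it checks that the keytab is mode 0600 and actually contains the intended principal, since that keytab is the client's long-term Kerberos key.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes Heimdal kadmin and
# ktutil as in FreeBSD base, FreeBSD stat(1), and hypothetical host names.
set -eu

# Client host-based principal for a given gssname mount option:
#   gssname=root -> root/nfs-client.my.home@MYREALM  (new principal on the KDC)
#   gssname=host -> host/nfs-client.my.home@MYREALM  (already exists for sshd)
client_principal() {
    # $1 = gssname (root or host), $2 = client FQDN, $3 = Kerberos realm
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# KDC side, run as an admin with the local database (Heimdal "kadmin -l").
# Creates the principal with a random key and extracts it into a keytab file
# that is then copied to the client (scp over ssh, not shown here).
kdc_add_client_principal() {
    # $1 = principal, $2 = path of the keytab file to write on the KDC
    kadmin -l add --random-key --use-defaults "$1"
    kadmin -l ext_keytab --keytab="$2" "$1"
}

# Client side: refuse to mount unless the keytab is protected and usable.
# Returns 1 with a reason on stderr otherwise.
check_keytab() {
    # $1 = keytab path, $2 = principal expected inside it
    keytab=$1; princ=$2
    [ -f "$keytab" ] || { echo "missing keytab $keytab" >&2; return 1; }
    # FreeBSD stat(1): low permission bits in octal (GNU stat: stat -c '%a')
    mode=$(stat -f '%Lp' "$keytab")
    [ "$mode" = "600" ] || { echo "keytab mode is $mode, expected 600" >&2; return 1; }
    ktutil -k "$keytab" list | grep -qF "$princ" \
        || { echo "$princ not present in $keytab" >&2; return 1; }
}

# Client side: verify the keytab, then mount NFSv4 with Kerberos host creds.
# Non-root users still need their own kinit, as the thread says.
mount_nfsv4_krb() {
    # $1 = gssname, $2 = client FQDN, $3 = realm, $4 = server:/export, $5 = mountpoint
    princ=$(client_principal "$1" "$2" "$3")
    check_keytab /etc/krb5.keytab "$princ"
    mount -t nfs -o "nfsv4,gssname=$1" "$4" "$5"
}

# Only act when explicitly asked, so sourcing the file defines functions only.
# Usage on the client:  sh nfs-krb-client.sh --mount root
if [ "${1:-}" = "--mount" ]; then
    mount_nfsv4_krb "${2:-root}" nfs-client.my.home MYREALM \
        nfs-server.my.home:/export /mnt
fi
```

The functions are split by where they run: kdc_add_client_principal on the KDC, the rest on the client. With gssname=host nothing has to be created on the KDC, because the host/ entry that sshd already uses is reused, which is the variant Slawa prefers; with gssname=root the root/ principal has to be added and its keytab entry merged into /etc/krb5.keytab first.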