Date:      Sun, 13 Apr 2014 16:06:06 +0200
From:      Cedric Blancher <cedric.blancher@gmail.com>
To:        Rick Macklem <rmacklem@uoguelph.ca>
Cc:        "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject:   Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)
Message-ID:  <CALXu0Uc5eDSuv=KXk27-OC6ZwJ8mhjPBG=VW_4A8r0NGYpaGdw@mail.gmail.com>
In-Reply-To: <703720810.10243218.1397345329008.JavaMail.root@uoguelph.ca>
References:  <CALXu0Ucy0wQgK-M%2Bu1YgVvR45NOxVcggCr_mbDDzysJOmdmvKg@mail.gmail.com> <703720810.10243218.1397345329008.JavaMail.root@uoguelph.ca>

On 13 April 2014 01:28, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> Cedric Blancher wrote:
>> How hard is it to do this with FreeBSD's NFSv4 implementation?
>>
> Well, amd doesn't know how to do nmount(2) { it still uses the old
> mount(2) syscall } and, as such, can't do an NFSv4 mount.
> - You can't automount NFSv4.
>
> FreeBSD's NFSv4 client can do a mount with a user's credential
> (no system credential in the default keytab file)

Which system credential? nfs/, host/ or root/?

> if non-root
> mounts are enabled, but the mount command must be done manually
> by the user after logging in.

No automounter?

Ced

>
> rick
>
>> Ced
>>
>> ---------- Forwarded message ----------
>> From: Wang Shouhua <shouhuaw@gmail.com>
>> Date: Sat, Apr 12, 2014 at 11:24 AM
>> Subject: Accessing Kerberos NFS version 4 (not 2, 3) via /net
>> automounter with kinit only (no /etc/krb5.conf access)
>> To: Kerberos@mit.edu
>>
>>
>> Let's recap:
>>
>> 1. Requirements:
>> - Linux or Solaris
>> - NFS automounter set up at /net
>> - Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
>> - A NFS server (version 4 only) nfsserver.most.gov.cn exists in the
>> realm MOST.GOV.CN, with a subdir of test3
>>
>> 2. Goal:
>> A user provides his password to obtain a ticket for user2@MOST.GOV.CN
>> (optionally nfs@MOST.GOV.CN, if this is a requirement to do a mount),
>> and is then able to cd into /net/nfsserver.most.gov.cn/test3, and do a
>> successful ls -al there
>>
>> Is that possible?
>>
>> Wang
>>
>> ---------- Forwarded message ----------
>> From: Will Fiveash <will.fiveash@oracle.com>
>> Date: 11 April 2014 22:14
>> Subject: Re: Accessing Kerberos NFS via /net automounter with kinit
>> only (no /etc/krb5.conf access)
>> To: Wang Shouhua <shouhuaw@gmail.com>
>> Cc: Kerberos@mit.edu
>>
>>
>> On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
>> > I am on Solaris 10U4 - can I access an NFS filesystem with (mandatory)
>> > krb5p authentication via the Solaris /net automounter with kinit only,
>> > without having r/w access to /etc/krb5.conf?
>>
>> You'll need to have Solaris krb configured which stores its config in
>> /etc/krb5 not /etc as is the MIT default.  You'll also need read access
>> to /etc/krb5/krb5.conf and have the system properly configured to do NFS
>> with krb in general (read the Solaris 10 online docs).
>>
>> Beyond that, whether a user kinit'ing is enough depends on which version
>> of NFS you are using.  On the client side NFSv3 sec=krb5p shares will
>> automount if the user triggering the mount has a krb cred in their
>> ccache (klist will show that) and does not require any keys in the
>> system keytab nor does it require root to have a krb cred in general.
>>
>> NFSv4 on the other hand does require that the root on the NFS client
>> system have a krb cred in its ccache.  This can be done either by
>> running kinit as root or having at least one set of keys for either the
>> root/<host> or host/<host> service princ in the system keytab which will
>> be automatically used to acquire a krb cred for root.
>>
>> On the client system "nfsstat -m" will show what version of NFS is being
>> used.
>>
>> --
>> Will Fiveash
>> Oracle Solaris Software Engineer
>>
>>
>> --
>> Wang Shouhua - shouhuaw@gmail.com
>> Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>> --
>> Cedric Blancher <cedric.blancher@gmail.com>
>> Institute Pasteur
>> _______________________________________________
>> freebsd-hackers@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>> To unsubscribe, send any mail to
>> "freebsd-hackers-unsubscribe@freebsd.org"



-- 
Cedric Blancher <cedric.blancher@gmail.com>
Institute Pasteur
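The NFSv3-versus-NFSv4 credential rule from Will Fiveash's quoted reply, turned into a client-side pre-flight check. This is an added example, not code from anyone in the thread; the `nfsstat -m` and `klist -k` output it parses is constructed sample text (Solaris-style "Flags:" line), and it only checks the keytab route for root's credential, not whether root has already run kinit.

```sh
#!/bin/sh
# Constructed sample `nfsstat -m` output for a client that has triggered the
# /net mount of test3 (not captured from a real host).
SAMPLE_NFSSTAT='/net/nfsserver.most.gov.cn/test3 from nfsserver.most.gov.cn:/export/test3
 Flags: vers=4,proto=tcp,sec=krb5p,hard,intr,link,symlink,acl,rsize=1048576,wsize=1048576,retrans=5,timeo=600
 Attr cache: acregmin=3,acregmax=60,acdirmin=30,acdirmax=60'

# Constructed sample `klist -k` output: the keytab holds an nfs/ key only,
# so there is no root/<host> or host/<host> key for root to use.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/client.example2.com@EXAMPLE2.COM'

# mount_option NFSSTAT_TEXT MOUNTPOINT KEY -> value of KEY= from that mount's Flags line.
mount_option() {
    printf '%s\n' "$1" | awk -v mp="$2" -v key="$3" '
        $1 == mp { found = 1; next }
        found && $1 == "Flags:" {
            n = split($2, opts, ",")
            for (i = 1; i <= n; i++)
                if (index(opts[i], key "=") == 1) { print substr(opts[i], length(key) + 2); exit }
            exit
        }'
}

# keytab_has_client_key KLIST_TEXT -> success if a root/<host> or host/<host> key is listed.
keytab_has_client_key() {
    printf '%s\n' "$1" | grep -Eq '^ *[0-9]+ +(root|host)/'
}

# nfs_cred_requirement NFSSTAT_TEXT MOUNTPOINT KLIST_TEXT -> one of:
#   no-krb            mount is not a Kerberos security flavour
#   user-ccache       NFSv3: the triggering user's ccache is sufficient
#   root-keytab-ok    NFSv4: root can acquire its cred from the keytab
#   root-needs-cred   NFSv4: root has no keytab key; it must kinit itself
nfs_cred_requirement() {
    vers=$(mount_option "$1" "$2" vers)
    sec=$(mount_option "$1" "$2" sec)
    case "$sec" in
        krb5|krb5i|krb5p) ;;
        *) echo no-krb; return ;;
    esac
    case "$vers" in
        3)  echo user-ccache ;;
        4*) if keytab_has_client_key "$3"; then echo root-keytab-ok; else echo root-needs-cred; fi ;;
        *)  echo unknown ;;
    esac
}
```

On a live client, replace the sample strings with `"$(nfsstat -m)"` and `"$(klist -k)"`.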


