From: Rick Macklem <rmacklem@uoguelph.ca>
To: Slawa Olhovchenkov
Cc: hackers@freebsd.org
Date: Mon, 30 Nov 2015 18:08:16 -0500 (EST)
Subject: Re: NFSv4 details and documentations
Message-ID: <183609075.112643195.1448924896262.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <20151130165940.GB31314@zxy.spb.ru>
References: <9BC3EFA2-945F-4C86-89F6-778873B58469@cs.huji.ac.il> <3AEC67FD-2E67-4EF9-9D46-818ABF3D8118@cs.huji.ac.il> <661673285.88370232.1447682409478.JavaMail.zimbra@uoguelph.ca> <20151116141433.GA31314@zxy.spb.ru> <1489367909.88538127.1447688459383.JavaMail.zimbra@uoguelph.ca> <20151116155710.GB31314@zxy.spb.ru> <1312967974.89238067.1447714816355.JavaMail.zimbra@uoguelph.ca> <20151130165940.GB31314@zxy.spb.ru>
Slawa Olhovchenkov wrote:
> On Mon, Nov 16, 2015 at 06:00:16PM -0500, Rick Macklem wrote:
> > > > But this is wrong: not only exported, access control too.
> > > Maybe for an NFS guru this is trivia, but for ordinary users this is
> > > confusing.
> > >
> > > > > What is the current status of Kerberos support in the NFS
> > > > > client/server? I found many posts and wiki pages about the lack of
> > > > > some functionality, but also see many works from you.
> > > > >
> > > > The main limitation (which comes from the fact that the RPCSEC_GSS
> > > > implementation is version 1) is that it expects to use DES, which
> > > > requires "weak authentication" to be enabled. Although the parts about
> > > > adding patches for initiator credentials no longer apply, this is
> > > > still fairly useful.
> > >
> > > Hmm, I have set up Kerberized NFS without "weak authentication"
> > > enabled, mounted as
> > > 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What requires
> > > DES in RPCSEC_GSS? (For me as a user, how can I see what is broken?
> > > Some commands don't work, or something else?)
> > >
> > Well, if the mount is working, you aren't broken. I do recommend against
> > using "soft" or "intr" on NFSv4 mounts, because the locking stuff
> > (which includes file opens) breaks if an RPC gets interrupted.
> > That is on one of the man pages, maybe "man nfsv4".
> >
> > Usually you can't create the keytab entries unless you enable weak
> > authentication, but if you've gotten it working, be happy;-)
> > (DES is used for krb5p and none of the Kerberized NFS stuff works for
> > encryption types with larger keys than 8 bytes, from what I know. I
> > always used des-cbc-crc, because that is what all clients/servers are
> > supposed to support. Once you move away from that, you are experimenting
> > and it works or not.)
>
> The mount is working, but all access (from any account) goes with the
> mounting credentials (if I mount with allgssname,gssname=host -- as root
> and mapped to nobody; if I mount as a user -- all access is as that user,
> root too). What am I missing or misunderstanding?
>
Yes, that sounds correct. The mapping of "root" is somewhat more unusual.
It depends on what you called the host-based principal in your /etc/krb5.keytab.
If you use "root@.", then system operations are done as "root", assuming you
have "root" in your KDC (most don't). Otherwise, "root" ends up as "nobody".

The most common variant of the mount (which requires a host-based credential
in /etc/krb5.keytab on the client) is done with gssname=host (but not
"allgssname"). (Note that "host" here implies that the principal for the
host-based credential is "host@.".
--> What is after the "=" above is what is before the "@" in the host-based
principal name.)
Then system operations are done as nobody, but users are done as that user
(they need to "kinit").

The "allgssname" is an odd case for some server no one logs into, which says
"do everything as the host-based credential".
--> If you need "root" access, you must put a "root" principal name in your
KDC and then create the host-based credential for /etc/krb5.keytab using the
principal name "root@.".

Yes, it is confusing, but that's Kerberos for you;-)

rick
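The two points Rick makes above (avoid "soft"/"intr" on NFSv4 mounts, and the value after "gssname=" is the service part of the host-based principal the client expects to find in /etc/krb5.keytab) can be checked mechanically on a client before mounting. The script below is an added example written for this page; it is not code from the thread, from FreeBSD, or from either author. It assumes the keytab is listed in the usual Kerberos form service/fqdn@REALM (the GSS host-based name "service@fqdn"); the hostname client.example.test, the realm EXAMPLE.TEST and the keytab listing are constructed sample data so the script runs offline. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity-check the
# Kerberos-related options of an NFSv4 mount against a keytab listing.
# All inputs are constructed here; on a real client you would pass the
# option string from /etc/fstab and the output of "ktutil list" (Heimdal)
# or "klist -k" (MIT).

# Constructed sample: the option string discussed in the thread.
SAMPLE_OPTS='nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'

# Constructed sample keytab listing (hypothetical host and realm).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/client.example.test@EXAMPLE.TEST
   3 nfs/client.example.test@EXAMPLE.TEST'

# opt_present OPTS NAME: succeed if NAME appears as a bare mount option.
opt_present() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# opt_value OPTS NAME: print the value of NAME=value (empty if absent).
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# gss_service OPTS: print the service part of the host-based principal the
# client will look for, i.e. the text after "gssname=", or nothing when the
# option is absent (no default is assumed here).
gss_service() {
    opt_value "$1" gssname
}

# keytab_has LISTING SERVICE: succeed if a SERVICE/<fqdn>@REALM entry exists.
# The pattern only needs the principal to appear as a whitespace-separated
# token, so it works for both MIT and Heimdal listing layouts.
keytab_has() {
    printf '%s\n' "$1" | grep -Eq "(^|[[:space:]])$2/[^@[:space:]]+@"
}

# check_mount OPTS LISTING: print one finding per line (WARN/OK/NOTE).
check_mount() {
    opts=$1
    kt=$2
    if opt_present "$opts" soft || opt_present "$opts" intr; then
        echo "WARN: soft/intr on an NFSv4 mount: an interrupted RPC breaks open/lock state"
    fi
    svc=$(gss_service "$opts")
    if [ -z "$svc" ]; then
        echo "NOTE: no gssname option; keytab check skipped"
    elif keytab_has "$kt" "$svc"; then
        echo "OK: keytab has a $svc/<fqdn>@REALM entry matching gssname=$svc"
    else
        echo "WARN: keytab has no $svc/<fqdn>@REALM entry, which gssname=$svc requires"
    fi
    if opt_present "$opts" allgssname; then
        echo "NOTE: allgssname: every access uses the host-based credential, not per-user tickets"
    fi
    return 0
}

# Stand-alone run: report on the constructed sample.
check_mount "$SAMPLE_OPTS" "$SAMPLE_KEYTAB"
```

For the sample options the script reports two warnings: "soft"/"intr" are set, and gssname=root asks for a root/<fqdn>@REALM entry that the sample keytab does not contain, which is exactly the situation where system operations end up mapped to "nobody" in Rick's description. Replacing the options with 'nfsv4,sec=krb5i,gssname=host' against the same listing produces no warnings.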