Date: Mon, 16 Nov 2015 18:57:11 +0300 From: Slawa Olhovchenkov <slw@zxy.spb.ru> To: Rick Macklem <rmacklem@uoguelph.ca> Cc: hackers@freebsd.org Subject: Re: NFSv4 details and documentations Message-ID: <20151116155710.GB31314@zxy.spb.ru> In-Reply-To: <1489367909.88538127.1447688459383.JavaMail.zimbra@uoguelph.ca> References: <9BC3EFA2-945F-4C86-89F6-778873B58469@cs.huji.ac.il> <20151115152635.GB5854@kib.kiev.ua> <3AEC67FD-2E67-4EF9-9D46-818ABF3D8118@cs.huji.ac.il> <661673285.88370232.1447682409478.JavaMail.zimbra@uoguelph.ca> <20151116141433.GA31314@zxy.spb.ru> <1489367909.88538127.1447688459383.JavaMail.zimbra@uoguelph.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Nov 16, 2015 at 10:40:59AM -0500, Rick Macklem wrote: > Slawa Olhovchenkov wrote: > > On Mon, Nov 16, 2015 at 09:00:09AM -0500, Rick Macklem wrote: > > > > > There is a vfs operation called VFS_SYSCTL(). This isn't implemented on > > > the current NFS client. It was implemented on the old one, but only for > > > NFS locking events and I didn't understand what needed to be done, so I > > > didn't do it. > > > > Rick, I am try to play with NFSv4 and Kerberos and see lack of > > documentation. For example, nowhere documented that access to NFSv4 > > mount do by NFSv3 rules. I.e. I need have /etc/exports with TWO lines: > > > > V4: /NFS -sec=krb5i > > /NFS -sec=krb5i > > > > W/o second lines I got 10020 error (for NFSv4 mount). > > > Well, "man exports" does try and say this (and I've reworded it several times), > but it is confusing. In simple terms, the "V4:" line does not export any file system > and needs to be added to whatever you export via other lines. As I read this: adding '/NFS 127.0.0.1' is enough and secured. But this is wrong: not only exported, access control too. May be for NFS guru this is trivia, but for ordinary users this is confused. > > What current status Kerberos support in NFS client/server? I found > > many posts and wiki pages about lack some functionality, but also see > > many works from you. > > > The main limitation (which comes from the fact that the RPCSEC_GSS implementation > is version 1) is that it expects to use DES, which requires "weak authentication" > to be enabled. Although parts about adding patches for initiator credentials no longer > applies, this is still fairly useful. Hmm, I am have setup Kerberized NFS w/o "weak authentication" to be enabled, with mounted as 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What is requred DES in RPCSEC_GSS? (for me as user, how I can see what broken? some commands don't working or something else?) > https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup Yes, I am talk about this. > Anyone willing to improve/update this is more than welcome to do so. (I, personally, > haven't set up a Kerberized NFS for a couple of years and I hate fiddling with it. > When something isn't working, isolating the problem can be very difficult.) Yes, I am already see it. > Good luck with it, rick > ps: I put it on google as a wiki so anyone could update it, but I don't think > anyone ever has. As I recall, anyone with a google login can update it. > > > Can you give some examples for kerberoized setup, with support cron > > jobs? > > _______________________________________________ > > freebsd-hackers@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20151116155710.GB31314>