Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)

Rick Macklem rmacklem at uoguelph.ca
Sat Apr 12 23:28:56 UTC 2014


Cedric Blancher wrote:
> How hard is it to do this with FreeBSD's NFSv4 implementation?
> 
Well, amd doesn't know how to do nmount(2) { it still uses the old
mount(2) syscall } and, as such, can't do an NFSv4 mount.
- You can't automount NFSv4.

FreeBSD's NFSv4 client can do a mount with a user's credential
(no system credential in the default keytab file) if non-root
mounts are enabled, but the mount command must be done manually
by the user after logging in.

rick

> Ced
> 
> ---------- Forwarded message ----------
> From: Wang Shouhua <shouhuaw at gmail.com>
> Date: Sat, Apr 12, 2014 at 11:24 AM
> Subject: Accessing Kerberos NFS version 4 (not 2, 3) via /net
> automounter with kinit only (no /etc/krb5.conf access)
> To: Kerberos at mit.edu
> 
> 
> Let's recap:
> 
> 1. Requirements:
> - Linux or Solaris
> - NFS automounter set up at /net
> - Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
> - A NFS server (version 4 only) nfsserver.most.gov.cn exists in the
> realm MOST.GOV.CN, with a subdir of test3
> 
> 2. Goal:
> A user provides his password to obtain a ticket for user2 at MOST.GOV.CN
> (optionally nfs at MOST.GOV.CN, if this is a requirement to do a mount),
> and is then able to cd into /net/nfsserver.most.gov.cn/test3, and do a
> successful ls -al there
> 
> Is that possible?
> 
> Wang
> 
> ---------- Forwarded message ----------
> From: Will Fiveash <will.fiveash at oracle.com>
> Date: 11 April 2014 22:14
> Subject: Re: Accessing Kerberos NFS via /net automounter with kinit
> only (no /etc/krb5.conf access)
> To: Wang Shouhua <shouhuaw at gmail.com>
> Cc: Kerberos at mit.edu
> 
> 
> On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
> > I am on Solaris 10U4 - can I access a NFS filesystem with (mandatory)
> > krb5p authentication via the Solaris /net automounter with kinit only,
> > without having r/w access to /etc/krb5.conf?
> 
> You'll need to have Solaris krb configured which stores its config in
> /etc/krb5 not /etc as is the MIT default.  You'll also need read access
> to /etc/krb5/krb5.conf and have the system properly configured to do NFS
> with krb in general (read the Solaris 10 online docs).
> 
> Beyond that, whether a user kinit'ing is enough depends on which version
> of NFS you are using.  On the client side NFSv3 sec=krb5p shares will
> automount if the user triggering the mount has a krb cred in their
> ccache (klist will show that) and does not require any keys in the
> system keytab nor does it require root to have a krb cred in general.
> 
> NFSv4 on the other hand does require that the root on the NFS client
> system have a krb cred in its ccache.  This can be done either by
> running kinit as root or having at least one set of keys for either the
> root/<host> or host/<host> service princ in the system keytab which will
> be automatically used to acquire a krb cred for root.
> 
> On the client system "nfsstat -m" will show what version of NFS is being
> used.
> 
> --
> Will Fiveash
> Oracle Solaris Software Engineer
> 
> 
> --
> Wang Shouhua - shouhuaw at gmail.com
> Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> --
> Cedric Blancher <cedric.blancher at gmail.com>
> Institute Pasteur
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to
> "freebsd-hackers-unsubscribe at freebsd.org"
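As an added illustration of the "nfsstat -m" check Will describes in the quoted message (not code from the thread or from any of the projects mentioned), the following script parses the per-mount Flags lines of that command's output and reports which mounts are NFSv4 with a Kerberos flavor, i.e. the ones for which the client's root needs its own credential. The nfsstat output format and the sample below are assumed and constructed, not taken from the page.

```shell
#!/bin/sh
# Added example. Parses the "Flags:" lines of `nfsstat -m` output and
# reports, per mount, the NFS version and security flavor, plus whether
# the client's root needs its own Kerberos credential (the NFSv4 rule
# from the quoted message). The sample text is constructed and the
# Solaris `nfsstat -m` layout it mimics is an assumption.

SAMPLE_NFSSTAT='/net/nfsserver.most.gov.cn/test3 from nfsserver.most.gov.cn:/test3
 Flags:         vers=4,proto=tcp,sec=krb5p,hard,intr,link,symlink,acl,rsize=32768,wsize=32768
 Attr cache:    acregmin=3,acregmax=60,acdirmin=30,acdirmax=60
/net/oldsrv/export from oldsrv:/export
 Flags:         vers=3,proto=tcp,sec=krb5p,hard,intr,link,symlink,acl,rsize=32768,wsize=32768
 Attr cache:    acregmin=3,acregmax=60,acdirmin=30,acdirmax=60
/net/plain/home from plain:/home
 Flags:         vers=3,proto=tcp,sec=sys,hard,intr,link,symlink,acl,rsize=32768,wsize=32768
'

# classify_mounts: read nfsstat -m text on stdin; print one line per mount:
#   <mountpoint> vers=<n> sec=<flavor> root_cred=<needed|not-needed>
classify_mounts() {
    awk '
        # a line that does not start with whitespace names the next mount
        /^[^ \t]/ { mnt = $1; next }
        /^[ \t]*Flags:/ {
            vers = "?"; sec = "?"
            n = split($2, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^vers=/) vers = substr(opts[i], 6)
                if (opts[i] ~ /^sec=/)  sec  = substr(opts[i], 5)
            }
            # NFSv4 with a Kerberos flavor needs a credential for root
            # (keytab key or root kinit); v3 rides on the user ccache only
            need = (vers == "4" && sec ~ /^krb5/) ? "needed" : "not-needed"
            printf "%s vers=%s sec=%s root_cred=%s\n", mnt, vers, sec, need
        }
    '
}

# needs_root_cred MOUNTPOINT: exit 0 if that sample mount needs a root cred
needs_root_cred() {
    printf '%s' "$SAMPLE_NFSSTAT" | classify_mounts |
        awk -v m="$1" '$1 == m && $4 == "root_cred=needed" { found = 1 }
                       END { exit !found }'
}

printf '%s' "$SAMPLE_NFSSTAT" | classify_mounts
```

On a real client, replace the constructed sample with `nfsstat -m | classify_mounts`; the klist/keytab state of root is still checked separately.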
