Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)
    Rick Macklem 
    rmacklem at uoguelph.ca
Cedric Blancher wrote:
> On 13 April 2014 01:28, Rick Macklem <rmacklem at uoguelph.ca> wrote:
> > Cedric Blancher wrote:
> >> How hard is it to do this with FreeBSD's NFSv4 implementation?
> >>
> > Well, amd doesn't know how to do nmount(2) { it still uses the old
> > mount(2) syscall } and, as such, can't do an NFSv4 mount.
> > - You can't automount NFSv4.
> >
> > FreeBSD's NFSv4 client can do a mount with a user's credential
> > (no system credential in the default keytab file)
> 
> Which system credential? nfs/, host/ or root/?
> 
Whatever name you wish. The "gssname=<name>" mount option specifies it.
(i.e. <name> can be root or nfs or host or whatever else you
 choose to use. Most servers map them to "nobody", although I think a
 Solaris server will map "root" to "root" on the server.)
> > if non-root
> > mounts are enabled, but the mount command must be done manually
> > by the user after logging in.
> 
> No automounter?
> 
FreeBSD's automounter is "amd" and it cannot do NFSv4 mounts, because
it still uses the old mount(2) syscall and not the newer nmount(2)
syscall. (I once took a look and converting it appeared non-trivial,
although it would be nice if someone did the conversion someday;-)
rick
> Ced
> 
> >
> > rick
> >
> >> Ced
> >>
> >> ---------- Forwarded message ----------
> >> From: Wang Shouhua <shouhuaw at gmail.com>
> >> Date: Sat, Apr 12, 2014 at 11:24 AM
> >> Subject: Accessing Kerberos NFS version 4 (not 2, 3) via /net
> >> automounter with kinit only (no /etc/krb5.conf access)
> >> To: Kerberos at mit.edu
> >>
> >>
> >> Let's recap:
> >>
> >> 1. Requirements:
> >> - Linux or Solaris
> >> - NFS automounter set up at /net
> >> - Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
> >> - A NFS server (version 4 only) nfsserver.most.gov.cn exists in
> >> the
> >> realm MOST.GOV.CN, with a subdir of test3
> >>
> >> 2. Goal:
> >> A user provides his password to obtain a ticket for
> >> user2 at MOST.GOV.CN
> >> (optionally nfs at MOST.GOV.CN, if this is a requirement to do a
> >> mount),
> >> and is then able to cd into /net/nfsserver.most.gov.cn/test3, and
> >> do
> >> a
> >> successful ls -al there
> >>
> >> Is that possible?
> >>
> >> Wang
> >>
> >> ---------- Forwarded message ----------
> >> From: Will Fiveash <will.fiveash at oracle.com>
> >> Date: 11 April 2014 22:14
> >> Subject: Re: Accessing Kerberos NFS via /net automounter with
> >> kinit
> >> only (no /etc/krb5.conf access)
> >> To: Wang Shouhua <shouhuaw at gmail.com>
> >> Cc: Kerberos at mit.edu
> >>
> >>
> >> On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
> >> > I am on Solaris 10U4 - can I access a NFS filesystem with
> >> > (mandatory)
> >> > krb5p authentication via the Solaris /net automounter with kinit
> >> > only,
> >> > without having r/w access to /etc/krb5.conf)?
> >>
> >> You'll need to have Solaris krb configured which stores its config
> >> in
> >> /etc/krb5 not /etc as is the MIT default.  You'll also need read
> >> access
> >> to /etc/krb5/krb5.conf and have the system properly configured to
> >> do
> >> NFS
> >> with krb in general (read the Solaris 10 online docs).
> >>
> >> Beyond that, whether a user kinit'ing is enough depends on which
> >> version
> >> of NFS you are using.  On the client side NFSv3 sec=krb5p shares
> >> will
> >> automount if the user triggering the mount has a krb cred in their
> >> ccache (klist will show that) and does not require any keys in the
> >> system keytab nor does it require root to have a krb cred in
> >> general.
> >>
> >> NFSv4 on the other hand does require that the root on the NFS
> >> client
> >> system have a krb cred in its ccache.  This can be done either by
> >> running kinit as root or having at least one set of keys for
> >> either
> >> the
> >> root/<host> or host/<host> service princ in the system keytab
> >> which
> >> will
> >> be automatically used to acquire a krb cred for root.
> >>
> >> On the client system "nfsstat -m" will show what version of NFS is
> >> being
> >> used.
> >>
> >> --
> >> Will Fiveash
> >> Oracle Solaris Software Engineer
> >>
> >>
> >> --
> >> Wang Shouhua - shouhuaw at gmail.com
> >> Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN
> >>
> >>
> >>
> >> --
> >> Cedric Blancher <cedric.blancher at gmail.com>
> >> Institute Pasteur
> 
> 
> 
> --
> Cedric Blancher <cedric.blancher at gmail.com>
> Institute Pasteur
> 
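The credential rule Will Fiveash spells out above (NFSv3 sec=krb5* needs only the triggering user's ccache, NFSv4 needs a root credential, usually from root/<host> or host/<host> keys in the system keytab) can be turned into a client-side prerequisite check. This is an added example, not code from the thread; the "nfsstat -m" and "klist -k" text it parses is constructed here, loosely in Solaris output format, and the client host name client.example.test is made up.

```shell
#!/bin/sh
# Constructed sample output, shaped like Solaris "nfsstat -m" and "klist -k".
NFSSTAT='/net/nfsserver.most.gov.cn/test3 from nfsserver.most.gov.cn:/export/test3
 Flags:         vers=4,proto=tcp,sec=krb5p,hard,intr,rsize=32768,wsize=32768
/net/legacy.example.test/data from legacy.example.test:/data
 Flags:         vers=3,proto=tcp,sec=krb5p,hard,intr,rsize=32768,wsize=32768'
KEYTAB='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- -------------------------------------------------------
   3 host/client.example.test@EXAMPLE2.COM
   3 nfs/client.example.test@EXAMPLE2.COM'

# Print "vers=N sec=FLAVOR" for mountpoint $1, reading nfsstat -m text on stdin.
mount_flags() {
    awk -v mp="$1" '
        $1 == mp && $2 == "from" { found = 1; next }
        found && $1 == "Flags:" {
            n = split($2, kv, ",")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^vers=/) v = substr(kv[i], 6)
                if (kv[i] ~ /^sec=/)  s = substr(kv[i], 5)
            }
            print "vers=" v " sec=" s; exit
        }'
}

# Succeed if the keytab listing on stdin has root/$1@$2 or host/$1@$2.
keytab_has_root_key() {
    grep -Eq "[[:space:]](root|host)/$1@$2\$"
}

# Arguments: mountpoint, client host, realm. Reports which credential the
# mount depends on; the v4 branch only checks the keytab, not root's ccache.
required_cred() {
    flags=$(printf '%s\n' "$NFSSTAT" | mount_flags "$1")
    case "$flags" in
        *sec=krb5*) ;;                      # krb5, krb5i or krb5p
        *) echo "no-kerberos"; return ;;
    esac
    case "$flags" in
        vers=3*) echo "user-ccache" ;;      # the user's kinit is enough
        vers=4*)
            if printf '%s\n' "$KEYTAB" | keytab_has_root_key "$2" "$3"; then
                echo "root-cred-from-keytab"
            else
                echo "root-cred-missing"    # root must kinit or keys must be added
            fi ;;
    esac
}
```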