NFSv4 details and documentations

Slawa Olhovchenkov slw at zxy.spb.ru
Mon Nov 30 16:59:45 UTC 2015


On Mon, Nov 16, 2015 at 06:00:16PM -0500, Rick Macklem wrote:

> > But this is wrong: not only exported, access control too.
> > Maybe for an NFS guru this is trivial, but for ordinary users this is confusing.
> > 
> > > > What is the current status of Kerberos support in the NFS client/server? I found
> > > > many posts and wiki pages about the lack of some functionality, but also see
> > > > much work from you.
> > > > 
> > > The main limitation (which comes from the fact that the RPCSEC_GSS
> > > implementation is version 1) is that it expects to use DES, which requires
> > > "weak authentication" to be enabled. Although the parts about adding patches
> > > for initiator credentials no longer apply, this is still fairly useful.
> > 
> > Hmm, I have set up Kerberized NFS without "weak authentication"
> > enabled, mounted as
> > 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What requires
> > DES in RPCSEC_GSS? (For me as a user, how can I see what is broken? Some
> > commands don't work, or something else?)
> > 
> Well, if the mount is working, you aren't broken. I do recommend against
> using "soft" or "intr" on NFSv4 mounts, because the locking stuff
> (which includes file opens) breaks if an RPC gets interrupted.
> That is on one of the man pages, maybe "man nfsv4".
> 
> Usually you can't create the keytab entries unless you enable weak authentication,
> but if you've gotten it working, be happy;-)
> (DES is used for krb5p and none of the Kerberized NFS stuff works for
>  encryption types with larger keys than 8 bytes, from what I know. I
>  always used des-cbc-crc, because that is what all clients/servers are
>  supposed to support. Once you move away from that, you are experimenting
>  and it works or not.)

The mount is working, but all access (from any account) goes through the mounting
credentials (if I mount with allgssname,gssname=host -- as root and mapped
to nobody; if I mount as a user -- all access is as that user, root also as
that user). What am I missing or misunderstanding?
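As an added example (not from this thread or from FreeBSD itself), a small audit that flags the "soft"/"intr" options the reply above advises against on NFSv4 mounts and reports each mount's sec= flavor. It assumes the two-line-per-mount layout of `nfsstat -m` output (a "server:/export on /mnt" line followed by a comma-separated option line); the sample below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit NFSv4 mounts for soft/intr (locking and opens break if an RPC is
# interrupted) and show the RPCSEC_GSS flavor in use for each mount.
# Input layout assumed: FreeBSD `nfsstat -m` style, two lines per mount.

# Constructed sample output (hypothetical server fs.example.test).
SAMPLE_NFSSTAT='fs.example.test:/export on /mnt/export
nfsv4,minorversion=0,tcp,resvport,soft,intr,cto,sec=krb5i,rsize=65536,wsize=65536,timeout=120,retrans=2
fs.example.test:/home on /home
nfsv4,minorversion=0,tcp,resvport,hard,cto,sec=krb5p,rsize=65536,wsize=65536,timeout=120,retrans=2'

# audit_nfs_mounts: read nfsstat -m style text on stdin; print one line per
# NFSv4 mount ("WARN" or "OK", mount point, sec= flavor, "sys" when absent).
# Returns 1 if any NFSv4 mount uses soft or intr, 0 otherwise.
audit_nfs_mounts() {
    awk '
        / on \// { mountpoint = $3; next }          # "server:/export on /mnt"
        /^nfsv4/ {
            flags = "," $0 ","                      # delimit for exact matching
            sec = "sys"
            if (match(flags, /,sec=[^,]*,/))
                sec = substr(flags, RSTART + 5, RLENGTH - 6)
            bad = (flags ~ /,soft,/ || flags ~ /,intr,/)
            printf "%s %s sec=%s\n", (bad ? "WARN" : "OK"), mountpoint, sec
            if (bad) rc = 1
        }
        END { exit rc }
    '
}

# Usage on a live system:  nfsstat -m | audit_nfs_mounts
# Usage on the sample:     printf "%s\n" "$SAMPLE_NFSSTAT" | audit_nfs_mounts
```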
