RE: NFSv4 security negotiation issue

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Frank Filz" <ffilzlnx@mindspring.com>
To: "'Chuck Lever'" <chuck.lever@oracle.com>
Cc: "'Linux NFS Mailing List'" <linux-nfs@vger.kernel.org>
Subject: RE: NFSv4 security negotiation issue
Date: Tue, 15 Sep 2015 11:45:18 -0700	[thread overview]
Message-ID: <01ae01d0efe6$bac7d7c0$30578740$@mindspring.com> (raw)
In-Reply-To: <242A24C3-0D5F-4181-9E99-E8E9EDE12190@oracle.com>

> On Sep 15, 2015, at 1:41 PM, Frank Filz <ffilzlnx@mindspring.com> wrote:
> 
> >> There are two shares on the server.
> >>
> >> The share being mounted is /export/CTHON. It is a sys-only share. No
> > "sec="
> >> option is used on the mount command. The expected outcome is that the
> >> mount will succeed and use sec=sys.
> >>
> >> The share that is not being mounted here is /export/KRB5.
> >> It is shared with at least krb5i, which means the set of flavors the
> > server
> >> accepts for the pseudofs includes both krb5i and sys.
> >>
> >> The client has already negotiated krb5i to access the pseudofs. I see
> >> a PUTROOTFH using krb5i and it is successful. The negotiation is not
> >> in the
> > trace
> >> I have.
> >>
> >> I see a number of GETATTRs then a LOOKUP /export, all with krb5i, all
> >> successful.
> >>
> >> Using krb5i, LOOKUP /CTHON, which fails with WRONGSEC.
> >>
> >> Client recovers with SECINFO on /CTHON using krb5i. The server
> >> responds with a list containing just AUTH_UNIX.
> >>
> >> Client tries the LOOKUP /CTHON again, now with sys. It works.
> >>
> >> Similar GETATTR activity using sys as the client mounts this share.
> >>
> >> Then one last GETATTR, this time using krb5i. The FH is the
> >> /export/CTHON directory. This fails with WRONGSEC.
> >>
> >> The attr mask here is Supported Attrs, FH_Expire_type, Link_Support,
> >> Symlink_Support, ACLSupport. This is from nfs4_server_capabilities(),
> > which
> >> is invoked only in nfs4_proc_get_rootfh() and nfs4_proc_get_root().
> >>
> >> The next operation OTW is a RENEW that happens a minute later.
> >
> > From that sequence, I'm pretty sure we want to fix this in the client
> > not the server.
> >
> > Hmm, did fsid change?
> 
> I'm not sure how to tell. The working LOOKUP operations on parent/CTHON
> always return the same FSID.

I should have been more clear... Is the fsid for /export different from the
fsid for /export/CTHON? If it changes that should produce a new superblock.

> > Does the mount work if sec=sys is specified?
> 
> Yes.

And with different mount options, a different superblock should definitely
be created.

I wonder if there is some way we can push up the security negotiation to
help identify a new superblock is necessary, equivalent to having a
different mount option?

Frank


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

next prev parent reply	other threads:[~2015-09-15 18:46 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-09-15 15:52 NFSv4 security negotiation issue Chuck Lever
2015-09-15 16:33 ` Frank Filz
2015-09-15 17:15   ` Chuck Lever
2015-09-15 17:41     ` Frank Filz
2015-09-15 18:17       ` Chuck Lever
2015-09-15 18:45         ` Frank Filz [this message]
2015-09-15 19:11           ` Chuck Lever
2015-09-15 20:28             ` Frank Filz
2015-09-15 20:36               ` Chuck Lever

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='01ae01d0efe6$bac7d7c0$30578740$@mindspring.com' \
    --to=ffilzlnx@mindspring.com \
    --cc=chuck.lever@oracle.com \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.