From: "J. Bruce Fields" <bfields@fieldses.org>
To: Simo Sorce <simo@redhat.com>
Cc: bfields@redhat.com, linux-nfs@vger.kernel.org
Subject: Re: [PATCH 4/5] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth
Date: Tue, 17 Apr 2012 18:28:25 -0400
Message-ID: <20120417222825.GA32619@fieldses.org>
In-Reply-To: <1334669948-4156-5-git-send-email-simo@redhat.com>

On Tue, Apr 17, 2012 at 09:39:07AM -0400, Simo Sorce wrote:
> This patch implements a sunrpc client to use the services of the gssproxy
> userspace daemon.
> 
> In particular it allows performing calls in user space using an RPC
> call instead of custom hand-coded upcall/downcall messages.

The "hand-coded" messages aren't really particularly hard to generate or
parse.  Let's just drop that argument.

> Currently only accept_sec_context is implemented, as that is all that is
> needed for the server case.
> 
> File server modules like NFS and CIFS can use full gssapi services this way,
> once init_sec_context is also implemented.

What's the situation with CIFS, by the way?  (How does it currently do
gssapi, and what are their plans?)

> For the NFS server case this code allows lifting the limit of max 2k krb5
> tickets. This limit prevents legitimate kerberos deployments from using krb5
> authentication with the Linux NFS server, as they normally have tickets that
> are many kilobytes large.
> 
> It will also allow lifting the limitation on the size of the credential set
> (uid,gid,gids) passed down from user space for users that have very many
> groups associated. Currently the downcall mechanism used by rpc.svcgssd is
> limited to around 2k secondary groups of the 65k allowed by kernel structures.

Remind me what remains to be done before that works?

--b.
