From: NeilBrown <neilb@suse.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Steve Dickson <SteveD@redhat.com>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH 0/3] Various gssd fixes including machine-credential issue.
Date: Mon, 3 Jun 2013 13:01:01 +1000	[thread overview]
Message-ID: <20130603130101.4acfe706@notabene.brown> (raw)
In-Reply-To: <0016A272-E433-4020-91FE-45A5EE494296@oracle.com>

On Sun, 2 Jun 2013 22:45:16 -0400 Chuck Lever <chuck.lever@oracle.com> wrote:

> 
> On Jun 2, 2013, at 10:23 PM, NeilBrown <neilb@suse.de> wrote:
> 
> > On Sun, 2 Jun 2013 22:01:50 -0400 Chuck Lever <chuck.lever@oracle.com> wrote:
> > 
> >> 
> >> On Jun 2, 2013, at 9:00 PM, Neil Brown <neilb@suse.de> wrote:
> >> 
> >>> As you probably know, since 3.7 (I think) Linux NFS has explicitly
> >>> asked for machine credentials for certain requests rather than asking
> >>> for root credentials as it previously did.
> >>> This causes a regression for people who don't have any machine
> >>> credentials configured and use "gssd -n".
> >>> 
> >>> I gather this was discussed on the mailing list earlier this year but
> >>> not resolved.
> >> 
> >> It's resolved in 3.10-rc.
> >> 
> >> The kernel will attempt to use krb5i for lease management operations.  If that fails because there is no keytab available, it falls back to using AUTH_SYS.
> > 
> > And if the server refuses to accept AUTH_SYS?
> > 
> > I guess this is commit 79d852bf5e7691dc7 ??
> 
> That's one of the subsequent bug fixes.  The initial change is commit 4edaa308.
> 
> > It seems to say that the server should always accept AUTH_SYS ... is that right?
> 
> If we ever find a server implementation that does not support either Kerberos or AUTH_SYS, we can add another step to the negotiation.
> 
> So far, despite RFC 3530 not requiring AUTH_SYS support on NFSv4 servers, I haven't found an implementation that does not support AUTH_SYS.  We have found one (FreeBSD) that does not support AUTH_NONE.  We do know that some servers allow administrators to control what security flavors are allowed for lease management.
> 
> > That commit isn't tagged for -stable.
> > So do we still need to make it work for 3.7,3.8,3.9 users?
> 
> There are several commits that would need to be back-ported, starting with commit 4edaa308.  I am not certain they would apply cleanly to 3.[789], but a backport should not be difficult.
> 
> This change also requires that now gssd must be running on the client.  Otherwise without gssd a sec=sys mount hangs for a bit waiting for the upcall to time out (since the client will attempt to use krb5i for lease management operations).  Trond and Bruce have been discussing a change to address that.

Thanks for the explanation.  That all looks rather painful to back-port
though, especially as some of it isn't even written yet :-)
I think I'll stick with my "-N" option for openSUSE for now.

Do you think that supporting -N (or similar) so that the admin can ask for
root credentials to be used for SETCLIENTID requests is reasonable? i.e. what
do you think of my patch going in to nfs-utils anyway?

Thanks,
NeilBrown