From: "J. Bruce Fields" <bfields@fieldses.org>
To: Lukas Hejtmanek <xhejtman@ics.muni.cz>
Cc: linux-nfs@vger.kernel.org
Subject: Re: NFSv4 backchannel authentication
Date: Tue, 7 Aug 2012 11:41:14 -0400
Message-ID: <20120807154114.GA21460@fieldses.org>
In-Reply-To: <20120806135517.GS25979@ics.muni.cz>
On Mon, Aug 06, 2012 at 03:55:17PM +0200, Lukas Hejtmanek wrote:
> it seems that RHEL NFSv4 servers use GSS authentication for backchannels as
> well (if mounted with GSS). That would be OK, but it requires that the server is
> running rpc.gssd and the client is running rpc.svcgssd, which is not usual.
The init scripts probably need to be fixed to start both in both cases.
Worth filing a bug, I think.
> Is there a way to mount clients with sec=krb5/i/p and use backchannels just
> with UNIX auth?
Not with NFSv4; from http://www.ietf.org/rfc/rfc3530.txt section 3.4:
"Except as noted elsewhere in this section, the callback RPC
(described later) MUST mutually authenticate the NFS server to
the principal that acquired the clientid (also described later),
using the security flavor the original SETCLIENTID operation
used."
(Actually, perhaps there's a loophole that would allow SETCLIENTID to be
done with auth_sys while file access is still done with gss. I don't
think so, but I forget the details. In practice the clients do all use
gss.)
4.1 does allow the client to request a different security flavor on the
backchannel, and the linux client does use auth_sys on the backchannel
even when using gss on the forechannel.
--b.
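A check that applies the rule discussed above (an added example, not code from the thread or from nfs-utils): it reads a /proc/mounts excerpt, treats every NFSv4.0 mount with a krb5* flavor as one whose callback channel will itself be GSS-authenticated, and reports which daemons the client host is missing. The /proc/mounts lines and the set of running daemons are constructed sample input.

```python
from dataclasses import dataclass

# Constructed /proc/mounts excerpt (not from the thread): a v4.0 krb5p mount,
# a v4.1 krb5 mount and a v4.0 auth_sys mount.
SAMPLE_PROC_MOUNTS = """\
nfs.example.org:/export/home /home nfs4 rw,relatime,vers=4.0,sec=krb5p,clientaddr=10.0.0.5,addr=10.0.0.1 0 0
nfs.example.org:/export/data /data nfs4 rw,relatime,vers=4.1,sec=krb5,clientaddr=10.0.0.5,addr=10.0.0.1 0 0
nfs.example.org:/export/pub /pub nfs4 ro,relatime,vers=4.0,sec=sys,clientaddr=10.0.0.5,addr=10.0.0.1 0 0
"""

@dataclass
class Mount:
    mountpoint: str
    version: str          # "4.0", "4.1", ...
    flavor: str           # the sec= option, e.g. "krb5p"
    gss_backchannel: bool # True when the callback channel must use GSS too

def parse_options(optstr):
    """Turn 'rw,vers=4.0,sec=krb5p' into {'rw': '', 'vers': '4.0', 'sec': 'krb5p'}."""
    return dict(item.partition("=")[::2] for item in optstr.split(","))

def nfs4_mounts(proc_mounts):
    """Classify the nfs4 entries of a /proc/mounts text by backchannel flavor."""
    mounts = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "nfs4":
            continue
        opts = parse_options(fields[3])
        version = opts.get("vers", "4")
        if version == "4":  # older kernels spell 4.1 as vers=4,minorversion=1
            version = "4." + opts.get("minorversion", "0")
        flavor = opts.get("sec", "sys")
        # RFC 3530 s3.4: the v4.0 callback must use the SETCLIENTID flavor, so a
        # krb5* mount gets a GSS backchannel; v4.1 lets the client ask for
        # auth_sys on the backchannel instead, which the Linux client does.
        gss_backchannel = flavor.startswith("krb5") and version == "4.0"
        mounts.append(Mount(fields[1], version, flavor, gss_backchannel))
    return mounts

def missing_client_daemons(mounts, running):
    """Daemons the client host needs but is not running: rpc.gssd for any krb5
    mount, rpc.svcgssd as well when a GSS-authenticated callback must be accepted."""
    needed = set()
    for m in mounts:
        if m.flavor.startswith("krb5"):
            needed.add("rpc.gssd")
        if m.gss_backchannel:
            needed.add("rpc.svcgssd")
    return sorted(needed - set(running))
```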