From: Zdenek Salvet <salvet@ics.muni.cz>
To: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
Cc: "J. Bruce Fields" <bfields@fieldses.org>,
Lukas Hejtmanek <xhejtman@ics.muni.cz>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: NFSv4 backchannel authentication
Date: Wed, 8 Aug 2012 09:58:13 +0200
Message-ID: <20120808075813.GW604@horn.ics.muni.cz>
In-Reply-To: <1344355148.5781.31.camel@lade.trondhjem.org>
On Tue, Aug 07, 2012 at 18:12:11 +0200, Lukas Hejtmanek wrote:
> well, ok, thanks for answers. However, it seems that while NFS server's name
> is server-home.domain.com (floating name), and true hostname is
> server1.domain.com, it does not matter that callback is authenticated with
> server1.domain.com instead of server-home.domain.com.
>
> Is this expected? Or is it a bug?
It does matter: the callback client name must match the name the NFS client uses
for the server.
We don't see any hard failures because the NFS protocol does
not depend on working callback RPCs, but no delegations are granted
(we had the nfs-kernel-server package installed on clients before, which masked
the bug).
> I would suppose that client rejects authentication of the backchannel from
> server that sends nfs/server1.domain.com KRB principal instead of expected
> nfs/server-home.domain.com.
>
> The client mounts server-home.domain.com with sec=krb5i. Using debugs I can
> see that the server picks up nfs/server1.domain.com key from /etc/krb5.keytab
> and the client seems to be happy with that (context is established).
The server name is checked later, when the context is used for an actual callback RPC.
Best regards,
Zdenek Salvet salvet@ics.muni.cz
Institute of Computer Science of Masaryk University, Brno, Czech Republic
and CESNET, z.s.p.o., Prague, Czech Republic
Phone: ++420-549 49 6534 Fax: ++420-541 212 747
----------------------------------------------------------------------------
Teamwork is essential -- it allows you to blame someone else.
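As an added illustration of the point made in this reply (the callback client's Kerberos principal has to be built from the name the client mounted, not from the server's canonical hostname, or delegations silently stop being granted), here is a small check an administrator could run on the server before debugging. It is not code from the thread or from nfs-utils; the hostnames server-home.domain.com and server1.domain.com come from the thread, while the realm DOMAIN.COM and the `klist -k` output are constructed for the example.

```python
import re

# Constructed sample of what `klist -k` prints on the NFS server in the
# thread's scenario: only the canonical hostname (server1.domain.com) has an
# nfs/ key, the floating name the clients mount (server-home.domain.com) does
# not. The realm DOMAIN.COM is an assumption; the thread never names it.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/server1.domain.com@DOMAIN.COM
   2 host/server1.domain.com@DOMAIN.COM
"""

# One keytab entry line: a KVNO, whitespace, then principal@REALM.
_ENTRY_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")


def keytab_principals(klist_output):
    """Parse `klist -k` output into the set of principal names it lists."""
    principals = set()
    for line in klist_output.splitlines():
        match = _ENTRY_RE.match(line)
        if match:
            principals.add(match.group(1))
    return principals


def expected_callback_principal(mount_host, realm):
    """Principal the client expects on the backchannel: nfs/<name the client
    mounted>@REALM. mount_host is used exactly as the client spells it in the
    mount, since that is the name the client compares against."""
    return "nfs/%s@%s" % (mount_host, realm)


def check_callback_principal(mount_host, realm, klist_output):
    """Report whether the server keytab holds the principal the client will
    demand for callbacks. 'present' False means the GSS context may still be
    established (as Lukas observed) but the name check at callback-RPC time
    fails, so no delegations are handed out."""
    present = keytab_principals(klist_output)
    expected = expected_callback_principal(mount_host, realm)
    nfs_keys = sorted(p for p in present if p.startswith("nfs/"))
    return {
        "expected": expected,
        "present": expected in present,
        "nfs_principals_in_keytab": nfs_keys,
    }


if __name__ == "__main__":
    result = check_callback_principal("server-home.domain.com", "DOMAIN.COM",
                                      SAMPLE_KLIST_OUTPUT)
    if result["present"]:
        print("OK: keytab has %s" % result["expected"])
    else:
        print("MISSING: client mounting by that name expects %s; keytab only has %s"
              % (result["expected"], ", ".join(result["nfs_principals_in_keytab"])))
```

Run with the real `klist -k` output and the name that appears in the clients' mount options; a "MISSING" result for the floating name is exactly the silent no-delegation state described in this message.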
Thread overview: 18+ messages
2012-08-06 13:55 NFSv4 backchannel authentication Lukas Hejtmanek
2012-08-07 15:41 ` J. Bruce Fields
2012-08-07 15:59 ` Myklebust, Trond
2012-08-07 16:12 ` Lukas Hejtmanek
2012-08-08 7:58 ` Zdenek Salvet [this message]
2012-08-08 13:18 ` Myklebust, Trond
2012-08-09 8:06 ` Zdenek Salvet
2012-08-09 14:45 ` J. Bruce Fields
2012-08-09 15:53 ` Myklebust, Trond
2012-08-09 16:28 ` Lukas Hejtmanek
2012-08-09 16:30 ` Myklebust, Trond
2012-08-09 16:38 ` J. Bruce Fields
2012-08-09 16:49 ` Myklebust, Trond
2012-08-09 16:50 ` J. Bruce Fields
2012-08-09 17:58 ` Zdenek Salvet
2012-08-09 18:01 ` [PATCH] README: note gssd/svcgssd may be needed on both sides J. Bruce Fields
2012-08-10 5:20 ` NFSv4 backchannel authentication NeilBrown
2012-08-10 17:23 ` J. Bruce Fields