From: NeilBrown <neilb@suse.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH] NFS: Fix keytabless mounts
Date: Wed, 5 Jun 2013 11:39:32 +1000
Message-ID: <20130605113932.2999cf8f@notabene.brown>
In-Reply-To: <20130605004523.14256.24793.stgit@seurat.1015granger.net>

On Tue, 04 Jun 2013 20:56:31 -0400 Chuck Lever <chuck.lever@oracle.com> wrote:
> Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting"
> Fri Sep 14 17:24:32 2012 introduced Uniform Client String support,
> which forces our NFS client to establish a client ID immediately
> during a mount operation rather than waiting until a user wants to
> open a file.
>
> Normally machine credentials (e.g. from a keytab) are used to perform
> a mount operation that is protected by Kerberos. Before 05f4c350,
> SETCLIENTID uses a machine credential, or falls back to a regular
> user's credential if no keytab is available.
>
> 05f4c350 seems to have broken the ability to mount with sec=krb5 on
> clients that don't have a keytab. Performing SETCLIENTID early
> means there may be no user credential to fall back on, since during
> system initialization no regular user has kinit'd yet.
>
> Typically, root is required to kinit in this situation anyway to
> make a sec=krb5 mount work. So, the kernel should try to use root's
> credential for lease management if there's no keytab.
>
> The new logic should cause the root credential to be tried only
> after both the machine cred and a user cred are found to be
> unavailable.
>
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
>
> Hi Neil-
>
> Here's a wacky idea to continue our conversation. Tested just
> enough to confirm it may do something useful. Applies to 3.7.
> Something similar might work for 3.8 and 3.9.
>

Thanks Chuck! Looks interesting.
I'll see if I can get it tested by someone who actually depends on this
working. I'll let you know how it goes.

NeilBrown