Re: [PATCH] Adding the nfs4_secure_mounts bool

[NeilBrown <neilb@suse.de>]

[-- Attachment #1: Type: text/plain, Size: 1433 bytes --]

On Wed, 13 Nov 2013 04:15:26 +0000 "Myklebust, Trond"
<Trond.Myklebust@netapp.com> wrote:

> On Tue, 2013-11-12 at 22:46 -0500, J. Bruce Fields wrote:
> 
> > OK, but it still seems dumb to even attempt the reverse lookup: the
> > lookup probably isn't secure, and the mount commandline should have a
> > name that we can match to a krb5 principal without needing any other
> > lookups.
> > 
> > So I'd think reasonable behavior in this case would be to just try the
> > IP address on the chance there's actually an nfs/x.y.z.w@REALM
> > principal.  (Or just fail outright if kerberos doesn't allow principals
> > that look like that.)
> 
> Looking through the krb5.conf manpage etc it looks as if a lot of this
> functionality should be covered by the krb protocol itself without us
> needing to do explicit reverse lookups in rpc.gssd. I'm thinking of the
> 'canonicalize' and 'rdns' options, for instance. Am I wrong?
> 

I suspect there is a good chance that you are correct, though my man page
only mentions "rdns", not "canonicalize" so there may be some version
dependency to think about.

However I think fixing this is a separate (though related) issue to fixing my
current problem and would probably require more code examination and testing
than I feel inclined to at the moment.  So I'll leave this side of the
question alone and just fix the bit that is clearly broken.

Thanks,
NeilBrown

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 828 bytes --]