From: "E.G. Keizer" <E.G.Keizer@vu.nl>
To: <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 0/3] Various gssd fixes including machine-credential issue.
Date: Wed, 5 Jun 2013 16:05:14 +0200 [thread overview]
Message-ID: <51AF459A.1040609@vu.nl> (raw)
First, I would like to wholeheartedly support Neil Brown's comment. We at the
Vrije Universiteit in Amsterdam (NL) also have the situation where the Kerberos
administrator does not hand out machine credentials. A lot of Linux users from
the Faculty of Sciences depend on the functionality that lets them access
the NFS file servers with only their user credentials.
Second, I would like to make a remark on basing client ids on the system's Kerberos principal's name.
That same faculty, in the times it had its own IT department, used an identical keytab for
all Linux workstations, using the principal names "[nfs|root|host]/workstation@FEW.VU.NL".
I understand this would lead to severe problems when the client id (co_ownerid) is based
solely on the system's root principal name.
It seems to me that the issues about the client id look like a bag of worms. I've seen that the
newest standard `requires' integrity protection for client id exchanges. I doubt
that that will help when the source code of the NFS client is known and
the client id is guessable. The wisest thing might be to offer different options
and let the administrators pick the one they like best?
Regards,
Ed Keizer
IT department
Vrije Universiteit
Amsterdam
NL
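The collision scenario described in the message above, as an added example that is not part of the original message or of the Linux NFS client code: a fleet of workstations sharing one keytab, with the NFSv4 client identifier (co_ownerid) derived once from the principal alone and once from the principal plus a per-host uniquifier. The hostnames, principals, id formats and the `simulate_setclientid` server model are constructed for illustration; the model follows the simplified rule that a client presenting an already-known co_ownerid with a fresh verifier is treated as a restarted client and the previous holder's state is discarded.

```python
"""Added example: how a co_ownerid derived solely from a shared machine
principal collides across hosts, and what a server that treats a
re-presented id as a client restart does with the earlier lease.
Everything here is constructed for illustration; it is not the kernel's
client-id derivation.
"""

# Constructed fleet: every workstation carries the *same* keytab, as in the
# message ("identical keytab for all Linux workstations").
WORKSTATIONS = [
    {"hostname": "ws01.few.vu.nl", "principal": "nfs/workstation@FEW.VU.NL"},
    {"hostname": "ws02.few.vu.nl", "principal": "nfs/workstation@FEW.VU.NL"},
    {"hostname": "ws03.few.vu.nl", "principal": "nfs/workstation@FEW.VU.NL"},
]


def ownerid_from_principal(host):
    """Hypothetical derivation: co_ownerid built solely from the principal."""
    return f"Linux NFSv4.1 {host['principal']}"


def ownerid_with_host_uniquifier(host):
    """Hypothetical derivation: principal plus the host's own nodename."""
    return f"Linux NFSv4.1 {host['hostname']} {host['principal']}"


def find_collisions(hosts, derive):
    """Return {co_ownerid: [hostnames]} for every id claimed by more than one host."""
    claims = {}
    for h in hosts:
        claims.setdefault(derive(h), []).append(h["hostname"])
    return {cid: names for cid, names in claims.items() if len(names) > 1}


def simulate_setclientid(hosts, derive):
    """Simplified server view of SETCLIENTID/EXCHANGE_ID: each host boots and
    presents its co_ownerid with a fresh verifier.  If another host already
    holds a lease under the same id, the server treats this as that client
    restarting and replaces the lease, so the earlier host loses its state.
    Returns a list of (evicted_host, evicting_host) pairs, in order."""
    lease = {}       # co_ownerid -> hostname currently holding the lease
    evictions = []
    for h in hosts:
        cid = derive(h)
        holder = lease.get(cid)
        if holder is not None and holder != h["hostname"]:
            evictions.append((holder, h["hostname"]))
        lease[cid] = h["hostname"]
    return evictions


if __name__ == "__main__":
    for name, derive in (("principal only", ownerid_from_principal),
                         ("principal + host", ownerid_with_host_uniquifier)):
        print(f"{name}: collisions={find_collisions(WORKSTATIONS, derive)} "
              f"evictions={simulate_setclientid(WORKSTATIONS, derive)}")
```

With the principal-only derivation all three workstations present the same id, so each boot silently evicts the previous machine's lease (and its open/lock state); adding a per-host component removes the collision without touching the keytab.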
Thread overview: 23+ messages
2013-06-05 14:05 E.G. Keizer [this message]
2013-06-05 14:25 ` [PATCH 0/3] Various gssd fixes including machine-credential issue Myklebust, Trond
2013-06-05 14:48 ` E.G. Keizer
2013-06-05 15:14 ` Myklebust, Trond
2013-06-05 15:19 ` Chuck Lever
2013-06-05 15:23 ` Myklebust, Trond
2013-06-05 15:24 ` Chuck Lever
-- strict thread matches above, loose matches on Subject: below --
2013-06-03 1:00 Neil Brown
2013-06-03 2:01 ` Chuck Lever
2013-06-03 2:23 ` NeilBrown
2013-06-03 2:45 ` Chuck Lever
2013-06-03 3:01 ` NeilBrown
2013-06-03 4:32 ` Chuck Lever
2013-06-03 23:30 ` NeilBrown
2013-06-04 1:13 ` Chuck Lever
2013-06-04 19:16 ` Chuck Lever
2013-06-05 1:26 ` NeilBrown
2013-06-05 15:37 ` Chuck Lever
2013-06-05 17:14 ` Chuck Lever
2013-06-05 23:53 ` NeilBrown
2013-06-05 23:43 ` NeilBrown
2013-06-12 6:12 ` NeilBrown
2013-06-12 16:01 ` Chuck Lever