Re: NFSv4 backchannel authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Aug 06, 2012 at 03:55:17PM +0200, Lukas Hejtmanek wrote:
> it seems that RHEL NFSv4 servers use GSS authentication for backchannels as
> well (if mount it with GSS). That would be OK, but it requires that server is
> running rpc.gssd and the client is running rpc.svcgssd, which is not usual.

The init scripts probably need to be fixed to start both in both cases.
Worth filing a bug, I think.

> Is there a way how to mount clients with sec=krb5/i/p and use backchannels just
> with UNIX auth?

Not with NFSv4; from http://www.ietf.org/rfc/rfc3530.txt section 3.4:

	"Except as noted elsewhere in this section, the callback RPC
	(described later) MUST mutually authenticate the NFS server to
	the principal that acquired the clientid (also described later),
	using the security flavor the original SETCLIENTID operation
	used."

(Actually, perhaps there's a loophole that would allow SETCLIENTID to be
done with auth_sys while file access is still done with gss.  I don't
think so, but I forget the details.  In practice the clients do all use
gss.)

4.1 does allow the client to request a different security flavor on the
backchannel, and the linux client does use auth_sys on the backchannel
even when using gss on the forechannel.

--b.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux