On Fri, 2018-05-18 at 11:39 -0400, Chuck Lever wrote: > I've been experimenting with this series that modifies NFSD to > discover and use the correct GSS service principal when constructing > its NFSv4.0 callback channels. I'm interested in review of this > approach. There are a couple of code comments marked with XXX that > also need some attention. > > The rpc.gssd change mentioned in 1/4 is unremarkable and will be > made available once there is consensus about the kernel changes > in this series. No gssproxy changes are necessary. > > --- > > Chuck Lever (4): > sunrpc: Enable the kernel to specify the hostname part of service principals > sunrpc: Extract target name into svc_cred > nfsd: Use correct credential for NFSv4.0 callback with GSS > nfsd: Remove callback_cred > > > fs/nfsd/nfs4callback.c | 29 ++++---------- > fs/nfsd/nfs4state.c | 17 +++----- > fs/nfsd/state.h | 2 - > include/linux/sunrpc/svcauth.h | 3 + > net/sunrpc/auth_gss/auth_gss.c | 20 ++++++++-- > net/sunrpc/auth_gss/gss_rpc_upcall.c | 70 ++++++++++++++++++++++------------ > 6 files changed, 80 insertions(+), 61 deletions(-) > > -- > Chuck Lever Ack for the sunrpc gssp changes. The one thing I am unsure of is whether always using the source name as the callback target is going to work properly, and what happens when it is not. Machines mounting with NFSv4.0 but without machine credentials (ie: root kinits to admin@xxxxxxx and uses those creds to mount) will always fail to establish a callback because the NFS client's kernel does not have access to the user long term key. So even if the KDC would decide to allow you to get a ticket for a user principal, the client would not be able to complete context establishment. Maybe a fallback behavior where it tries to guess at a possible machine service name would be valuable for cases where a machine credential is actually available on the client host even though for whatever reason the mount was done using some user credential. Simo. -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
