NFSv4 details and documentations
Rick Macklem
rmacklem at uoguelph.ca
Tue Dec 1 13:19:31 UTC 2015
Slawa Olhovchenkov wrote:
> On Mon, Nov 30, 2015 at 06:15:48PM -0500, Rick Macklem wrote:
>
> > In GSS, the host based principal is <some-string>@<host>.<domain>. This
> > translates to: <some-string>/<host>.<domain>@<KERBEROS-REALM> in the KDC.
>
>
>
> > For example:
> > nfs-client.my.home - DNS name of the client machine
> > MYREALM - Realm for Kerberos KDC
> > - I want to have root work as "root".
> > --> I go to the KDC and create a principal name:
> > root/nfs-client.my.home@MYREALM
> > --> Then I create a keytab entry for this principal and transfer it to
> > /etc/krb5.keytab on the client machine (nfs-client.my.home).
> > --> Then I mount with: -o nfsv4,gssname=root
> > and non-root users will have to kinit to access the server as
> > themselves.
>
> Is there a difference between gssname=host
> (host/nfs-client.my.home@MYREALM and already exists) and gssname=root
> (and create and export additional root/nfs-client.my.home@MYREALM)?
Oops, I was wrong. It shouldn't matter what the name before "@" is in the
client's keytab entry.
On old code I did for this (OpenBSD way back when), I had an option on the
gssd that would look up the name in the passwd database and create credentials
for that user.
From "man gssd" and a look at the code, that was never done for FreeBSD.
Sorry for misleading you, rick
ps: If I had done it and you used the option, then "root@..." would have become
"root" on the server, etc.