NFSv4 details and documentations

Rick Macklem rmacklem at uoguelph.ca
Tue Dec 1 13:19:31 UTC 2015


Slawa Olhovchenkov wrote:
> On Mon, Nov 30, 2015 at 06:15:48PM -0500, Rick Macklem wrote:
> 
> > In GSS, the host based principal is <some-string>@<host>.<domain>. This
> > translates to:  <some-string>/<host>.<domain>@<KERBEROS-REALM> in the KDC.
> 
> 
> 
> > For example:
> >   nfs-client.my.home - DNS name of the client machine
> >   MYREALM - Realm for Kerberos KDC
> >   - I want to have root work as "root".
> > --> I go to the KDC and create a principal name:
> >    root/nfs-client.my.home at MYREALM
> >    --> Then I create a keytab entry for this principal and transfer it to
> >        /etc/krb5.keytab on the client machine (nfs-client.my.home).
> >    --> Then I mount with: -o nfsv4,gssname=root
> >        and non-root users will have to kinit to access the server as
> >        themselves.
> 
> Is there a difference between gssname=host
> (host/nfs-client.my.home at MYREALM and already exist) and gssname=root
> (and create and expoprt additional root/nfs-client.my.home at MYREALM)?
Oops, I was wrong. It shouldn't matter what the name before "@" is in the
client's keytab entry.
On old code I did for this (OpenBSD way back when), I had an option on the
gssd that would look up the name in the passwd database and create credentials
for that user.

>From "man gssd" and a look at the code, that was never done for FreeBSD.

Sorry for misleading you, rick
ps: If I had done it and you used the option, then "root at ..." would have become
    "root" on the server, etc.

> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
> 


More information about the freebsd-hackers mailing list