NFSv4 details and documentations

Slawa Olhovchenkov slw at zxy.spb.ru
Tue Dec 1 13:40:20 UTC 2015


On Tue, Dec 01, 2015 at 08:19:27AM -0500, Rick Macklem wrote:

> Slawa Olhovchenkov wrote:
> > On Mon, Nov 30, 2015 at 06:15:48PM -0500, Rick Macklem wrote:
> > 
> > > In GSS, the host based principal is <some-string>@<host>.<domain>. This
> > > translates to:  <some-string>/<host>.<domain>@<KERBEROS-REALM> in the KDC.
> > 
> > 
> > 
> > > For example:
> > >   nfs-client.my.home - DNS name of the client machine
> > >   MYREALM - Realm for Kerberos KDC
> > >   - I want to have root work as "root".
> > > --> I go to the KDC and create a principal name:
> > >    root/nfs-client.my.home@MYREALM
> > >    --> Then I create a keytab entry for this principal and transfer it to
> > >        /etc/krb5.keytab on the client machine (nfs-client.my.home).
> > >    --> Then I mount with: -o nfsv4,gssname=root
> > >        and non-root users will have to kinit to access the server as
> > >        themselves.
> > 
> > Is there a difference between gssname=host
> > (host/nfs-client.my.home@MYREALM and already exist) and gssname=root
> > (and create and export additional root/nfs-client.my.home@MYREALM)?
> Oops, I was wrong. It shouldn't matter what the name before "@" is in the
> client's keytab entry.
> On old code I did for this (OpenBSD way back when), I had an option on the
> gssd that would look up the name in the passwd database and create credentials
> for that user.
> 
> From "man gssd" and a look at the code, that was never done for FreeBSD.
> 
> Sorry for misleading you, rick
> ps: If I had done it and you used the option, then "root@..." would have become
>     "root" on the server, etc.
> 

Do you plan to use (in this case) the principal root@`hostname`@MYREALM
in gssd? Or `gssname_from_mount`@`hostname`@MYREALM for root access?
The last case is preferred for me: I create host/`hostname` in any case
(for ssh access), and it is unnecessary to create an additional
root/`hostname`.
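As an added example that is not part of this thread or of FreeBSD's own code, the steps Rick lists (create the principal on the KDC, put its key in the client's /etc/krb5.keytab, mount with gssname=) written as shell functions, with a pre-mount check that the keytab actually holds the principal the gssname will map to. It assumes the Heimdal kadmin/ktutil shipped in the FreeBSD base system and FreeBSD's mount_nfs options (nfsv4, sec=krb5, gssname=); the host names, realm, export path and the keytab listing used by the check are constructed placeholders, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Host names, realm and export path are
# constructed placeholders; the functions below are only defined, not run.

# A GSS host-based name <svc>@<host>.<domain> is stored in the KDC as
# <svc>/<host>.<domain>@<REALM>.  Build that principal string.
gss_principal() {
    # $1 = service string (e.g. root or host), $2 = client FQDN, $3 = realm
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Does a keytab listing contain the given principal?  The listing is passed
# as text (output of "ktutil -k <keytab> list" or "klist -k"), where the
# principal is the last column of each entry line, so the check can be run
# against constructed text without touching a real keytab.
keytab_has_principal() {
    # $1 = principal, $2 = keytab listing text
    printf '%s\n' "$2" | awk -v p="$1" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Step 1, run on the KDC (Heimdal): create the principal with a random key
# and extract that key into a keytab file to be copied to the client.
create_gss_principal() {
    # $1 = service string, $2 = client FQDN, $3 = realm, $4 = keytab file to write
    princ_new=$(gss_principal "$1" "$2" "$3")
    kadmin -l add --random-key --use-defaults "$princ_new" || return 1
    kadmin -l ext_keytab --keytab="$4" "$princ_new"
}

# Step 2, run on the client as root: refuse to mount unless /etc/krb5.keytab
# holds the principal that gssname=<svc> will be looked up as, then mount.
verify_and_mount() {
    # $1 = service string used as gssname, $2 = client FQDN, $3 = realm,
    # $4 = server:/export, $5 = mount point
    princ_want=$(gss_principal "$1" "$2" "$3")
    listing=$(ktutil -k /etc/krb5.keytab list) || return 1
    if ! keytab_has_principal "$princ_want" "$listing"; then
        echo "no keytab entry for $princ_want in /etc/krb5.keytab" >&2
        return 1
    fi
    mount -t nfs -o nfsv4,sec=krb5,gssname="$1" "$4" "$5"
}

# Usage (constructed names):
#   on the KDC:    create_gss_principal root nfs-client.my.home MYREALM /tmp/nfs-client.keytab
#   on the client: verify_and_mount root nfs-client.my.home MYREALM nfs-server.my.home:/export /mnt
# Non-root users still need their own kinit to reach the server as themselves.
```

The check in verify_and_mount is what a practitioner wants before relying on a gssname= mount: if the keytab only holds host/nfs-client.my.home@MYREALM and the mount asks for gssname=root, root's GSS context cannot be established and the failure is easier to diagnose here than from a hanging mount. Passing the listing as text keeps the check independent of the Heimdal and MIT output headers, since both put the principal in the last column of each entry line.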



More information about the freebsd-hackers mailing list