svcgssd
J. Bruce Fields
bfields at fieldses.org
Mon Jul 3 13:36:26 EDT 2006
On Mon, Jul 03, 2006 at 01:23:47PM -0400, bfields wrote:
> When using NFSv4 over rpcsec_gss, NFSv4 names are the *only* names that go
> over the wire.

So, maybe this answers your question: when the server gets an rpc, that rpc
comes with a credential in the rpc header that includes a 32-bit "context id"
with a cryptographic signature. That context id is all the server gets. It
maps the context id back to the gss name it found when the context was
established, and uses that to decide who the user is--there's no name or uid on
the wire.

(That's as long as you're using rpcsec_gss. If you're using traditional
auth_sys authentication, then the server does just get uid's and gid's in the
rpc header.)

--b.
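
The difference described in the message above, as an added example that is not part of the original post and is not svcgssd or kernel code: a parser for the credential in an RPC call header (layouts from RFC 5531 and RFC 2203) that returns the uid/gids for auth_sys and, for rpcsec_gss, looks the context handle up in a server-side table. Assumptions: the names `who_is_calling`, `CONTEXTS` and the sample messages are constructed for illustration, the sample handle is a constructed 4-byte value, and verification of the signature in the verifier field is omitted.

```python
import struct

AUTH_SYS, RPCSEC_GSS = 1, 6  # auth flavor numbers (RFC 5531, RFC 2203)

class XDR:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def u32(self):
        if self.pos + 4 > len(self.buf):
            raise ValueError("truncated")
        (v,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return v
    def opaque(self, maxlen):
        n = self.u32()
        if n > maxlen or self.pos + n > len(self.buf):
            raise ValueError("bad opaque length")
        data = self.buf[self.pos:self.pos + n]
        self.pos += (n + 3) & ~3  # XDR pads opaques to 4 bytes
        return data

def who_is_calling(call, contexts):
    """Identity the server derives from the credential in an RPC call header."""
    x = XDR(call)
    _xid, mtype, rpcvers, _prog, _vers, _proc = (x.u32() for _ in range(6))
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 call")
    flavor, cred = x.u32(), XDR(x.opaque(400))
    if flavor == AUTH_SYS:  # stamp, machine name, uid, gid, gids<16>
        _stamp, _machine = cred.u32(), cred.opaque(255)
        uid, gid, n = cred.u32(), cred.u32(), cred.u32()
        return {"uid": uid, "gid": gid, "gids": [cred.u32() for _ in range(n)]}
    if flavor == RPCSEC_GSS:  # version, gss_proc, seq_num, service, handle
        _ver, _gss_proc, _seq, _svc = (cred.u32() for _ in range(4))
        handle = cred.opaque(400)
        if handle not in contexts:  # the handle is only a lookup key
            raise PermissionError("no such context")
        return {"gss_name": contexts[handle]}
    raise ValueError("unhandled auth flavor")

def op(b):  # XDR-encode an opaque; used to build the constructed samples
    return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)

HDR = struct.pack(">6I", 0x1234, 0, 2, 100003, 4, 1)  # constructed call header
SYS_CALL = HDR + struct.pack(">I", AUTH_SYS) + op(
    struct.pack(">I", 0) + op(b"client1") + struct.pack(">4I", 1000, 100, 1, 10))
GSS_CALL = HDR + struct.pack(">I", RPCSEC_GSS) + op(
    struct.pack(">4I", 1, 0, 7, 1) + op(b"\x00\x00\x00\x2a"))
CONTEXTS = {b"\x00\x00\x00\x2a": "alice@EXAMPLE.COM"}  # filled at context setup
```

With auth_sys the returned identity is whatever the client wrote into the header; with rpcsec_gss the header carries no name at all, so a handle the server never issued resolves to nothing.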