Host based authentication
Kevin Coffman
kwc at citi.umich.edu
Wed Apr 18 16:23:23 EDT 2007
On 4/18/07, Ian Grant <Ian.Grant at cl.cam.ac.uk> wrote:
> On Wed, 2007-04-18 at 09:56 -0400, Kevin Coffman wrote:
> > On 4/18/07, Ian Grant <Ian.Grant at cl.cam.ac.uk> wrote:
> > > I just want to confirm that I understand correctly: there is no
> > > host-based authentication possible using the NFSV4 machine credentials.
> > > That would contradict the security model of user-based authentication.
> >
> > Since you mentioned machine credentials, I'm assuming we are talking
> > about Kerberos mounts.
> >
> > If you have name/ID mapping like our ldap scheme, then the machine
> > credential can be mapped to a given user. Is that what you are
> > getting at? If not, can you explain?
>
> Yes, I mean kerberos mounts, and no, I don't mean mapping the machine
> credentials to one particular user. Rather that the server somehow lets
> the host with machine credentials access files in the way auth-sys
> would. I knew I would look stupid, but I just had to ask. Sorry :-)
Not stupid. I'm just trying to understand what you're looking for.
With auth-sys, access as root (UID 0) on the client is given root
access on the server. (Unless root_squashing is enabled, then it is
given access as nobody).
With Kerberos, access as root (UID 0) on the client uses the machine
credentials. The principal name in those machine credentials
(GSSAuthName in our LDAP schema) can be mapped to any local UID on the
server. If there is no mapping, then it is given access as nobody.
When using basic nss mapping, there is probably never a mapping for
something like "nfs/bogus.host.name at HOST.NAME", so it will get access
as nobody.
I'm probably stupid, but I think we are talking about the same thing,
unless I'm missing something in the auth_sys case?
K.C.
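To make the contrast concrete, here is a small model (added to this archived thread, not nfs-utils or rpc.idmapd code) of how a server resolves a caller's UID in the two cases Kevin describes; the passwd table, the GSSAuthName override map, the realm and the host names are constructed for illustration.

```python
from typing import Optional

# Simplified model of NFSv4 server-side identity resolution, written for this
# reply. It is NOT nfs-utils / rpc.idmapd source; all tables are constructed.
NOBODY_UID = 65534  # assumption: the UID of "nobody" on this server
LOCAL_REALM = "HOST.NAME"  # assumption: the server's Kerberos realm

# Constructed passwd-style table: local user name -> UID
PASSWD = {"root": 0, "alice": 1000, "nobody": NOBODY_UID}

# Constructed LDAP-style override (the GSSAuthName idea): principal -> local user
GSSAUTHNAME_MAP = {"nfs/trusted.host.name@HOST.NAME": "alice"}


def auth_sys_uid(client_uid: int, root_squash: bool) -> int:
    """AUTH_SYS: the server trusts the UID the client asserts, except that
    UID 0 is turned into nobody when root_squash is enabled."""
    if client_uid == 0 and root_squash:
        return NOBODY_UID
    return client_uid


def nss_principal_to_uid(principal: str) -> Optional[int]:
    """Basic nss-style mapping: 'name@REALM' maps to the local account 'name'
    only when REALM is the local realm. A service principal such as
    'nfs/host@REALM' has no passwd entry, so it maps nowhere."""
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    if realm != LOCAL_REALM:
        return None
    return PASSWD.get(name)


def krb5_uid(principal: str) -> int:
    """Kerberos: root on the client presents the machine credential, so the
    server sees a principal, not a UID. An explicit mapping (GSSAuthName)
    wins, then nss mapping; anything unmapped is treated as nobody."""
    override = GSSAUTHNAME_MAP.get(principal)
    if override is not None:
        return PASSWD.get(override, NOBODY_UID)
    uid = nss_principal_to_uid(principal)
    return NOBODY_UID if uid is None else uid
```

Under this model, root on a client with only a machine credential gets nobody unless an administrator has explicitly mapped that host principal, which is the asymmetry with auth_sys that the thread is discussing.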