gss callbacks
J. Bruce Fields
bfields at fieldses.org
Tue Jan 15 16:55:45 EST 2008
Could you apply these two patches?
I was originally hoping to submit them through my tree with an ACK from
you, but now there's conflicts with your tree, so it only makes sense to
submit them on top of all your stuff....
There's also a last server-specific patch which I'll have to send in on
its own after these.
New versions rebased against your latest git tree follow.
--b.
On Thu, Oct 04, 2007 at 05:45:11PM -0400, J. Bruce Fields wrote:
> The following two patches get gss callbacks working on the client side.
>
> It's really pretty simple: we just modify the server-side cred-creation
> downcall to optionally include the principal name, then compare that to
> the principal name we expect for the given server (as constructed from
> the server name passed down on the mount call).
>
> Modifications to userland code are also required--svcgssd has to pass
> down the principal on cred creation, and mount has to make a better
> attempt to get the full name of the server. Kevin has patches for the
> former. (We haven't looked at the latter yet.)
>
> The point of all this is to get delegations working over krb5. With
> these patches that's possible if you mount as root and have a keytab set
> up on your client.
>
> Some further work would make this more useful in practice:
>
> - the protocol only supports authentication of rpc calls to
> server principals, not to regular user principals. So none of
> this is useful for clients that don't have keytabs set up.
> There's ways we could make that easier (perhaps even
> automatic). That's future work, and out of scope for the
> current project. But that will also be entirely userspace
> work.
>
> - The current client code uses whatever credentials it finds
> available to do setclientid's with. To take full advantage of
> delegations it should really prefer a server principal
> whenever there's one available. I haven't thought about how
> to do that.
>
> There's also a third patch that turns on gss callbacks on the
> server-side.
>
> I'd be OK either submitting this now or for a future kernel, but either
> way I think we may want to submit it through my tree (with an ACK from
> you), because it has both client- and server-side pieces and is more
> likely to conflict with ongoing work on the server side. (Currently,
> for example, these two patches don't apply to your tree; see
>
> git://linux-nfs.org/~bfields/linux.git gss-callback
>
> for a tree including everything.)
>
> --b.
> _______________________________________________
> NFSv4 mailing list
> NFSv4 at linux-nfs.org
> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
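The principal check described in the quoted post, as an added illustration (not kernel or nfs-utils code): the server's cred-creation downcall optionally carries the principal it authenticated as, and the client trusts a callback only when that name equals the service principal expected for the mounted server. The `key=value` downcall record format, the `nfs/<host>@<REALM>` naming and the hostname canonicalisation table are constructed assumptions for the example.

```python
# Constructed stand-in for DNS canonicalisation so the example runs offline;
# this models the "full name of the server" step mount has to get right.
CANONICAL_HOSTS = {
    "fileserver": "fileserver.example.com",
    "fileserver.example.com": "fileserver.example.com",
}


def canonical_hostname(server_name: str) -> str:
    """Expand the name given on the mount command line to its full name."""
    return CANONICAL_HOSTS.get(server_name.lower(), server_name.lower())


def expected_principal(server_name: str, realm: str) -> str:
    """Service principal the client expects the server to authenticate as.
    (Assumed nfs/<fqdn>@<REALM> form; the realm is taken as a parameter.)"""
    return f"nfs/{canonical_hostname(server_name)}@{realm}"


def parse_downcall(record: str) -> dict:
    """Parse a constructed 'key=value ...' cred-creation downcall record.
    The principal field is optional, mirroring the post."""
    return dict(item.split("=", 1) for item in record.split())


def callback_allowed(record: str, mount_server: str, realm: str) -> bool:
    """Accept the callback credential only if the downcall carried a principal
    and it matches the expected server principal exactly.

    A record without a principal (an old-style downcall) is rejected, and a
    short hostname that cannot be canonicalised produces a mismatch, which is
    why mount must supply the server's full name."""
    principal = parse_downcall(record).get("principal")
    if principal is None:
        return False
    return principal == expected_principal(mount_server, realm)
```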