[36043] in Kerberos


Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter

daemon@ATHENA.MIT.EDU (Will Fiveash)
Tue Apr 15 14:49:19 2014

Date: Tue, 15 Apr 2014 13:48:44 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Nico Williams <nico@cryptonector.com>
Message-ID: <20140415184844.GA25384@oracle.com>
Mail-Followup-To: Nico Williams <nico@cryptonector.com>,
	Wang Shouhua <shouhuaw@gmail.com>,
	"kerberos@mit.edu" <Kerberos@mit.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAK3OfOhfZrUt4Rq6z5=Z29CVsLA_H=9G67TD6+bm27nGuguVXQ@mail.gmail.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, Apr 15, 2014 at 11:36:34AM -0500, Nico Williams wrote:
> Will,
> 
> Mobile devices don't really have stable hostnames, so the system
> should support non-hostbased host/root credentials.

If you are referring to the NFS v4 client requiring root to have a krb cred
in order to function, as I described in an earlier e-mail, I would ask why
NFS v4 clients require root to have a krb cred in the first place (NFS
v3 doesn't, as you may recall).  As you can imagine, many IT departments
would balk (putting it mildly) if they were asked to provision keytabs
on laptops or other mobile devices that need access to krb protected NFS
v4 shares.

As to how that requirement happened, according to one of the NFSv4
developers here that regularly attends Connectathon, the consensus among
the NFS v4 implementors for various Linux platforms was that a properly
configured NFS v4 client meant it had a keytab containing host service
princ keys which could then be leveraged to protect the lease renewal
traffic.  My opinion is that unless there is a very good reason to
protect that traffic, krb protection for lease renewal traffic should be
optional, depending on configuration.

-- 
Will Fiveash
Oracle Solaris Software Engineer
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
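Added example, not from this thread and not from any NFS or Kerberos project: a small POSIX shell check for the condition Will describes as a "properly configured NFS v4 client", namely a client keytab holding host service principal keys that root can use for the lease-renewal traffic. It parses `klist -k` style output (MIT Kerberos format) and reports whether a `host/<fqdn>@REALM` entry exists. The embedded listing, the hostname laptop.example.com and the realm EXAMPLE.COM are constructed sample data; on a real client you would feed it the output of `klist -k` and `hostname -f` as shown in the comment at the end.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output (MIT Kerberos format); not taken
# from the thread. Hostname and realm are made-up placeholders.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/laptop.example.com@EXAMPLE.COM
   3 nfs/laptop.example.com@EXAMPLE.COM'

# has_service_key LISTING SERVICE HOST
# Prints every principal in LISTING of the form SERVICE/HOST@... and returns 0
# if at least one exists, 1 otherwise. The first three lines of the listing
# (keytab name, column header, separator) are skipped.
has_service_key() {
    listing=$1; service=$2; host=$3
    printf '%s\n' "$listing" | awk -v want="$service/$host@" '
        NR > 3 && index($2, want) == 1 { print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_nfs4_client_keytab LISTING HOST
# Reports whether the client has the host/ key that the NFSv4 implementors
# (per the thread) expect root to use for protecting lease renewal.
# Returns 0 when the key is present, 1 when it is missing.
check_nfs4_client_keytab() {
    listing=$1; host=$2
    if has_service_key "$listing" host "$host" >/dev/null; then
        echo "host/$host key present: root can protect NFSv4 lease renewal"
        return 0
    fi
    echo "no host/$host key in keytab: root has no Kerberos cred for lease renewal" >&2
    return 1
}

# Stand-alone demonstration on the constructed listing.
check_nfs4_client_keytab "$SAMPLE_KEYTAB_LISTING" laptop.example.com

# On a real client (run as root, since /etc/krb5.keytab is normally root-only):
#   check_nfs4_client_keytab "$(klist -k)" "$(hostname -f)"
```

The check only answers whether the key material exists; whether the mount actually uses it still depends on the `sec=krb5*` option on the NFSv4 mount, which this script does not inspect.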
