Linux-NFS Archive mirror
* sec=krb5 feature or bug??
@ 2023-04-02 23:14 Rick Macklem
  2023-04-03 16:57 ` Olga Kornievskaia
  0 siblings, 1 reply; 2+ messages in thread
From: Rick Macklem @ 2023-04-02 23:14 UTC
  To: Linux NFS Mailing List

Hi,

I've been testing a Linux 5.15 NFSv4.2 client against a
FreeBSD server to test recently added SP4_MACH_CRED
support in the FreeBSD server.

I noticed the following oddity, which I thought I'd report
in case it is considered a bug and not a feature.
I do a mount like:
# mount -t nfs -o nfsvers=4,sec=krb5 nfsv4-server:/ /mnt
#
- When looking at the packet capture during the mount,
  the ExchangeID, CreateSession and ReclaimComplete
  are done with integrity (ie. krb5i) and ExchangeID uses
  SP4_MACH_CRED.
- Then, subsequent RPCs do not use integrity, as I would
  have assumed, given the "sec=krb5" argument.
However, some subsequent RPCs in the must_allow ops
list for SP4_MACH_CRED choose to use the "machine
principal" and do krb5i.

It just seems weird that it mixes krb5 and krb5i. I had
not expected it to use SP4_MACH_CRED when
"sec=krb5" was specified.

However, it seems to work fine this way, so I can see
the argument that this is a "feature" and not a bug.

Just fyi, rick


* Re: sec=krb5 feature or bug??
  2023-04-02 23:14 sec=krb5 feature or bug?? Rick Macklem
@ 2023-04-03 16:57 ` Olga Kornievskaia
  0 siblings, 0 replies; 2+ messages in thread
From: Olga Kornievskaia @ 2023-04-03 16:57 UTC
  To: Rick Macklem; +Cc: Linux NFS Mailing List

Hi Rick,

That's by design (rather that's what spec says? It may be RFC 8881
2.4.3 and probably somewhere else that ops that are done with machine
creds must use the same GSS flavor?). All state operations are done
with sec=krb5i (if Kerberos is configured on the machine) and then
other operations are done with whatever flavor was specified on the
mount command.


On Sun, Apr 2, 2023 at 7:24 PM Rick Macklem <rick.macklem@gmail.com> wrote:
>
> Hi,
>
> I've been testing a Linux 5.15 NFSv4.2 client against a
> FreeBSD server to test recently added SP4_MACH_CRED
> support in the FreeBSD server.
>
> I noticed the following oddity, which I thought I'd report
> in case it is considered a bug and not a feature.
> I do a mount like:
> # mount -t nfs -o nfsvers=4,sec=krb5 nfsv4-server:/ /mnt
> #
> - When looking at the packet capture during the mount,
>   the ExchangeID, CreateSession and ReclaimComplete
>   are done with integrity (ie. krb5i) and ExchangeID uses
>   SP4_MACH_CRED.
> - Then, subsequent RPCs do not use integrity, as I would
>   have assumed, given the "sec=krb5" argument.
> However, some subsequent RPCs in the must_allow ops
> list for SP4_MACH_CRED choose to use the "machine
> principal" and do krb5i.
>
> It just seems weird that it mixes krb5 and krb5i. I had
> not expected it to use SP4_MACH_CRED when
> "sec=krb5" was specified.
>
> However, it seems to work fine this way, so I can see
> the argument that this is a "feature" and not a bug.
>
> Just fyi, rick
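
Added example, not part of either message: a short Python parser that reads the RPCSEC_GSS credential (RFC 2203) at the front of each RPC call, to tell krb5 from krb5i traffic in a capture like the one described in this thread. It assumes the call payloads are already extracted with the TCP record mark stripped and that the GSS mechanism is Kerberos 5; gss_service, summarize, make_call and the sample calls are constructed for illustration.

```python
import struct
from collections import Counter

RPCSEC_GSS = 6                                   # ONC RPC auth flavor number (RFC 2203)
SEC_NAME = {1: "krb5", 2: "krb5i", 3: "krb5p"}   # rpc_gss_service_t, assuming the Kerberos 5 mechanism

def gss_service(call: bytes):
    """Classify one RPC call (record mark already stripped) by its RPCSEC_GSS service."""
    if len(call) < 32:
        raise ValueError("truncated RPC call header")
    xid, mtype, rpcvers, prog, vers, proc, flavor, credlen = struct.unpack_from(">8I", call)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an ONC RPC version 2 call")
    if flavor != RPCSEC_GSS:
        return "non-gss"                         # AUTH_NONE, AUTH_SYS, ...
    if credlen < 16 or len(call) < 32 + credlen:
        raise ValueError("truncated RPCSEC_GSS credential")
    gss_vers, gss_proc, seq_num, service = struct.unpack_from(">4I", call, 32)
    if gss_proc != 0:                            # context setup/teardown, not RPCSEC_GSS_DATA
        return "gss-control"
    return SEC_NAME.get(service, f"unknown({service})")

def summarize(calls):
    """Count calls per protection level so a krb5/krb5i mix is visible at a glance."""
    return Counter(gss_service(c) for c in calls)

def make_call(service, gss_proc=0, flavor=RPCSEC_GSS):
    """Build a constructed NFSv4 COMPOUND call header (program 100003, version 4, procedure 1)."""
    cred = struct.pack(">5I", 1, gss_proc, 7, service, 4) + b"HNDL"
    return struct.pack(">8I", 0x1234, 0, 2, 100003, 4, 1, flavor, len(cred)) + cred

# Constructed capture shaped like the thread: krb5i state setup, then krb5 data calls.
SAMPLE = [make_call(0, gss_proc=1)] + [make_call(2)] * 3 + [make_call(1)] * 5

if __name__ == "__main__":
    for name, count in sorted(summarize(SAMPLE).items()):
        print(f"{name:12} {count}")
```

On a sec=krb5 mount, a nonzero krb5i count alongside krb5 matches the behaviour discussed above rather than indicating a misconfiguration.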
