Re: [nfsv4] Path forward for flex-files

Benjamin Kaduk <kaduk@mit.edu> Mon, 07 August 2017 23:11 UTC

Date: Mon, 07 Aug 2017 18:11:49 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: Olga Kornievskaia <aglo@citi.umich.edu>, "nfsv4@ietf.org" <nfsv4@ietf.org>, Thomas Haynes <loghyr@primarydata.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/M_sD6JE4ywAOyNwtzDCTCB7tcdA>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>

On Mon, Aug 07, 2017 at 07:19:10PM +0000, Rick Macklem wrote:
> Olga Kornievskaia wrote:
> 
> > dot-x defs: https://www.rfc-editor.org/rfc/rfc7531.txt
> >
> >   typedef utf8str_mixed   fattr4_owner;
> >   typedef utf8str_mixed   fattr4_owner_group;
> Oh well. I've never looked at that RFC.
> The draft could just be changed to define the ffds_user and ffds_group as opaque<>
> instead of utf8str_mixed? (I don't think this would affect extant implementations,
> which will just assume a utf string is in there and can't handle/support Kerberos.)
> [stuff snipped]
> > That's the problem you need something in the structure to pass back
> > the ticket (TGT is not necessary. service ticket would do). Besides
> > the ticket you need to send the other pieces.
> Well, maybe a service ticket would work, but it would require a lot more "hacking"
> on the RPCSEC_GSS code, I think?
> - During initialization, the RPCSEC_GSS layer normally calls
>   gss_init_sec_context(). In the vanilla Heimdal libraries, this works if there
>   are valid credentials in the credential cache and those come from the TGT.
>   (I'll admit my Kerberos is rusty. If you can easily get gss_init_sec_context() to work
>    with a service ticket, then I believe you. Also, I've never worked with the MIT libraries.)

No hacking needed; it works out of the box.

kaduk@prolepsis:~$ kinit -l5m -r5m -S host/rosebud2.mit.edu kaduk/root
Password for kaduk/root@ATHENA.MIT.EDU: 
SAM Authentication
Challenge from authentication server
Duo login: Passcode/option or press return for options: 
kaduk@prolepsis:~$ ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=no root@rosebud2.mit.edu
Linux rosebud2 3.2.0-4-amd64 #1 SMP Debian 3.2.81-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug  6 08:57:20 2017 from vpn-18-101-71-85.mit.edu
root@rosebud2:~# 


-Ben
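
A check that could be run between the kinit and ssh steps shown above, added here as an example and not part of the original message: it classifies the entries in MIT-style `klist` output and succeeds only when the cache holds service tickets and no `krbtgt/` entry. The function names, the sample cache path and the sample timestamps are constructed; it assumes the default klist layout, with the service principal as the last field of each entry line.

```shell
#!/bin/sh
# Added example. Reads MIT-style `klist` output on stdin and prints one line
# per ticket: "tgt <principal>" or "service <principal>".
classify_tickets() {
    awk '
        /^Valid starting/ { in_list = 1; next }    # header row precedes entries
        !in_list || NF == 0 { next }
        { c = substr($0, 1, 1) }
        c == " " || c == "\t" { next }             # "renew until" / "Flags:" lines
        {
            kind = ($NF ~ /^krbtgt\//) ? "tgt" : "service"
            print kind, $NF                        # principal is the last field
        }
    '
}

# Succeeds only if the cache lists at least one ticket and none is a TGT.
service_only_cache() {
    tickets=$(classify_tickets)
    [ -n "$tickets" ] || return 1                  # empty cache: nothing usable
    if printf '%s\n' "$tickets" | grep -q '^tgt '; then
        return 1                                   # a krbtgt/ entry is present
    fi
    return 0
}

# Constructed sample: what `kinit -S host/rosebud2.mit.edu` would leave behind.
sample_service_only() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_example
Default principal: kaduk/root@ATHENA.MIT.EDU

Valid starting       Expires              Service principal
08/07/2017 18:11:49  08/07/2017 18:16:49  host/rosebud2.mit.edu@ATHENA.MIT.EDU
        renew until 08/07/2017 18:16:49
EOF
}

# Constructed sample: the same cache with a TGT added.
sample_with_tgt() {
    sample_service_only
    echo "08/07/2017 18:11:49  08/07/2017 18:16:49  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU"
}

if sample_service_only | service_only_cache; then echo "service-only cache"; fi
if ! sample_with_tgt | service_only_cache; then echo "cache contains a TGT"; fi
```

Against a live cache the call is `klist | service_only_cache`.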