RE: [nfsv4] AUTH_GSS for Callbacks
"wurzl, mario" <wurzl_mario@emc.com> Wed, 29 October 2003 23:20 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA14408 for <nfsv4-archive@odin.ietf.org>; Wed, 29 Oct 2003 18:20:25 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AEzbi-0008PZ-Vk for nfsv4-archive@odin.ietf.org; Wed, 29 Oct 2003 18:20:07 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h9TNK647032288 for nfsv4-archive@odin.ietf.org; Wed, 29 Oct 2003 18:20:06 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AEzbh-0008Od-8W for nfsv4-web-archive@optimus.ietf.org; Wed, 29 Oct 2003 18:20:05 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA14367 for <nfsv4-web-archive@ietf.org>; Wed, 29 Oct 2003 18:19:52 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AEzbe-0006p0-00 for nfsv4-web-archive@ietf.org; Wed, 29 Oct 2003 18:20:02 -0500
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1AEzbd-0006ox-00 for nfsv4-web-archive@ietf.org; Wed, 29 Oct 2003 18:20:01 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AEzbf-0008Ne-BS; Wed, 29 Oct 2003 18:20:03 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AEzaz-0008Ki-FH for nfsv4@optimus.ietf.org; Wed, 29 Oct 2003 18:19:21 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA14271 for <nfsv4@ietf.org>; Wed, 29 Oct 2003 18:19:08 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AEzaw-0006nL-00 for nfsv4@ietf.org; Wed, 29 Oct 2003 18:19:18 -0500
Received: from mercury.lss.emc.com ([168.159.100.12] helo=mercury.eng.emc.com) by ietf-mx with esmtp (Exim 4.12) id 1AEzaw-0006mQ-00 for nfsv4@ietf.org; Wed, 29 Oct 2003 18:19:18 -0500
Received: by mercury.lss.emc.com with Internet Mail Service (5.5.2656.59) id <VNT9YR81>; Wed, 29 Oct 2003 18:18:48 -0500
Message-ID: <FA2F59D0E55B4B4892EA076FF8704F55055449BB@srgraham.eng.emc.com>
From: "wurzl, mario" <wurzl_mario@emc.com>
To: 'Mike Eisler' <mike@eisler.com>, nfsv4@ietf.org
Subject: RE: [nfsv4] AUTH_GSS for Callbacks
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2656.59)
Content-Type: text/plain
Sender: nfsv4-admin@ietf.org
Errors-To: nfsv4-admin@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
X-Original-Date: Wed, 29 Oct 2003 18:18:46 -0500
Date: Wed, 29 Oct 2003 18:18:46 -0500
> -----Original Message-----
> From: nfsv4-admin@ietf.org [mailto:nfsv4-admin@ietf.org] On Behalf Of Mike Eisler
> Sent: Wednesday, October 29, 2003 17:54
> To: nfsv4@ietf.org
> Subject: Re: [nfsv4] AUTH_GSS for Callbacks
>
> > -----Original Message-----
> > From: rick@snowhite.cis.uoguelph.ca [mailto:rick@snowhite.cis.uoguelph.ca]
> > Sent: Wednesday, October 29, 2003 2:16 PM
> > To: nfsv4@ietf.org
> > Subject: [nfsv4] AUTH_GSS for Callbacks
> >
> > It's me, confused again:-)
> >
> > I've read Sec. 3.4 a couple of times and can't figure out quite what the
> > server is supposed to do w.r.t. GSS authentication for Callbacks.
> > The first para. seems to state that the server should use the same
> > principal the client used when doing the SetClientid. Later, it seems
> > to state that the server should use the form:
>
> Here's an example of how it is intended to work with Kerberos V5 according
> to my interpretation (intent really, since I contributed that section) of 3.4.
>
> The client uses root/<fqdn of client host> as the initiator principal when
> it did SETCLIENTID. Note that RFC3530 doesn't mandate this form at all ...
> think of that lack of mandate as a concession to the camp of NFS client
> implementors that think machine creds are evil. I suspect this means that
> they'll be using AUTH_NONE for SETCLIENTID, but I digress. :-)
>
> The target principal for SETCLIENTID is mandated to be nfs@<fqdn of server host>.
>
> When the server does the call back, the target and initiator principals
> are simply reversed. The initiator principal is nfs@<fqdn of server host>,
> and the target principal is root/<fqdn of client host>.

This implies that a system administrator will have to generate keys for a
service 'root@client' and store it in the Kerberos keytab of all client
systems. I have a hard time imagining a system administrator doing this
process for a network with several thousand clients.

It may become even worse if the principal for SETCLIENTID could be any user.

> It can't be any other way ... otherwise the server can't be sure the client
> it is sending the callback to is the right client (the one that owns the
> client id), and similarly, the client can't be sure the server issuing the
> callback is the one that granted the delegation.
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www1.ietf.org/mailman/listinfo/nfsv4
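The principal pairing Mike describes, and the provisioning step Mario objects to, as an added example (not code from the thread or from any NFS implementation). It maps the GSS-API host-based names nfs@<server> and root@<client> to their Kerberos V5 principal form, shows the SETCLIENTID and callback directions as the same pair with roles swapped, and emits the MIT kadmin commands an administrator would have to run once per client so that the client holds a root/<client> key that can accept the callback. The realm EXAMPLE.COM, the host names and the keytab path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Realm, hosts and keytab paths
# below are assumptions for illustration.

REALM=EXAMPLE.COM   # assumed realm

# GSS-API host-based service name "svc@host" -> Kerberos V5 principal
# "svc/host@REALM". Mike writes nfs@<server> (GSS form) and root/<client>
# (krb5 form); both denote the same kind of service principal.
gss_to_krb5() {
    svc=${1%%@*}
    host=${1#*@}
    printf '%s/%s@%s\n' "$svc" "$host" "$REALM"
}

# SETCLIENTID (client -> server): prints "initiator target".
setclientid_principals() {
    client=$1; server=$2
    printf '%s %s\n' "$(gss_to_krb5 "root@$client")" "$(gss_to_krb5 "nfs@$server")"
}

# Callback (server -> client): the two principals simply swap roles.
callback_principals() {
    client=$1; server=$2
    printf '%s %s\n' "$(gss_to_krb5 "nfs@$server")" "$(gss_to_krb5 "root@$client")"
}

# The administrative burden Mario raises: for every client to *accept* a
# GSS callback, a root/<client> key must exist in the KDC and be installed
# in that client's keytab. Reads client FQDNs, one per line, from stdin and
# prints the kadmin commands (MIT syntax) without running them.
provision_cmds() {
    while IFS= read -r c; do
        [ -n "$c" ] || continue
        p=$(gss_to_krb5 "root@$c")
        printf 'kadmin -q "addprinc -randkey %s"\n' "$p"
        printf 'kadmin -q "ktadd -k /tmp/%s.keytab %s"  # copy to %s:/etc/krb5.keytab\n' "$c" "$p" "$c"
    done
}

# One keytab entry per client: with thousands of clients this is the number
# of per-host secrets that must be generated and distributed.
count_keytab_entries() {
    provision_cmds | grep -c '^kadmin -q "ktadd'
}

# Stand-alone usage with a constructed two-client fleet.
printf 'c1.example.com\nc2.example.com\n' | provision_cmds
```

The callback_principals output is exactly setclientid_principals with the two fields exchanged, which is the point of Mike's "simply reversed"; the server, when it accepts the callback context on the client side, should check that the initiator equals the nfs/<server> principal it recorded at SETCLIENTID, and the client likewise checks the target is its own root/<client>.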
- [nfsv4] AUTH_GSS for Callbacks rick
- Re: [nfsv4] AUTH_GSS for Callbacks Nicolas Williams
- Re: [nfsv4] AUTH_GSS for Callbacks J. Bruce Fields
- Re: [nfsv4] AUTH_GSS for Callbacks Mike Eisler
- Re: [nfsv4] AUTH_GSS for Callbacks Nicolas Williams
- RE: [nfsv4] AUTH_GSS for Callbacks wurzl, mario
- Re: [nfsv4] AUTH_GSS for Callbacks Nicolas Williams
- Re: [nfsv4] AUTH_GSS for Callbacks J. Bruce Fields
- Re: [nfsv4] AUTH_GSS for Callbacks Mike Eisler
- Re: [nfsv4] AUTH_GSS for Callbacks Kevin Coffman
- RE: [nfsv4] AUTH_GSS for Callbacks wurzl, mario
- Re: [nfsv4] AUTH_GSS for Callbacks Mike Eisler
- Re: [nfsv4] AUTH_GSS for Callbacks Nicolas Williams