Re: [nfsv4] Path forward for flex-files
Rick Macklem <rmacklem@uoguelph.ca> Tue, 08 August 2017 13:04 UTC
Return-Path: <rmacklem@uoguelph.ca>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64210132324 for <nfsv4@ietfa.amsl.com>; Tue, 8 Aug 2017 06:04:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4uRWPSp3Rxmy for <nfsv4@ietfa.amsl.com>; Tue, 8 Aug 2017 06:04:30 -0700 (PDT)
Received: from CAN01-TO1-obe.outbound.protection.outlook.com (mail-eopbgr670054.outbound.protection.outlook.com [40.107.67.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74FAE13232B for <nfsv4@ietf.org>; Tue, 8 Aug 2017 06:04:30 -0700 (PDT)
Received: from YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM (10.165.218.133) by YTXPR01MB0191.CANPRD01.PROD.OUTLOOK.COM (10.165.218.135) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1320.16; Tue, 8 Aug 2017 13:04:28 +0000
Received: from YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM ([10.165.218.133]) by YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM ([10.165.218.133]) with mapi id 15.01.1320.018; Tue, 8 Aug 2017 13:04:28 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>, Thomas Haynes <loghyr@primarydata.com>
Thread-Topic: [nfsv4] Path forward for flex-files
Thread-Index: AQHTD9CmyDK3wnPfo0qo8KfOQeaI76J5imGAgAALT0iAAARyAIAA0gBE
Date: Tue, 08 Aug 2017 13:04:28 +0000
Message-ID: <YTXPR01MB018964B02D2334204302FC4ADD8A0@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
References: <YTXPR01MB01898B5A88D647118989E5CEDDB50@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM> <20170807232925.GK70977@kduck.kaduk.org> <YTXPR01MB018927D36EFE43FBC06A136ADD8A0@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>, <20170808002548.GO70977@kduck.kaduk.org>
In-Reply-To: <20170808002548.GO70977@kduck.kaduk.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rmacklem@uoguelph.ca;
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; YTXPR01MB0191; 6:Rv+XO85idvIrpk9HliVc2Og7lIhYFx7r1vqPEhRKpkugk/ztn+pe1IPF15osGbklPlKHFQwNsufoxvm5uAJC7+iLUcp+fM/ZCrJaSGDfzUiNm5UUDGjxBevdVQ5QFaP1hLX2SsUaZn3VNZbvTd70Yips8ztR42Qqj25FCFmI597PoeYXq1cIiZR2ZbIzG10xlM4uyhwr+vO/oqw6/rD0hcqM55CoSYWhckE1khLwW3LbnVRCwAr/VgWber81AHNfoPakDUM/YAgAPBM2YeR+UKxgZQRl+9NlfuC8bppO+IaF1w9L68zRZt+qCkIeB003Z0WXRrXPEEvUGsy7+4Rdew==; 5:nFfvWt3XukO03lm7uuQWyqu4NiZLC1zzPH2eL5apmqsf42BVYzokHeD9WRjq1eKcLlnr0bL5hnN/LsTCX9jiOgvN5YwaE1Kr25n3nB7Gjl9kPAq1GvasQ3sZlbIBZQ0l8r4+jQLiENJRAMylL5E1Pg==; 24:7Hxfo6GemRF0TYE7NPGu1NlPUoB4jPvKaETnrxdnVbqX7CvEgJ8gcxSwO8NgxCGf8t1xMYWInzk2khTXzniJjVHCpP+snNPa0Jxj7Gxsz7c=; 7:pgzhnEYXQqBpNB8obGyHZTbbaulOsdMVYHRP4JwBtO4jgbwm395HkSvNG89UMibp18HHCyQBeryb79J4l18UZJkb56vi3VdFAV9h+I7e6EfQOpoxngBgc0aWGZxdbF2Gwy44sA3tA0SICr2DpWV56IMgfecUQXbhpxfID6d4xJCLf2xPi3XTyy7kKubTyypBBtk5od6D8mN7KGdKpGMyq/dDAinXIAfhWVM70iIYohw=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 16ac123e-835a-4137-39cf-08d4de5e0095
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:YTXPR01MB0191;
x-ms-traffictypediagnostic: YTXPR01MB0191:
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705);
x-microsoft-antispam-prvs: <YTXPR01MB01915DB8CDC851DDBD6A9983DD8A0@YTXPR01MB0191.CANPRD01.PROD.OUTLOOK.COM>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(3002001)(93006095)(93001095)(10201501046)(100000703101)(100105400095)(6041248)(20161123564025)(20161123558100)(20161123555025)(201703131423075)(201702281529075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:YTXPR01MB0191; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:YTXPR01MB0191;
x-forefront-prvs: 03932714EB
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(39450400003)(39410400002)(39400400002)(39850400002)(39840400002)(199003)(51914003)(189002)(24454002)(54906002)(55016002)(74482002)(4326008)(6436002)(9686003)(106356001)(105586002)(33656002)(478600001)(102836003)(5660300001)(68736007)(53936002)(38730400002)(110136004)(6506006)(6246003)(14454004)(3660700001)(97736004)(86362001)(2900100001)(8936002)(101416001)(3280700002)(77096006)(305945005)(6916009)(54356999)(8676002)(50986999)(76176999)(2171002)(229853002)(25786009)(93886004)(7696004)(74316002)(189998001)(81166006)(2906002)(81156014)(2950100002); DIR:OUT; SFP:1101; SCL:1; SRVR:YTXPR01MB0191; H:YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: uoguelph.ca does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: uoguelph.ca
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Aug 2017 13:04:28.3373 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YTXPR01MB0191
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/hRnjHoh1SJDlbBh5_k-OWxrbu-I>
Subject: Re: [nfsv4] Path forward for flex-files
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Aug 2017 13:04:33 -0000
Benjamin Kaduk wrote: >On Tue, Aug 08, 2017 at 12:20:26AM +0000, Rick Macklem wrote: >> Benjamin Kaduk wrote: >> [stuff snipped] >> > The solution space looks rather different whether the synthetic principals >> > are actually being created/deleted on the KDC or synthesized using the >> > data server's keytab. >> I'm not sure what you are thinking of w.r.t. synthesized using the data server's keytab, >> but I am curious? > >A service ticket is "just" some DER-encoded data encrypted+MAC'd in a symmetric >key shared between the KDC and the service principal (in the simple case). >When the service application receives a service ticket along with the client's >request, the service knows that the ticket came from the KDC because the >MAC verifies, generating/verifying the MAC requires that symmetric shared >key, and the service knows that it didn't generate the ticket itself. >Note the logical leap at the end -- it's assumed from the KDC because the >KDC is the only other party that's supposed to have the key material. >But really, anyone with the right key can encode the right data and encrypt+MAC >it using that key -- this allows one to print a ticket to onesself that >claims to be for a client principal that does not even exist in the >KDC's database. > >We use this "ticket printing" technique in AFS for server-to-server >communications, and it's exposed to some maintenance tools as well. Ok, so a simple way of doing this would be to... - Create the synthetic principals on the KDC and acquire keytab entries for them. - Move the keytab entries to a file in the MDS. Then the MDS could generate a service ticket for the synthetic principal by acquiring a TGT for the synthetic principal and then letting gss_init_sec_context() do the rest? (I think you can also do this for the principal "root@MYREALM" and the MDS can use that to gain "root" access to the DS for at least some Kerberized NFS servers. I believe I did this "root" trick in FreeBSD and it worked, although I wouldn't recommend it from a security point of view.) Thanks for the info, rick
- [nfsv4] Path forward for flex-files David Noveck
- Re: [nfsv4] Path forward for flex-files Rick Macklem
- Re: [nfsv4] Path forward for flex-files Rick Macklem
- Re: [nfsv4] Path forward for flex-files Olga Kornievskaia
- Re: [nfsv4] Path forward for flex-files Thomas Haynes
- Re: [nfsv4] Path forward for flex-files Rick Macklem
- Re: [nfsv4] Path forward for flex-files Rick Macklem
- Re: [nfsv4] Path forward for flex-files Benjamin Kaduk
- Re: [nfsv4] Path forward for flex-files Benjamin Kaduk
- Re: [nfsv4] Path forward for flex-files Benjamin Kaduk
- Re: [nfsv4] Path forward for flex-files Rick Macklem
- Re: [nfsv4] Path forward for flex-files Benjamin Kaduk
- Re: [nfsv4] Path forward for flex-files Rick Macklem