IETF Logo Mail Archive

Re: [nfsv4] AUTH_GSS for Callbacks

Mike Eisler <mike@eisler.com> Wed, 29 October 2003 22:55 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA12296 for <nfsv4-archive@odin.ietf.org>; Wed, 29 Oct 2003 17:55:22 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AEzDT-0005mZ-V9 for nfsv4-archive@odin.ietf.org; Wed, 29 Oct 2003 17:55:04 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h9TMt3fR022221 for nfsv4-archive@odin.ietf.org; Wed, 29 Oct 2003 17:55:03 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AEzDT-0005mK-Pz for nfsv4-web-archive@optimus.ietf.org; Wed, 29 Oct 2003 17:55:03 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA12256 for <nfsv4-web-archive@ietf.org>; Wed, 29 Oct 2003 17:54:51 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AEzDR-00066e-00 for nfsv4-web-archive@ietf.org; Wed, 29 Oct 2003 17:55:01 -0500
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1AEzDQ-00066b-00 for nfsv4-web-archive@ietf.org; Wed, 29 Oct 2003 17:55:00 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AEzDS-0005l8-HC; Wed, 29 Oct 2003 17:55:02 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AEzCj-0005if-2D for nfsv4@optimus.ietf.org; Wed, 29 Oct 2003 17:54:17 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA12240 for <nfsv4@ietf.org>; Wed, 29 Oct 2003 17:54:04 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AEzCg-00065R-00 for nfsv4@ietf.org; Wed, 29 Oct 2003 17:54:14 -0500
Received: from [207.230.99.20] (helo=eagle.sharedhosting.net) by ietf-mx with esmtp (Exim 4.12) id 1AEzCf-00065L-00 for nfsv4@ietf.org; Wed, 29 Oct 2003 17:54:13 -0500
Received: from eisler.com (nat-198-95-226-230.netapp.com [198.95.226.230]) (authenticated bits=0) by eagle.sharedhosting.net (8.12.10/8.12.10) with ESMTP id h9TMrgJA006003 for <nfsv4@ietf.org>; Wed, 29 Oct 2003 14:54:07 -0800 (PST)
Message-ID: <3FA044F0.4080307@eisler.com>
From: Mike Eisler <mike@eisler.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: nfsv4@ietf.org
Subject: Re: [nfsv4] AUTH_GSS for Callbacks
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: nfsv4-admin@ietf.org
Errors-To: nfsv4-admin@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
X-Original-Date: Wed, 29 Oct 2003 14:53:36 -0800
Date: Wed, 29 Oct 2003 14:53:36 -0800
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit


 > -----Original Message-----
 > From: rick@snowhite.cis.uoguelph.ca
 > [mailto:rick@snowhite.cis.uoguelph.ca]
 > Sent: Wednesday, October 29, 2003 2:16 PM
 > To: nfsv4@ietf.org
 > Subject: [nfsv4] AUTH_GSS for Callbacks
 >
 >
 > It's me, confused again:-)
 >
 > I've read Sec. 3.4 a couple of times and can't figure out
 > quite what the
 > server is supposed to do w.r.t. GSS authentication for Callbacks.
 >
 > The first para. seems to state that the server should use the same
 > principal the client used when doing the SetClientid. Later, it seems
 > to state that the server should use the form:

Here's an example of how it is intended to work with Kerberos V5
according to my interpretation (intent really since I contributed
that section) of 3.4.

The client uses root/<fqdn of client host> as the initiator
principal when it did SETCLIENTID. Note that RFC3530 doesn't
mandate this form at all ... think of that lack of
mandate it as a concession to the
camp of NFS client implementors that think machine creds are evil. I
suspect this means that they'll be using AUTH_NONE for SETCLIENTID, but I
digress. :-)

The target principal for SETCLIENITD is mandated to be nfs@<fqdn of server host>.

When the server does the call back, the target and initiator principals
are simply reversed. The initiator principal is nfs@<fqdn of server host>, and
the target principal is root/<fqdn of client host>.

It can't be any other way ... otherwise the server can't be
sure the client it is sending the callback to is the right client
(the one that owns the client id), and similarly, the client can't be sure
the server issuing the callback is the one that granted the delegation.



_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email