How to use NFS with multiple principals in different realms?

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Tue Sep 9 22:18:13 EDT 2014


> Per Oracle support this is not quite correct: if you have multiple tickets in a
> DIR: then the NFS client is either required to negotiate with the server (RFC
> 3530) or try the credentials in order until one works.

"negotiate" appears to mean select a security mechanism, such as Kerberos vs. something else. Is there actually an "intra-mechanism" requirement?

> Still it has to try all options, i.e. negotiate. This is what the reference
> implementation for NFS (Solaris) does.


What are "all the options"? It could try nfs/fqdn@REALM for each REALM present in your ticket cache. It could maintain a separate list of realms not in your cache to be tried. It could let the user specify a principal to try. This has nothing to do with client/server communication and more with probing the Kerberos trust network to see if there is a path to walk from one of the credentials in your cache to one of the potential service principals.

I think what you're saying is that after the negotiation has settled on Kerberos, you want more aggressive probing.

Alternatively, in lieu of aggressive probing (which would yield shared Kerberos user principal trustable by both client and server), you want the id mapper on the NFS client and on the NFS server to map the same NFS id to different Kerberos principals. And then the client system should also know what Kerberos principal the server system has mapped to the relevant NFS ID (server-wide? For a particular mount point?). And both client-recognized and server-recognized Kerberos principals must be in the user's cache. And trust that the two principals are the same ultimately stems from the fact that they're in the same user's Kerberos cache, which is presumably under the control of one human. But I think there still has to be a trust path from NFS client to NFS server. Or no?

Do NFS ID mappers talk to one another? How would they negotiate? I think I need a picture to nail down all the moving parts.

Bryce
