LinuxLists.cc - sec=krb5 feature or bug??

2023-04-02 23:24:15

Subject: sec=krb5 feature or bug??

Hi,

I've been testing a Linxu 5.15 NFSv4.2 client against a
FreeBSD server to test recently added SP4_MACH_CRED
support in the FreeBSD server.

I noticed the following oddity, which I thought I'd report
in case it is considered a bug and not a feature.
I do a mount like:
# mount -t nfs -o nfsvers=4,sec=krb5 nfsv4-server:/ /mnt
#
- When looking at the packet capture during the mount,
the ExchangeID, CreateSession and ReclaimComplete
are done with integrity (ie. krb5i) and ExchangeID uses
SP4_MACH_CRED.
- Then, subsequent RPCs do not use integrity, as I would
have assumed, given the "sec=krb5" argument.
However, some subsequent RPCs in the must_allow ops
list for SP4_MACH_CRED choose to use the "machine
principal" and do krb5i.

It just seems weird that it mixes krb5 and krb5i. I had
not expected it to use SP4_MACH_CRED when
"sec=krb5" was specified.

However, it seems to work fine this way, so I can see
the argument that this is a "feature" and not a bug.

Just fyi, rick

2023-04-03 17:14:08

by Olga Kornievskaia

[permalink] [raw]

Subject: Re: sec=krb5 feature or bug??

Hi Rick,

That's by design (rather that's what spec says? It may be rfc 8881
2.4.3 and probably somewhere else that ops that are done with machine
creds must use the same gss flavor? ). All state operations are done
with sec=krb5i (if kerberos is configured on the machine) and then
other operations are done with whatever flavor was specified on the
mount command.

On Sun, Apr 2, 2023 at 7:24 PM Rick Macklem <[email protected]> wrote:
>
> Hi,
>
> I've been testing a Linxu 5.15 NFSv4.2 client against a
> FreeBSD server to test recently added SP4_MACH_CRED
> support in the FreeBSD server.
>
> I noticed the following oddity, which I thought I'd report
> in case it is considered a bug and not a feature.
> I do a mount like:
> # mount -t nfs -o nfsvers=4,sec=krb5 nfsv4-server:/ /mnt
> #
> - When looking at the packet capture during the mount,
> the ExchangeID, CreateSession and ReclaimComplete
> are done with integrity (ie. krb5i) and ExchangeID uses
> SP4_MACH_CRED.
> - Then, subsequent RPCs do not use integrity, as I would
> have assumed, given the "sec=krb5" argument.
> However, some subsequent RPCs in the must_allow ops
> list for SP4_MACH_CRED choose to use the "machine
> principal" and do krb5i.
>
> It just seems weird that it mixes krb5 and krb5i. I had
> not expected it to use SP4_MACH_CRED when
> "sec=krb5" was specified.
>
> However, it seems to work fine this way, so I can see
> the argument that this is a "feature" and not a bug.
>
> Just fyi, rick