Return-Path: linux-nfs-owner@vger.kernel.org Received: from mx1.redhat.com ([209.132.183.28]:37942 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932221Ab3KHPHI (ORCPT ); Fri, 8 Nov 2013 10:07:08 -0500 Message-ID: <527CFE57.9030106@RedHat.com> Date: Fri, 08 Nov 2013 10:08:07 -0500 From: Steve Dickson MIME-Version: 1.0 To: "Myklebust, Trond" CC: Linux NFS Mailing List Subject: Re: [PATCH] Adding the nfs4_use_min_auth module parameter References: <1383851364-8370-1-git-send-email-steved@redhat.com> <1383852380.12966.5.camel@leira.trondhjem.org> <527C0548.1090205@RedHat.com> <1383860381.12966.37.camel@leira.trondhjem.org> <527C0CB6.8090308@RedHat.com> <1383863394.12966.63.camel@leira.trondhjem.org> <527CD765.1000903@RedHat.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Sender: linux-nfs-owner@vger.kernel.org List-ID: On 08/11/13 09:30, Myklebust, Trond wrote: > > On Nov 8, 2013, at 7:21, Steve Dickson wrote: > >> >> >> On 07/11/13 17:29, Myklebust, Trond wrote: >>>> Again, what servers, today, support this type of secure state establishment? >>>>> Having this type of security in the client I think is good... but if >>>>> the client is not talking with any servers that support this type >>>>> of security, why not have a way to turn it off? >>> I don't understand. Servers are _required_ to support RPCSEC_GSS with >>> krb5 by both RFC3530 and RFC5661. AUTH_SYS is, in fact, the optional >>> flavour. >> Agreed... 100% of the NFSv4 server have to support RPCSEC_GSS. its mandated >> by the spec(s). >> >>> >>> The problem here is that sometimes kerberos isn't configured by the >>> admin, who then expects that it shouldn't be necessary to run rpc.gssd >>> or rpc.svcgssd. It is necessary because we first try the >>> mandatory-to-implement and secure RPCSEC_GSS/krb5i flavour before >>> falling back to the less secure AUTH_SYS... >> Sometimes? Its generally not.. from my experience... >> >> Basically how I interpret this last paragraph, is we will be requiring >> admins set up secure mounts for them to avoid the 15sec delay mount >> times... aka... running a daemon that will say "no, no there is no >> security here" while spewing of log messages when Kerberos is not setup... > > No. All we are requiring is that they run rpc.gssd. Even when they do not want any secure mounts at all? What is that justification? steved.