Return-Path: linux-nfs-owner@vger.kernel.org Received: from mx2.netapp.com ([216.240.18.37]:1204 "EHLO mx2.netapp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757324Ab3KHOaj convert rfc822-to-8bit (ORCPT ); Fri, 8 Nov 2013 09:30:39 -0500 From: "Myklebust, Trond" To: Steve Dickson CC: Linux NFS Mailing List Subject: Re: [PATCH] Adding the nfs4_use_min_auth module parameter Date: Fri, 8 Nov 2013 14:30:37 +0000 Message-ID: References: <1383851364-8370-1-git-send-email-steved@redhat.com> <1383852380.12966.5.camel@leira.trondhjem.org> <527C0548.1090205@RedHat.com> <1383860381.12966.37.camel@leira.trondhjem.org> <527C0CB6.8090308@RedHat.com> <1383863394.12966.63.camel@leira.trondhjem.org> <527CD765.1000903@RedHat.com> In-Reply-To: <527CD765.1000903@RedHat.com> Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Sender: linux-nfs-owner@vger.kernel.org List-ID: On Nov 8, 2013, at 7:21, Steve Dickson wrote: > > > On 07/11/13 17:29, Myklebust, Trond wrote: >>> Again, what servers, today, support this type of secure state establishment? >>>> Having this type of security in the client I think is good... but if >>>> the client is not talking with any servers that support this type >>>> of security, why not have a way to turn it off? >> I don't understand. Servers are _required_ to support RPCSEC_GSS with >> krb5 by both RFC3530 and RFC5661. AUTH_SYS is, in fact, the optional >> flavour. > Agreed... 100% of the NFSv4 server have to support RPCSEC_GSS. its mandated > by the spec(s). > >> >> The problem here is that sometimes kerberos isn't configured by the >> admin, who then expects that it shouldn't be necessary to run rpc.gssd >> or rpc.svcgssd. It is necessary because we first try the >> mandatory-to-implement and secure RPCSEC_GSS/krb5i flavour before >> falling back to the less secure AUTH_SYS... > Sometimes? Its generally not.. from my experience... > > Basically how I interpret this last paragraph, is we will be requiring > admins set up secure mounts for them to avoid the 15sec delay mount > times... aka... running a daemon that will say "no, no there is no > security here" while spewing of log messages when Kerberos is not setup... No. All we are requiring is that they run rpc.gssd. -- Trond Myklebust Linux NFS client maintainer NetApp Trond.Myklebust@netapp.com www.netapp.com