[14646] in Kerberos
Re: Kerberized NFS Linux client?
daemon@ATHENA.MIT.EDU (Rainer Orth)
Tue Jul 10 13:48:22 2001
To: <rk21@gre.ac.uk>
Cc: kerberos@MIT.EDU
Mime-Version: 1.0 (generated by tm-edit 7.106)
Content-Type: text/plain; charset=US-ASCII
From: Rainer Orth <ro@TechFak.Uni-Bielefeld.DE>
Date: 10 Jul 2001 19:46:17 +0200
In-Reply-To: <rk21@gre.ac.uk>'s message of "Tue, 10 Jul 2001 17:23:43 +0100"
Message-ID: <yddk81g4qza.fsf@xayide.TechFak.Uni-Bielefeld.DE>
<rk21@gre.ac.uk> writes:
> I understand that Solaris Kerberised NFS uses RPCSEC_GSS, and this doesn't
> seem to be supported on the Linux version I have (Red Hat 7.1, Kernel
> version 2.4).
Right, see e.g. RFC 2623: NFS Version 2 and Version 3 Security Issues and
the NFS Protocol's Use of RPCSEC_GSS and Kerberos V5. To the best of my
knowledge, right now Sun is the only vendor that implements this (both
client and server side), starting with Solaris 2.6. I'd be very happy to
learn otherwise, though.
> Does anyone know if there is a Kerberized NFS client available for Linux
> which would enable this to work?
Not for NFS V2/V3. The NFS V4 Open Source Reference Implementation (for
Linux 2.4 and OpenBSD)
http://www.citi.umich.edu/projects/nfsv4/index.html
includes that support (both client and server side), but that seems to be
far from production quality, especially since the IETF's NFS V4 WG is still
hashing out problems with the NFS V4 specification. There's also an alpha
implementation for Solaris 7 (may be available for Solaris 8 right now),
but still nothing widespread and ready for production use.
> Alternatively, would a possible/better solution be to install MIT Kerberos
> 5 in preference to SEAM on the Solaris server?
That wouldn't help at all, since the RPCSEC_GSS NFS support would still be
missing. One might be able to take the CITI NFS V4 implementation, Sun's
TI-RPC SRC 99 (both user-mode and kernel RPCSEC_GSS, though without the
Kerberos V5 modules) and MIT Kerberos V5 and hack something together that
works for NFS V2/V3, but I'm not aware that anyone has started working on
this.
Rainer
--
-----------------------------------------------------------------------------
Rainer Orth, Faculty of Technology, Bielefeld University
Email: ro@TechFak.Uni-Bielefeld.DE