mirror of https://git.FreeBSD.org/src.git synced 2024-12-24 11:29:10 +00:00
freebsd/sbin
Doug Rabson a9148abd9d Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager.  I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.

The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.

To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.

As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.

Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.

The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.

Sponsored by:	Isilon Systems
MFC after:	1 month
2008-11-03 10:38:00 +00:00
adjkerntz
atacontrol Make atacontrol(8) rebuild work when /usr is not mounted or from /rescue 2008-08-06 18:08:02 +00:00
atm Remove netatm from HEAD as it is not MPSAFE and relies on the now removed 2008-05-25 22:11:40 +00:00
badsect
bsdlabel - A call to close(2) might overwrite errno and thus give a wrong error message 2008-09-30 11:46:14 +00:00
camcontrol Add SCSI READ CAPACITY support to camcontrol. The new 'readcap' subcommand 2007-09-08 20:24:12 +00:00
ccdconfig
clri Use an intermediate pointer to avoid strict alias check warnings 2007-11-20 01:55:37 +00:00
comcontrol
conscontrol
ddb DDB scripting, textdumps, output capture, etc, all will appear in 2008-08-03 14:27:06 +00:00
devd No need to be gratuitously style(9) non-compliant here, even though 2008-03-21 20:38:28 +00:00
devfs Support for filtering on major device number was removed in rev. 1.7 or 2008-06-27 09:09:50 +00:00
dhclient Support the remaining options listed in dhcp-options(5) and RFC 2132. 2008-10-17 13:28:53 +00:00
dmesg
dump Expand dump to allow MAX_INT dump levels. 2008-05-24 05:20:46 +00:00
dumpfs Replace incomprehensive description of -m by much clearer text from OpenBSD, 2007-05-12 22:35:22 +00:00
dumpon
fdisk - Improve error message given on g_providername call failure. 2008-09-30 07:18:49 +00:00
fdisk_pc98 Another merging from sbin/fdisk/fdisk.8. 2007-05-10 12:33:00 +00:00
ffsinfo Don't coredump when executed with -o. 2008-01-29 00:20:00 +00:00
fsck
fsck_ffs Background fsck applies twice some summary totals changes. The next 2008-10-13 14:01:05 +00:00
fsck_msdosfs Spot two more bugs WRT adherence to the local prompt style. 2008-01-31 13:22:13 +00:00
fsdb
fsirand
gbde Remove temporary files when there are no longer needed. 2007-04-06 11:16:11 +00:00
geom Add support for multiple attributes. This is required for the 2008-10-20 05:12:50 +00:00
ggate The signature for a pthread function requires that it 2008-06-26 07:05:35 +00:00
growfs Fix an int overflow on very large file systems. 2007-12-17 08:03:18 +00:00
gvinum
idmapd
ifconfig Tiny wording nits. 2008-10-19 09:45:29 +00:00
init Static-ify procedures in init(8). 2008-09-27 00:09:10 +00:00
ipf This makefile builds contrib code, so I won't try to fix all the 2007-11-18 03:29:10 +00:00
ipfw o Remove a debug code and restore an accidentally deleted code 2008-10-14 17:59:39 +00:00
iscontrol Fix typo. 2008-02-06 08:03:27 +00:00
kldconfig
kldload Mark up lkm with .Nm, since lkm is name of an api. 2007-02-13 17:06:15 +00:00
kldstat Add the full module path name to the kld_file_stat structure 2007-10-22 04:12:57 +00:00
kldunload Mark up lkm with .Nm, since lkm is name of an api. 2007-02-13 17:06:15 +00:00
ldconfig Remove unused reference to objformat.h 2007-01-25 22:38:58 +00:00
mca
md5 Bring a paragraph in this manual page a bit closer to the present date. 2008-09-07 15:19:34 +00:00
mdconfig Add -v (verbose) option to -l command, to show size and backing store 2008-06-21 15:04:42 +00:00
mdmfs -n is used by newfs to tell "do not generate a .snap directory" instead of 2007-05-14 19:23:13 +00:00
mknod In the previous changeset a cast of myminor to u_int were 2007-06-14 03:16:16 +00:00
mksnap_ffs Note that snapshots may cause a panic on the full UFS filesystem. 2008-07-26 13:18:33 +00:00
mount Don't return always 0. Return what we get from exec_mountprog or 2008-08-31 20:08:05 +00:00
mount_autofs
mount_cd9660
mount_ext2fs Convert mount_ext2fs to a simple program which passes "-o option" to nmount(). 2007-01-28 00:51:01 +00:00
mount_hpfs
mount_msdosfs Pass "errmsg" to nmount(), so that if nmount() fails, we can get 2007-01-29 01:49:08 +00:00
mount_nfs Implement support for RPCSEC_GSS authentication to both the NFS client 2008-11-03 10:38:00 +00:00
mount_ntfs o Fix Dd format. 2007-11-18 09:18:20 +00:00
mount_nullfs
mount_reiserfs
mount_std
mount_udf
mount_unionfs Added whiteout behavior option. ``-o whiteout=always'' is default mode 2007-10-14 13:55:38 +00:00
natd Check rule numbers against maximum value to avoid rules cleanup due 2008-09-06 17:26:52 +00:00
newfs Replace reference from vinum.8 to gvinum.8, it was advised in the PR to 2008-03-21 20:16:25 +00:00
newfs_msdos Be more accurate in the maximum filesize, it's 4GB not 4.3GB. 2007-12-09 13:34:10 +00:00
nfsiod
nos-tun
pfctl Link pf 4.1 to the build: 2007-07-03 12:46:08 +00:00
pflogd
ping Commit IPv6 support for FAST_IPSEC to the tree. 2007-07-01 12:08:08 +00:00
ping6 Implement -R support, similar to ping(8)'s -A. 2008-08-27 15:01:23 +00:00
quotacheck Drag this code kicking and screaming into the twenty-first century. 2008-07-02 15:51:59 +00:00
rcorder Document the misleading nature of the REQUIRE line. The patch in 2008-06-09 09:07:58 +00:00
reboot - Sweep the boot(8) man page after addition of boot.config(5). 2007-08-18 07:58:36 +00:00
recoverdisk Improve reporting in recoverdisk a good deal. 2007-04-23 12:17:27 +00:00
restore Fix nits pointed out in PR bin/39905 that have not already been 2008-05-23 19:17:08 +00:00
route Fix printing of sockaddr prefixes in verbose mode. 2008-04-10 12:16:20 +00:00
routed Update routed to use the RFC 3678 protocol-independent multicast API. Use 2008-07-30 11:56:15 +00:00
rtsol
savecore Compare kernel dump header magic with textdump magic using strncmp() 2007-12-27 21:28:48 +00:00
sconfig Do not set IFF_DEBUG directly from the driver. 2008-06-30 21:18:27 +00:00
setkey o Add missed dot. 2008-09-29 05:31:27 +00:00
shutdown
slattach
spppcontrol Use a cast that doesn't create a compiler warning. 2007-11-18 00:33:23 +00:00
startslip
sunlabel
swapon Add a -q flag to swapon(8) to suppress informational messages. Use it in 2008-06-23 22:17:08 +00:00
sysctl The sysctl(8) program exits on some errors and only emits warnings on 2008-06-23 22:06:28 +00:00
tunefs o s/filesystem/file system/g. 2007-09-23 16:06:37 +00:00
umount
Makefile add new build knobs and jigger some existing controls to improve 2008-09-21 22:02:26 +00:00
Makefile.inc