freebsd-nq/usr.sbin
Doug Rabson a9148abd9d Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager.  I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.

The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.

To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.

As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any Kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.

Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard Heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.

The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.

Sponsored by:	Isilon Systems
MFC after:	1 month
2008-11-03 10:38:00 +00:00
ac
accton
acpi Update to reflect reality: 2008-05-20 12:07:02 +00:00
adduser The original adduser/rmuser scripts in Perl used to modify the PATH 2008-07-30 18:37:21 +00:00
amd Don't always link statically with libwrap. By the time amd(8) 2008-03-29 18:13:15 +00:00
ancontrol Remove duplicate headers <sys/socket.h> 2008-04-21 07:25:26 +00:00
apm
apmd getopt(3) returns -1, not EOF when out of args. 2007-02-05 07:35:23 +00:00
arp Spell "blackhole" correctly and fix one grammar nit. 2008-03-24 22:57:55 +00:00
asf Make grammar a bit more consistent in this document. 2006-12-20 06:21:51 +00:00
audit Enable building of OpenBSM command line tools: 2006-02-02 10:15:30 +00:00
auditd Enable building of OpenBSM command line tools: 2006-02-02 10:15:30 +00:00
auditreduce auditreduce now requires OpenBSM's config/config.h, so add that to the 2006-09-25 11:56:20 +00:00
authpf Do not bypass WARNS machinery by hardcoding -Werror into CFLAGS. 2006-09-21 18:16:22 +00:00
bluetooth Add mandatory "security description" SDP parameter to the PANU profile 2008-03-19 00:06:30 +00:00
boot0cfg - Improve error message given on g_providername call failure. 2008-09-30 07:18:49 +00:00
boot98cfg Correct typo in usage message. 2007-12-19 03:31:44 +00:00
bootparamd Remove a useless cast. 2008-08-02 00:10:02 +00:00
bsnmpd Only build the bsnmpd netgraph module if MK_NETGRAPH_SUPPORT is set. 2008-10-02 14:26:56 +00:00
btxld Allow for a zero length 'loader'. 2008-04-05 10:26:20 +00:00
burncd
cdcontrol - Enhance volume handling 2008-07-14 13:22:09 +00:00
chkgrp
chown
chroot
ckdist Fix markup and change some layout; no content changes. 2006-12-27 13:52:57 +00:00
clear_locks Add missing library dependency. 2008-03-29 18:07:06 +00:00
config Allow kernel config files to include files other than those in the CWD, 2008-07-28 17:11:57 +00:00
cpucontrol - Fix error reporting. 2008-08-12 09:47:50 +00:00
crashinfo Add a script to perform simple analysis of a crash dump (either a full 2008-08-05 20:41:46 +00:00
cron Fix empty mailto (-m "") handling: somehow I missed all checks but the first, 2008-08-01 08:01:33 +00:00
crunch Introduce crunchide to the ELF e_machine MIPS values. 2008-09-03 16:21:28 +00:00
ctm
cxgbtool - Fix regression with GETMEM 2008-09-10 01:10:17 +00:00
daemon Unbreak rev 1.7's getopt usage. The -f switch does not take an argument. 2007-04-19 16:43:30 +00:00
dconschat Set the default escape character as described in the manpage of dconschat(8). 2007-07-12 13:08:00 +00:00
devinfo Bump up the limit for when to print the resources for a given resource 2007-10-27 13:06:15 +00:00
digictl
diskinfo Print provider's ident when in verbose mode. 2007-05-06 00:25:21 +00:00
dnssec-keygen Update bmake glue for the BIND 9.4.1 import. 2007-06-02 23:19:58 +00:00
dnssec-signzone Update bmake glue for the BIND 9.4.1 import. 2007-06-02 23:19:58 +00:00
editmap
edquota Drag this code kicking and screaming into the twenty-first century. 2008-07-02 15:51:59 +00:00
eeprom Flush my typo fix queue for this directory. 2006-12-05 23:20:14 +00:00
extattr Invoke err() with a format string rather than directly with a passed 2008-07-15 16:07:34 +00:00
extattrctl
faithd Cleanup of userland __P use 2007-11-07 10:53:41 +00:00
fdcontrol Force the use of the tbl(1) preprocessor. 2006-10-25 10:44:59 +00:00
fdformat Fix a nit noticed during translation. 2007-02-28 10:24:34 +00:00
fdread Remove unused variables. 2006-07-20 09:38:46 +00:00
fdwrite
fifolog Populate usage() 2008-05-14 23:29:02 +00:00
flowctl
freebsd-update In freebsd-update IDS, strip out file flags before we look for 2008-08-08 04:34:00 +00:00
ftp-proxy Link pf 4.1 to the build: 2007-07-03 12:46:08 +00:00
fwcontrol Sweep this man page a bit: 2008-09-11 22:11:41 +00:00
getfmac
getpmac
gssd Implement support for RPCSEC_GSS authentication to both the NFS client 2008-11-03 10:38:00 +00:00
gstat - Allow gstat to print values to different kind of outputs. 2008-10-07 10:25:27 +00:00
ifmcstat mdoc fix: Add missing .El request 2007-10-30 16:04:23 +00:00
inetd o inetd(8) requires wait/nowait column in inetd.conf for 2008-01-12 21:09:48 +00:00
iostat Fix the device name spacing. 2008-09-11 09:55:54 +00:00
ip6addrctl Cleanup of userland __P use 2007-11-07 10:53:41 +00:00
ipfwpcap Add a signal handler for SIGINT to make sure that the PID file 2007-10-12 14:57:39 +00:00
IPXrouted Use printf formats which match the variable types without casts so we 2007-11-17 23:09:39 +00:00
jail Bump date. 2007-04-05 21:17:52 +00:00
jexec Fix some bugs/complaints: 2008-05-29 17:00:01 +00:00
jls
kbdcontrol Some clarifications to make keyboard configuration under syscons. 2008-01-29 18:28:50 +00:00
kbdmap Output keymap choice to stderr so it is easier to parse for apps chained to 2007-08-27 21:56:42 +00:00
kernbb
keyserv Cleanup of userland __P use 2007-11-07 10:53:41 +00:00
kgmon Correct a typo 2006-06-29 09:18:16 +00:00
kgzip
kldxref These are the things that the tinderbox has problems with because it 2007-11-20 02:07:30 +00:00
lastlogin
lmcconfig Style. 2006-09-01 09:24:28 +00:00
lpr use bigger local variable to calculate free space 2008-09-01 12:32:40 +00:00
lptcontrol
mailstats
mailwrapper Markup fixes. 2006-09-29 17:57:04 +00:00
makemap
manctl
memcontrol
mergemaster Document the AUTO_UPGRADE (-U) knob for .mergemasterrc 2008-06-11 18:54:06 +00:00
mixer mixer(8) is WARNS=6 clean since 1.25. 2008-03-16 08:06:36 +00:00
mld6query These IPv6-only tools have no explicit dependency on the INET6 macro. 2006-07-27 15:31:13 +00:00
mlxcontrol Make mlxcontrol work with more than one system drive: 2008-09-12 17:40:17 +00:00
mount_nwfs Use sysctlbyname() instead of sysctl 2006-05-11 17:23:57 +00:00
mount_portalfs Decrease to WARNS=3. 2007-01-20 23:24:11 +00:00
mount_smbfs Convert mount_smbfs to use nmount(). 2005-11-16 02:47:12 +00:00
mountd Implement support for RPCSEC_GSS authentication to both the NFS client 2008-11-03 10:38:00 +00:00
moused Improve the virtual scrolling mechanism to make middle clicking less 2008-05-15 15:05:02 +00:00
mptable
mtest Import rewrite of IPv4 socket multicast layer to support source-specific 2007-06-12 16:24:56 +00:00
mtree Add the mtree.5 manpage. I'll come back soon and 2008-01-01 06:15:57 +00:00
named Update bmake glue for the BIND 9.4.1 import. 2007-06-02 23:19:58 +00:00
named-checkconf Update bmake glue for the BIND 9.4.1 import. 2007-06-02 23:19:58 +00:00
named-checkzone Update bmake glue for the BIND 9.4.1 import. 2007-06-02 23:19:58 +00:00
named.reload
ndiscvt remove reference for unexisting ndisapi(9) 2008-07-23 05:50:17 +00:00
ndp Cleanup of userland __P use 2007-11-07 10:53:41 +00:00
newsyslog Fix 6-year old cut&paste error. The # could be escaped with '\', not 2008-06-26 07:02:47 +00:00
nfsd Implement support for RPCSEC_GSS authentication to both the NFS client 2008-11-03 10:38:00 +00:00
ngctl Modify the DoParseCommand() to work on (const char *) instead of just 2008-06-28 12:31:30 +00:00
nghook
nologin Update nologin(5) to match the modern reality of login.conf(5) and PAM. 2007-05-10 11:22:24 +00:00
nscd Slightly adjust code logic: we allocate a "size"ed length of memory, not 2008-10-23 00:31:15 +00:00
ntp Makefile.inc already defines OPENSSL if crypto is available/wanted. 2008-09-11 20:32:06 +00:00
nvram Revise markup. 2006-09-30 19:07:03 +00:00
ofwdump De-sparc64-ify (now that it's also installed on PowerPC). 2008-01-31 14:58:55 +00:00
pccard Cleanup of userland __P use 2007-11-07 10:53:41 +00:00
pciconf Add HDA multimedia subclass. 2008-10-21 21:55:38 +00:00
periodic - The weekly periodic runs occur on Saturday mornings, not on Sunday mornings 2007-09-07 21:54:45 +00:00
pkg_install Display usage when pkg_add is called with no arguments. 2008-10-17 15:10:45 +00:00
pmccontrol Fix pmccontrol(8) on Intel Xeon's running in 64 bit mode. 2006-02-27 14:25:32 +00:00
pmcstat - Avoid a spurious error when a command line is specified without 2008-10-07 17:28:52 +00:00
pnpinfo Remove alpha left-overs. 2006-08-22 08:03:01 +00:00
portsnap - remove superfluous word 2008-09-15 16:30:06 +00:00
powerd Add an abbreviation for adaptive mode, and document all the abbreviations. 2008-06-22 17:52:57 +00:00
ppp Make ppp use <termios.h>, not <sys/tty.h>. 2008-06-05 17:46:32 +00:00
pppctl
pppd Add missing <stdlib.h> for exit() 2007-11-07 10:57:35 +00:00
pppstats Cleanup of userland __P use 2007-11-07 10:53:41 +00:00
praliases
praudit Enable building of OpenBSM command line tools: 2006-02-02 10:15:30 +00:00
procctl
pstat Clamp the values of t_column to 5 digits in pstat -t' and show all ttys'. 2008-11-01 13:40:46 +00:00
pw Use arc4random_uniform() to avoid "modulo bias" 2008-08-16 15:41:03 +00:00
pwd_mkdb
quot Make `quot -a' work when we've got slashes in the device name. 2008-09-14 11:50:19 +00:00
quotaon Drag this code kicking and screaming into the twenty-first century. 2008-07-02 15:51:59 +00:00
rarpd
raycontrol
repquota Drag this code kicking and screaming into the twenty-first century. 2008-07-02 15:51:59 +00:00
rip6query Cleanup of userland __P use 2007-11-07 10:53:41 +00:00
rmt
rndc Update bmake glue for the BIND 9.4.1 import. 2007-06-02 23:19:58 +00:00
rndc-confgen Update bmake glue for the BIND 9.4.1 import. 2007-06-02 23:19:58 +00:00
route6d Cleanup of userland __P use 2007-11-07 10:53:41 +00:00
rpc.lockd Re-implement the client side of rpc.lockd in the kernel. This implementation 2008-06-26 10:21:54 +00:00
rpc.statd Re-implement the client side of rpc.lockd in the kernel. This implementation 2008-06-26 10:21:54 +00:00
rpc.umntall
rpc.yppasswdd - Whenever a password/shell is changed via rpc.yppasswdd, the daemon leaves 2008-10-30 01:54:31 +00:00
rpc.ypupdated Kill blank line at EOF. 2007-02-15 02:45:14 +00:00
rpc.ypxfrd o There is no securenets(5) man page, refer to ypserv(8). 2006-11-02 07:36:33 +00:00
rpcbind No network addresses in the system isn't a good excuse 2008-02-14 20:12:23 +00:00
rrenumd Cleanup of userland __P use 2007-11-07 10:53:41 +00:00
rtadvd Change 2 arc4random modulo operations to arc4random_uniform() as 2008-07-26 15:39:32 +00:00
rtprio
rtsold Change arc4random to arc4random_uniform since modulo is not power of 2, 2008-07-26 15:46:39 +00:00
rwhod
sa Ensure that the -s flag truncates the accounting data. 2008-02-21 07:12:56 +00:00
sade Move sysinstall/sade away from TIOCGSIZE. 2008-05-23 14:24:33 +00:00
sendmail This FFR is no longer needed in sendmail 8.14 2007-04-09 01:45:52 +00:00
setfib - Use static for usage() 2008-10-17 21:11:09 +00:00
setfmac An average consumer of fts(3) that avoids keeping pointers to old 2008-01-29 17:50:29 +00:00
setpmac
sicontrol Remove sicontrol(8)'s "ttystat". 2008-06-09 08:43:27 +00:00
sliplogin
slstat Correct xref to systat(1) which was misspelled as ststat(1) in 1.5. 2005-11-29 16:33:44 +00:00
smbmsg Force the use of the tbl(1) preprocessor. 2006-10-25 10:44:59 +00:00
snapinfo Imagine a situation where: 2007-03-16 12:36:54 +00:00
spkrtest
spray
sysinstall Turns out it's not a good idea to assume the packages that might be 2008-10-22 20:32:19 +00:00
syslogd Add a flag, -T, that tells syslogd to always replace the timestamp on 2008-09-25 09:28:18 +00:00
tcpdchk Reimplementation of world/kernel build options. For details, see: 2006-03-17 18:54:44 +00:00
tcpdmatch Reimplementation of world/kernel build options. For details, see: 2006-03-17 18:54:44 +00:00
tcpdrop Normalize usage output. 2007-10-31 13:49:20 +00:00
tcpdump Update for tcpdump 3.9.8 2007-10-16 02:32:44 +00:00
timed Remove spurious duplicated definition of sock. 2008-09-24 00:04:51 +00:00
traceroute Add AS lookup functionality. On each hop we query a whois server to 2008-02-20 23:29:53 +00:00
traceroute6 Give traceroute6 the ability to traceroute with packets with no 2008-02-10 21:06:38 +00:00
trpt Obey MK_INET6_SUPPORT. 2006-07-27 14:52:12 +00:00
tzsetup - Replace rcsid with __FBSDID. 2008-06-03 22:34:52 +00:00
ugidfw Add some new options to mac_bsdestended. We can now match on: 2006-04-23 17:06:18 +00:00
usbdevs
vidcontrol Tweak some wording and markup. 2006-12-22 23:23:59 +00:00
vipw
watch Convert the snp(4) driver to use cdevpriv. 2008-08-15 13:07:07 +00:00
watchdogd Don't exit from watchdogd on receiving a signal if we cannot stop the watchdog. 2006-12-15 22:47:36 +00:00
wlandebug misc cleanups for stricter compilation 2008-05-28 23:37:37 +00:00
wlconfig
wpa - install the example wpa_supplicant.conf file to the share/examples/etc 2008-07-01 21:52:49 +00:00
yp_mkdb
ypbind Don't rely on private RPC data structures when there is a perfectly good 2008-09-15 14:01:40 +00:00
yppoll
yppush Remove unsafe use of asynchronous I/O (the SIGIO handler could cause 2006-08-16 12:58:41 +00:00
ypserv Add -P <port> option to allow binding to a specific port. 2008-02-03 17:39:37 +00:00
ypset Increase helpfulness in diagnostic message - ypbind running without -ypset or 2007-02-28 22:49:12 +00:00
zic getopt(3) returns -1, not EOF. 2008-02-19 07:09:19 +00:00
zzz
Makefile Implement support for RPCSEC_GSS authentication to both the NFS client 2008-11-03 10:38:00 +00:00
Makefile.inc