tech-kern archive


Re: regarding support of NFS versions



>Does anyone know more about Kerberos than "centralized authentication 
>service handing out signed authentication tickets for services"?

Yes.

>Is it possible to have a v4-only server or does some part of the protocol 
>fall back to v3?

My limited, imperfect understanding of NFSv4 is that AUTH_GSS (the
Kerberos authentication piece; I can explain why it is called "GSS"
but it's long and boring) is not mandatory.

>What I have in mind is to have a privileged login process doing the 
>authentication and forking off a worker process running under the 
>logged in user's credentials and thus have the kernel do all nifty 
>permission checking.
>
>Is someone familiar enough with NFSv4/Kerberos to immediately point out 
>to me why that can't possibly work?

The Kerberos "tickets" (what you need for authentication) are typically
stored in one of three places:

- A file somewhere on the local filesystem
- In the memory of a special process that clients communicate with via
  some IPC mechanism.
- Inside of the kernel in some kind of secure storage (the only implementation
  of that I am aware of is the Linux "keyring" mechanism).

My understanding is that most/all Unix based kernel NFSv4
implementations have some kind of kernel callout mechanism to a
userspace helper process, which then "finds" the user's tickets and does
the Kerberos magic to get what NFSv4 needs and then passes it up to the
kernel.  Shoving the whole Kerberos library into the kernel would be
a heavy lift and is basically never done; you want all that done in
userspace.

My limited understanding of how the NFSv4 mechanism "finds" the user's
tickets is mostly you have to put them in a file somewhere on the local
filesystem with a name based on the user's Unix userid.  There might
be NFSv4 clients that can communicate with one of the IPC based ticket
storage systems but I have not been keeping track of that space.

I will note that the other major filesystem I am aware of that has Kerberos
support (AFS) requires you to run a command that puts the necessary ticket
into the kernel (usually this is done for you by part of the login process).
I always felt that doing this for NFSv4 (presumably telling the NFSv4
helper process "here is my ticket") was a reasonable way to go, but
the people who did NFSv4 implementations never seemed to agree with me.
The more complicated piece here is that AFS only requires one well-known
Kerberos service ticket that works for any AFS server, but with NFS
you have to get a different service ticket for every discrete NFS server.

--Ken

