aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/filesystems
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2013-05-03 13:59:39 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2013-05-03 13:59:39 -0400
commit1db772216f48978d5146b858586f6178433aad38 (patch)
tree4cb1f7345256c7a89c85b7a6157bbf16b944782e /Documentation/filesystems
parent86652188f345edec56b0074a65f6db17f16eb359 (diff)
parent676e4ebd5f2c3b4fd1d2bff79b68385c23c5c105 (diff)
Merge branch 'for-3.10' of git://linux-nfs.org/~bfields/linux
Pull nfsd changes from J Bruce Fields: "Highlights include: - Some more DRC cleanup and performance work from Jeff Layton - A gss-proxy upcall from Simo Sorce: currently krb5 mounts to the server using credentials from Active Directory often fail due to limitations of the svcgssd upcall interface. This replacement lifts those limitations. The existing upcall is still supported for backwards compatibility. - More NFSv4.1 support: at this point, if a user with a current client who upgrades from 4.0 to 4.1 should see no regressions. In theory we do everything a 4.1 server is required to do. Patches for a couple minor exceptions are ready for 3.11, and with those and some more testing I'd like to turn 4.1 on by default in 3.11." Fix up semantic conflict as per Stephen Rothwell and linux-next: Commit 030d794bf498 ("SUNRPC: Use gssproxy upcall for server RPCGSS authentication") adds two new users of "PDE(inode)->data", but we're supposed to use "PDE_DATA(inode)" instead since commit d9dda78bad87 ("procfs: new helper - PDE_DATA(inode)"). The old PDE() macro is no longer available since commit c30480b92cf4 ("proc: Make the PROC_I() and PDE() macros internal to procfs") * 'for-3.10' of git://linux-nfs.org/~bfields/linux: (60 commits) NFSD: SECINFO doesn't handle unsupported pseudoflavors correctly NFSD: Simplify GSS flavor encoding in nfsd4_do_encode_secinfo() nfsd: make symbol nfsd_reply_cache_shrinker static svcauth_gss: fix error return code in rsc_parse() nfsd4: don't remap EISDIR errors in rename svcrpc: fix gss-proxy to respect user namespaces SUNRPC: gssp_procedures[] can be static SUNRPC: define {create,destroy}_use_gss_proxy_proc_entry in !PROC case nfsd4: better error return to indicate SSV non-support nfsd: fix EXDEV checking in rename SUNRPC: Use gssproxy upcall for server RPCGSS authentication. SUNRPC: Add RPC based upcall mechanism for RPCGSS auth SUNRPC: conditionally return endtime from import_sec_context SUNRPC: allow disabling idle timeout SUNRPC: attempt AF_LOCAL connect on setup nfsd: Decode and send 64bit time values nfsd4: put_client_renew_locked can be static nfsd4: remove unused macro nfsd4: remove some useless code nfsd4: implement SEQ4_STATUS_RECALLABLE_STATE_REVOKED ...
Diffstat (limited to 'Documentation/filesystems')
-rw-r--r--Documentation/filesystems/nfs/00-INDEX2
-rw-r--r--Documentation/filesystems/nfs/rpc-server-gss.txt91
2 files changed, 93 insertions, 0 deletions
diff --git a/Documentation/filesystems/nfs/00-INDEX b/Documentation/filesystems/nfs/00-INDEX
index 1716874a651e..66eb6c8c5334 100644
--- a/Documentation/filesystems/nfs/00-INDEX
+++ b/Documentation/filesystems/nfs/00-INDEX
@@ -20,3 +20,5 @@ rpc-cache.txt
20 - introduction to the caching mechanisms in the sunrpc layer. 20 - introduction to the caching mechanisms in the sunrpc layer.
21idmapper.txt 21idmapper.txt
22 - information for configuring request-keys to be used by idmapper 22 - information for configuring request-keys to be used by idmapper
23knfsd-rpcgss.txt
24 - Information on GSS authentication support in the NFS Server
diff --git a/Documentation/filesystems/nfs/rpc-server-gss.txt b/Documentation/filesystems/nfs/rpc-server-gss.txt
new file mode 100644
index 000000000000..716f4be8e8b3
--- /dev/null
+++ b/Documentation/filesystems/nfs/rpc-server-gss.txt
@@ -0,0 +1,91 @@
1
2rpcsec_gss support for kernel RPC servers
3=========================================
4
5This document gives references to the standards and protocols used to
6implement RPCGSS authentication in kernel RPC servers such as the NFS
7server and the NFS client's NFSv4.0 callback server. (But note that
8NFSv4.1 and higher don't require the client to act as a server for the
9purposes of authentication.)
10
11RPCGSS is specified in a few IETF documents:
12 - RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt
13 - RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt
14and there is a 3rd version being proposed:
15 - http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
16 (At draft n. 02 at the time of writing)
17
18Background
19----------
20
21The RPCGSS Authentication method describes a way to perform GSSAPI
22Authentication for NFS. Although GSSAPI is itself completely mechanism
23agnostic, in many cases only the KRB5 mechanism is supported by NFS
24implementations.
25
26The Linux kernel, at the moment, supports only the KRB5 mechanism, and
27depends on GSSAPI extensions that are KRB5 specific.
28
29GSSAPI is a complex library, and implementing it completely in kernel is
30unwarranted. However GSSAPI operations are fundementally separable in 2
31parts:
32- initial context establishment
33- integrity/privacy protection (signing and encrypting of individual
34 packets)
35
36The former is more complex and policy-independent, but less
37performance-sensitive. The latter is simpler and needs to be very fast.
38
39Therefore, we perform per-packet integrity and privacy protection in the
40kernel, but leave the initial context establishment to userspace. We
41need upcalls to request userspace to perform context establishment.
42
43NFS Server Legacy Upcall Mechanism
44----------------------------------
45
46The classic upcall mechanism uses a custom text based upcall mechanism
47to talk to a custom daemon called rpc.svcgssd that is provide by the
48nfs-utils package.
49
50This upcall mechanism has 2 limitations:
51
52A) It can handle tokens that are no bigger than 2KiB
53
54In some Kerberos deployment GSSAPI tokens can be quite big, up and
55beyond 64KiB in size due to various authorization extensions attacked to
56the Kerberos tickets, that needs to be sent through the GSS layer in
57order to perform context establishment.
58
59B) It does not properly handle creds where the user is member of more
60than a few housand groups (the current hard limit in the kernel is 65K
61groups) due to limitation on the size of the buffer that can be send
62back to the kernel (4KiB).
63
64NFS Server New RPC Upcall Mechanism
65-----------------------------------
66
67The newer upcall mechanism uses RPC over a unix socket to a daemon
68called gss-proxy, implemented by a userspace program called Gssproxy.
69
70The gss_proxy RPC protocol is currently documented here:
71
72 https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation
73
74This upcall mechanism uses the kernel rpc client and connects to the gssproxy
75userspace program over a regular unix socket. The gssproxy protocol does not
76suffer from the size limitations of the legacy protocol.
77
78Negotiating Upcall Mechanisms
79-----------------------------
80
81To provide backward compatibility, the kernel defaults to using the
82legacy mechanism. To switch to the new mechanism, gss-proxy must bind
83to /var/run/gssproxy.sock and then write "1" to
84/proc/net/rpc/use-gss-proxy. If gss-proxy dies, it must repeat both
85steps.
86
87Once the upcall mechanism is chosen, it cannot be changed. To prevent
88locking into the legacy mechanisms, the above steps must be performed
89before starting nfsd. Whoever starts nfsd can guarantee this by reading
90from /proc/net/rpc/use-gss-proxy and checking that it contains a
91"1"--the read will block until gss-proxy has done its write to the file.