Summary: | [patch] [kerberos] getpwnam_r buf too small nfs assigns root:user to krb5 clients
---|---
Product: | Base System
Reporter: | hcoin
Component: | kern
Assignee: | freebsd-bugs (Nobody) <bugs>
Status: | Open
Severity: | Affects Only Me
Keywords: | patch
Priority: | Normal
Version: | Unspecified
Hardware: | Any
OS: | Any

Description
hcoin
2011-10-25 18:10:09 UTC
Find attached a tbz that has all the necessary patches I've filed to date against FreeBSD 8 stable that accomplish the following:

1. Alter no current behavior but make more optional (whether I like it or not*).
2. Let NFS do with -sec=krb5x everything it was capable of doing without -sec=krb5.
3. Make it possible, as it was pre-Kerberos, for a server to restrict shares to certain boxes while not letting locally authorized users access to those shares via other clients, nfs3 or nfs4.
4. Make it possible for accounts associated with principal names including a / to have correct file ownership when using mounted shares (all gssapi service accounts related cyrus-sasl accounts, openldap / slapd, nslcd, nfs itself, and in my world all accounts with uid <1000).
5. Fix bugs giving normal users files over nfs with ownership root:user (includes many global rpc fixes relative to longer passwd entries).
6. Make it possible for accounts with /nonexistent home directories to have .k5login capabilities (/etc/k5login.d).
7. Caching to vastly speed up validating local accounts against principals and vice versa (nfs speedup).

Fair notice, the folk on the Heimdal discussion list generally think some of these features need doing, but do not approve of the choices I made about how to do it. Others take great exception to mapping principal names with a / to user accounts per box. Still others think the entire matter of 'taint' is mishandled and needs removing from Kerberos entirely. A fair few other observations occurred as well. Some mention they aim to provide similar functions in code to be written in due course.

So, while they are working on those, in the meantime, enjoy a fully functional krb5/nfs and protected ldap keytab! Full BSD licenses on all added code.

Cheers!
Harry Coin

For bugs matching the following criteria:

Status: In Progress
Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped

Keyword: patch or patch-ready – in lieu of summary line prefix: [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>
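The summary line names a too-small `getpwnam_r` buffer, and item 5 of the description ties wrong file ownership to longer passwd entries. The following is an added example, not code from the attached patches: it shows the grow-and-retry pattern that keeps an `ERANGE` result (buffer too small) distinct from "no such user", so a caller never maps a real account to a default identity. The function name `lookup_uid` and the 1 MiB cap are assumptions made for the illustration.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define LOOKUP_MAX_BUF (1u << 20)   /* assumed upper bound: 1 MiB */

/*
 * Resolve a user name to a uid (hypothetical helper).
 * Returns 0 on success, -1 if the user does not exist, or a positive
 * errno value on failure. *grown counts how often the buffer was enlarged.
 */
int lookup_uid(const char *name, size_t initial, uid_t *uid, int *grown)
{
    size_t len = initial ? initial : 1;
    char *buf = NULL;
    struct passwd pw, *res = NULL;
    int rc;

    *grown = 0;
    for (;;) {
        char *tmp = realloc(buf, len);
        if (tmp == NULL) { free(buf); return ENOMEM; }
        buf = tmp;
        rc = getpwnam_r(name, &pw, buf, len, &res);
        if (rc != ERANGE)
            break;                   /* success, not found, or a hard error */
        if (len >= LOOKUP_MAX_BUF) { free(buf); return ERANGE; }
        len *= 2;                    /* entry did not fit: enlarge and retry */
        (*grown)++;
    }
    if (rc == 0 && res != NULL)
        *uid = pw.pw_uid;            /* copy out before the buffer is freed */
    else if (rc == 0)
        rc = -1;                     /* lookup worked, but no such user */
    free(buf);
    return rc;
}

int main(void)
{
    uid_t uid = 0;
    int grown = 0;
    int rc = lookup_uid("root", 16, &uid, &grown);
    printf("rc=%d uid=%lu enlargements=%d\n", rc, (unsigned long)uid, grown);
    return 0;
}
```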