On Tue, Apr 15, 2014 at 11:36:34AM -0500, Nico Williams wrote:
> Will,
>
> Mobile devices don't really have stable hostnames, so the system
> should support non-hostbased host/root credentials.

If you are referring to the NFS v4 client requiring root have a krb cred in order to function, as I described in an earlier e-mail, I would ask why NFS v4 clients require root to have a krb cred in the first place (NFS v3 doesn't, as you may recall)?

As you can imagine, many IT departments would balk (putting it mildly) if they were asked to provision keytabs on laptops or other mobile devices that need access to krb protected NFS v4 shares.

As to how that requirement happened, according to one of the NFSv4 developers here that regularly attends Connectathon, the consensus among the NFS v4 implementors for various Linux platforms was that a properly configured NFS v4 client meant it had a keytab containing host service princ keys which could then be leveraged to protect the lease renewal traffic.

My opinion is that unless there is a very good reason to protect that traffic, krb protection for lease renewal traffic should be optional, depending on configuration.

--
Will Fiveash
Oracle Solaris Software Engineer
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos