> Does anyone know more about Kerberos than "centralized authentication
> service handing out signed authentication tickets for services"?

Yes.

> Is it possible to have a v4-only server or does some part of the protocol
> fall back to v3?

My limited, imperfect understanding of NFSv4 is that AUTH_GSS (the Kerberos authentication piece; I can explain why it is called "GSS" but it's long and boring) is not mandatory.

> What I have in mind is to have a privileged login process doing the
> authentication and forking off a worker process running under the
> logged in user's credentials and thus have the kernel do all nifty
> permission checking.
>
> Is someone familiar enough with NFSv4/Kerberos to immediately point out
> to me why that can't possibly work?

The Kerberos "tickets" (what you need for authentication) are typically stored in one of three places:

- A file somewhere on the local filesystem
- In the memory of a special process that clients communicate with via some IPC mechanism.
- Inside of the kernel in some kind of secure storage (the only implementation of that I am aware of is the Linux "keyring" mechanism).

My understanding is that most/all Unix based kernel NFSv4 implementations have some kind of kernel callout mechanism to a userspace helper process, which then "finds" the user's tickets and does the Kerberos magic to get what NFSv4 needs and then passes it up to the kernel. Shoving the whole Kerberos library into the kernel would be a heavy lift and is basically never done; you want all that done in userspace.

My limited understanding of how the NFSv4 mechanism "finds" the user's tickets is that mostly you have to put them in a file somewhere on the local filesystem with a name based on the user's Unix userid. There might be NFSv4 clients that can communicate with one of the IPC based ticket storage systems but I have not been keeping track of that space.

I will note that the other major filesystem I am aware of that has Kerberos support (AFS) requires you to run a command that puts the necessary ticket into the kernel (usually this is done for you by part of the login process). I always felt that doing this for NFSv4 (presumably telling the NFSv4 helper process "here is my ticket") was a reasonable way to go, but the people who did NFSv4 implementations never seemed to agree with me. The more complicated piece here is that AFS only requires one well-known Kerberos service ticket that works for any AFS server, but with NFS you have to get a different service ticket for every discrete NFS server.

--Ken
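The reply above describes the file-based case: the userspace helper locates a ticket file named after the user's Unix uid and hands the result to the kernel. The example below is added here and is not part of Ken's message or any NFS helper's code. It builds a minimal MIT-style FILE credential cache (format version 0x0504: version bytes, tagged header, default principal; no credential records), parses the default principal back out, locates caches named for a uid in a directory, and audits each one for ownership and mode problems that would let another local user read it. The `krb5cc_<uid>` name is MIT's default FILE cache name; the search directory, the `_<suffix>` variants, `SAMPLE_UID` and `alice@EXAMPLE.COM` are constructed for this example and do not reproduce how any real helper searches.

```python
import os
import stat
import struct
import tempfile

# Constructed sample uid and naming convention for this example. MIT Kerberos's
# default FILE credential cache is /tmp/krb5cc_<uid>; the search directory and
# the "_<suffix>" variants here are assumptions, not a real helper's logic.
SAMPLE_UID = os.getuid()
SAMPLE_PRINCIPAL = "alice@EXAMPLE.COM"


def build_file_ccache(principal: str) -> bytes:
    """Construct the start of an MIT FILE ccache (format version 4): version,
    empty tagged header, and the default principal. No credential records
    follow, so this is sample data only."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    out = struct.pack(">BB", 5, 4)                   # format version 0x0504
    out += struct.pack(">H", 0)                      # header length: no tagged fields
    out += struct.pack(">II", 1, len(comps))         # name type NT-PRINCIPAL, component count
    out += struct.pack(">I", len(realm)) + realm.encode()
    for c in comps:
        out += struct.pack(">I", len(c)) + c.encode()
    return out


def read_default_principal(data: bytes) -> str:
    """Parse the default principal from a version-4 FILE ccache (integers are big-endian)."""
    if data[:2] != b"\x05\x04":
        raise ValueError("not a version-4 FILE ccache")
    off = 2
    (hlen,) = struct.unpack_from(">H", data, off)
    off += 2 + hlen                                  # skip the tagged header block
    _name_type, ncomp = struct.unpack_from(">II", data, off)
    off += 8
    (rlen,) = struct.unpack_from(">I", data, off)
    off += 4
    realm = data[off:off + rlen].decode()
    off += rlen
    comps = []
    for _ in range(ncomp):
        (clen,) = struct.unpack_from(">I", data, off)
        off += 4
        comps.append(data[off:off + clen].decode())
        off += clen
    return "/".join(comps) + "@" + realm


def find_uid_ccaches(uid: int, directory: str) -> list:
    """Locate cache files named for a uid: krb5cc_<uid> and krb5cc_<uid>_<suffix>."""
    exact = f"krb5cc_{uid}"
    hits = [n for n in os.listdir(directory) if n == exact or n.startswith(exact + "_")]
    return sorted(os.path.join(directory, n) for n in hits)


def audit_ccache(path: str, uid: int) -> list:
    """Return findings that would let another local user read or replace this cache."""
    st = os.stat(path)
    findings = []
    if st.st_uid != uid:
        findings.append(f"owned by uid {st.st_uid}, expected {uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append(f"mode {oct(stat.S_IMODE(st.st_mode))} grants group/other access")
    return findings


def demo() -> dict:
    """Create two constructed caches for SAMPLE_UID, one locked down (0600) and one
    world-readable (0644), then report principal and audit findings keyed by name suffix."""
    report = {}
    with tempfile.TemporaryDirectory() as d:
        for suffix, mode in (("", 0o600), ("_nfs", 0o644)):
            p = os.path.join(d, f"krb5cc_{SAMPLE_UID}{suffix}")
            with open(p, "wb") as f:
                f.write(build_file_ccache(SAMPLE_PRINCIPAL))
            os.chmod(p, mode)
        for p in find_uid_ccaches(SAMPLE_UID, d):
            with open(p, "rb") as f:
                principal = read_default_principal(f.read())
            suffix = os.path.basename(p)[len(f"krb5cc_{SAMPLE_UID}"):]
            report[suffix] = {"principal": principal, "findings": audit_ccache(p, SAMPLE_UID)}
    return report


if __name__ == "__main__":
    for suffix, r in demo().items():
        print(f"krb5cc_{SAMPLE_UID}{suffix}: {r['principal']} {r['findings'] or 'OK'}")
```

The point of the audit step is that a uid-named cache file is only as private as its mode and owner: whatever process (a login helper or the NFS callout) writes or reads the file, a cache that is group- or world-readable exposes the user's tickets to every other local account, so a check like `audit_ccache` belongs wherever such files are created.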
