From 82f9245116cfb4ca4f0e906e76cd786365f02de5 Mon Sep 17 00:00:00 2001
From: jacobshivers <93015798+jacobshivers@users.noreply.github.com>
Date: Fri, 22 Oct 2021 21:28:04 -0400
Subject: [PATCH 1/5] Create 98-cifs-client.conf

Add a configuration file for cifs.upcall. Once proposed patches extending gssapi functionality for cifs.upcall are included in the main branch, this drop file will be needed to complete the callout to gssproxy. The "program" option is needed for this file and for 99-nfs-client.conf so as to allow for distinct access to the default socket, i.e. /var/lib/gssproxy/default.sock. Without the "program" option being included, gssproxy will not start.
---
 examples/98-cifs-client.conf.in | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 examples/98-cifs-client.conf.in

diff --git a/examples/98-cifs-client.conf.in b/examples/98-cifs-client.conf.in
new file mode 100644
index 0000000..8d8e2c1
--- /dev/null
+++ b/examples/98-cifs-client.conf.in
@@ -0,0 +1,11 @@
+[service/cifs-client]
+ mechs = krb5
+ cred_store = keytab:/etc/krb5.keytab
+ cred_store = ccache:FILE:@gpclidir@/krb5cc_%U
+ cred_store = client_keytab:@gpclidir@/%U.keytab
+ cred_usage = initiate
+ allow_any_uid = yes
+ trusted = yes
+ euid = 0
+ min_lifetime = 60
+ program = /usr/sbin/cifs.upcall

From 423f8f647fe83385f4d20837167028df7080bcb9 Mon Sep 17 00:00:00 2001
From: jacobshivers <93015798+jacobshivers@users.noreply.github.com>
Date: Fri, 22 Oct 2021 21:30:14 -0400
Subject: [PATCH 2/5] Add program to 99-nfs-client.conf

Add "program" option to existing drop file so that both client side NFS and SMB upcall programs, rpc.gssd and cifs.upcall respectively, can both leverage the default gssproxy socket.
---
 examples/99-nfs-client.conf.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/examples/99-nfs-client.conf.in b/examples/99-nfs-client.conf.in
index 9dd1891..249ccf2 100644
--- a/examples/99-nfs-client.conf.in
+++ b/examples/99-nfs-client.conf.in
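Review bot: This new `examples/98-cifs-client.conf.in` is deleted again by patch 4 of the same series, and the `program = /usr/sbin/rpc.gssd` line that patch 2 adds is removed by patch 3, so the series' net change is only the rename in patch 3 plus the new docs file; the intermediate states should be squashed so the history does not carry a drop file that was never meant to ship. As written, the new `.in` file is also not added to whatever substitutes `@gpclidir@` and installs the examples (configure/Makefile changes are not part of the patch), which I would expect to be needed for it to be installed at all — that part is inferred, since the build files are not visible here. The `/usr/sbin/cifs.upcall` path is hard-coded while the credential directory goes through `@gpclidir@`; if the project has a substitution for the sbin directory, using it here would keep the example portable.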
@@ -8,3 +8,4 @@
 trusted = yes
 euid = 0
 min_lifetime = 60
+ program = /usr/sbin/rpc.gssd

From 50909dde340561ba974172c972715fa1055dec9f Mon Sep 17 00:00:00 2001
From: jacobshivers <93015798+jacobshivers@users.noreply.github.com>
Date: Mon, 25 Oct 2021 11:19:18 -0400
Subject: [PATCH 3/5] Update and rename 99-nfs-client.conf.in to 99-network-fs-clients.conf.in

Generalize name as this file can be used by both NFS and SMB upcall methods, i.e. rpc.gssd and cifs.upcall respectively.
---
 .../{99-nfs-client.conf.in => 99-network-fs-clients.conf.in} | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 rename examples/{99-nfs-client.conf.in => 99-network-fs-clients.conf.in} (82%)

diff --git a/examples/99-nfs-client.conf.in b/examples/99-network-fs-clients.conf.in
similarity index 82%
rename from examples/99-nfs-client.conf.in
rename to examples/99-network-fs-clients.conf.in
index 249ccf2..c475b35 100644
--- a/examples/99-nfs-client.conf.in
+++ b/examples/99-network-fs-clients.conf.in
@@ -1,4 +1,4 @@
-[service/nfs-client]
+[service/network-fs-clients]
 mechs = krb5
 cred_store = keytab:/etc/krb5.keytab
 cred_store = ccache:FILE:@gpclidir@/krb5cc_%U
@@ -8,4 +8,3 @@
 trusted = yes
 euid = 0
 min_lifetime = 60
- program = /usr/sbin/rpc.gssd

From 25b6c750d377d46d5b5b11cb754cadc1af46cce5 Mon Sep 17 00:00:00 2001
From: jacobshivers <93015798+jacobshivers@users.noreply.github.com>
Date: Mon, 25 Oct 2021 11:20:35 -0400
Subject: [PATCH 4/5] Delete 98-cifs-client.conf.in

File is no longer needed. 99-network-fs-clients.conf will work for both rpc.gssd and cifs.upcall.
---
 examples/98-cifs-client.conf.in | 11 -----------
 1 file changed, 11 deletions(-)
 delete mode 100644 examples/98-cifs-client.conf.in

diff --git a/examples/98-cifs-client.conf.in b/examples/98-cifs-client.conf.in
deleted file mode 100644
index 8d8e2c1..0000000
--- a/examples/98-cifs-client.conf.in
+++ /dev/null
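Review bot: Renaming the installed drop file from `99-nfs-client.conf` to `99-network-fs-clients.conf` (first hunk of patch 3) creates an upgrade hazard that neither the commit message nor the new docs/network_fs_clients.md covers: on a host where the old `/etc/gssproxy/99-nfs-client.conf` survives next to the new file, gssproxy sees two services on the default socket that both match on `euid = 0` and neither carries `program =`, which patch 1's own description says prevents gssproxy from starting. The commit message (or the docs file) should tell packagers and administrators to replace the old file rather than add the new one beside it, and whatever install list names the example file needs the matching rename, which is not visible in this series. Separately, dropping `program = /usr/sbin/rpc.gssd` in the second hunk means this `trusted = yes` / `allow_any_uid = yes` stanza is selected for any euid-0 client of the default socket, not just rpc.gssd and cifs.upcall; that was also the behaviour before patch 2, so it is not a regression, but the example should say so, for instance with a comment line above `[service/network-fs-clients]` such as `# Shared by rpc.gssd and cifs.upcall; any euid-0 client of the default socket matches this service. Add "program =" per service to restrict (see docs/network_fs_clients.md).`, assuming the examples' ini parser accepts `#` comments as the other examples do.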
@@ -1,11 +0,0 @@
-[service/cifs-client]
- mechs = krb5
- cred_store = keytab:/etc/krb5.keytab
- cred_store = ccache:FILE:@gpclidir@/krb5cc_%U
- cred_store = client_keytab:@gpclidir@/%U.keytab
- cred_usage = initiate
- allow_any_uid = yes
- trusted = yes
- euid = 0
- min_lifetime = 60
- program = /usr/sbin/cifs.upcall

From 690c4c437beb16df105ff7674d6cef13ddea7378 Mon Sep 17 00:00:00 2001
From: jacobshivers <93015798+jacobshivers@users.noreply.github.com>
Date: Mon, 25 Oct 2021 12:01:13 -0400
Subject: [PATCH 5/5] Create network_fs_clients.md

Described steps to have differentiated access methods for client side NFS and SMB if needed.
---
 docs/network_fs_clients.md | 40 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 docs/network_fs_clients.md

diff --git a/docs/network_fs_clients.md b/docs/network_fs_clients.md
new file mode 100644
index 0000000..e40aab5
--- /dev/null
+++ b/docs/network_fs_clients.md
@@ -0,0 +1,40 @@
+# Introduction
+
+Following changes to cifs.upcall, extending its functionality to leverage gssapi for ticket acquisition, 99-nfs-client.conf has been renamed to 99-network-fs-clients.conf. This allows the upcall programs for client side NFS and SMB, rpc.gssd and cifs.upcall, to leverage the same configuration file. However, there may be circumstances where having differentiated access for each remote filesystem is preferred or even necessary.
+
+## Creating configuration files
+
+If different behavior for client side NFS and SMB is needed:
+
+1) Remove /etc/gssproxy/99-network-fs-clients.conf
+
+2) Create configuration files for cifs-client and nfs-client services. The `program =` option **must** be included if both programs are going to access the default socket, `/var/lib/gssproxy/default.sock`
+
+~~~~
+# cat /etc/gssproxy/99-cifs-client.conf
+[service/cifs-client]
+ mechs = krb5
+ cred_store = keytab:/etc/krb5.keytab
+ cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
+ cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
+ cred_usage = initiate
+ allow_any_uid = yes
+ trusted = yes
+ euid = 0
+ program = /usr/sbin/cifs.upcall
+~~~~
+
+~~~~
+[service/nfs-client]
+ mechs = krb5
+ cred_store = keytab:/etc/krb5.keytab
+ cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
+ cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
+ cred_usage = initiate
+ allow_any_uid = yes
+ trusted = yes
+ euid = 0
+ program = /usr/sbin/rpc.gssd
+~~~~
+
+3) Customize the above files as needed. The existing docs/NFS.md file discusses Keytab based Client initiation as well as User Impersonation and Constrainted Delegation. Resource Base Constrained Delegation is also possible and requires no additional client side configuration changes as RBCD is a server side configuration change.