| field | value | date |
|---|---|---|
| author | Rick Macklem <rmacklem@FreeBSD.org> | 2026-05-02 19:36:00 +0000 |
| committer | Rick Macklem <rmacklem@FreeBSD.org> | 2026-05-02 19:36:00 +0000 |
| commit | a6e527f893df2cbbd941839a93e50ae39ac0db55 | |
| tree | a9b69d344498a33892713e9a1e7c0a7370b4a519 /doc/html/appdev/(developers-only) | |
| parent | 72b1aae09bf0bcc01c76df757699e27ad7cf7ecc | |

Without this patch, all upcalls to the gssd daemon are
done in vnet0 (outside of any vnet jail). This does
not work well, because a user principal's credential
cache can be within the jail (/tmp/krb5cc_NNN in the
jail's namespace).

This patch modifies the client so that RPCs done
from within vnet jails do an upcall to a gssd
daemon running within the vnet jail. It required
that the cache of uid->credential shorthands in
the rpcsec_gss be vnet'd.

The situation is still less than ideal and sec=krb5[ip]
mounts that are visible within vnet jails are still
not something I would recommend, but it can work ok
with this patch.

Vnet'ing the NFS client so that mounts can be done
within vnet jails is probably more useful, but that
will require additional work.

Discussed with: glebius
MFC after: 1 month

Diffstat (limited to 'doc/html/appdev/(developers-only)')
0 files changed, 0 insertions, 0 deletions
