
rpcsec_gss
----------

this is the userland RPCSEC_GSS code from the University of Michigan
CITI NFSv4 project. it is alpha-quality code, with several known bugs,
and undoubtedly many more still lurking. caveat user.

you will need a GSS-capable Kerberos v5 installation to build against,
preferably MIT krb5, although KTH heimdal works as well for building
(running with it is a different story, see below).

	http://web.mit.edu/kerberos/www/
	http://www.pdc.kth.se/heimdal/

built and tested on OpenBSD and Linux. for best results, build against
MIT krb5 on OpenBSD (my development environment).

what's here:

rpc
	RPCSEC_GSS-capable RPC library, based on the OpenBSD librpc,
	based on the Sun rpcsrc_4_0 release. implements the full
	RPCSEC_GSS (RFC 2203) specification.

gssd
	userland daemon for the Linux krpc RPCSEC_GSS implementation.
	this is definitely a work in progress, as the kernel RPC is
	still incomplete.

rpcsec-tests
	RPCSEC_GSS test suite from Sun Connectathon 2000, ported to
	use our RPCSEC_GSS implementation.
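
added example, not part of the CITI code: a bounds-checked decoder for the RFC 2203 credential body that any RPCSEC_GSS server has to parse on each call, including the service field (none, integrity, privacy) that the known bugs below refer to. struct gss_cred, decode_gss_cred() and the sample bytes are made up for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* constants from RFC 2203 (RPCSEC_GSS) and RFC 5531 (opaque_auth body limit) */
#define RPCSEC_GSS_VERS_1 1u
#define MAXSEQ            0x80000000u
#define MAX_AUTH_BYTES    400u
enum gss_proc { GSS_DATA = 0, GSS_INIT = 1, GSS_CONTINUE_INIT = 2, GSS_DESTROY = 3 };
enum gss_svc  { SVC_NONE = 1, SVC_INTEGRITY = 2, SVC_PRIVACY = 3 };

/* hypothetical type for this example; not the library's own structure */
struct gss_cred {
    uint32_t proc, seq, svc, handle_len;
    const uint8_t *handle;              /* points into the caller's buffer */
};

/* constructed sample: version 1, DATA, seq 7, integrity, 4-byte handle */
static const uint8_t sample_cred[] = {
    0,0,0,1, 0,0,0,0, 0,0,0,7, 0,0,0,2, 0,0,0,4, 0xde,0xad,0xbe,0xef
};

/* read one big-endian XDR word and advance *off; returns 0 on short input */
static int get_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *out)
{
    if (len < 4 || *off > len - 4) return 0;
    const uint8_t *p = b + *off;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    *off += 4;
    return 1;
}

/* decode an RPCSEC_GSS credential body; 0 on success, -1 if malformed */
int decode_gss_cred(const uint8_t *b, size_t len, struct gss_cred *c)
{
    size_t off = 0, left;
    uint32_t vers;

    if (len > MAX_AUTH_BYTES) return -1;
    if (!get_u32(b, len, &off, &vers) || vers != RPCSEC_GSS_VERS_1) return -1;
    if (!get_u32(b, len, &off, &c->proc) || c->proc > GSS_DESTROY) return -1;
    if (!get_u32(b, len, &off, &c->seq) || !get_u32(b, len, &off, &c->svc)) return -1;
    if (!get_u32(b, len, &off, &c->handle_len)) return -1;
    /* seq_num and service only carry meaning once a context exists */
    if ((c->proc == GSS_DATA || c->proc == GSS_DESTROY) &&
        (c->seq > MAXSEQ || c->svc < SVC_NONE || c->svc > SVC_PRIVACY)) return -1;
    left = len - off;
    /* opaque<> is padded to 4 bytes; it must fill the rest of the body exactly */
    if (c->handle_len > left || (((size_t)c->handle_len + 3) & ~(size_t)3) != left) return -1;
    c->handle = b + off;
    return 0;
}
```

the handle is returned as a pointer into the input buffer, so the caller has to look up its context before that buffer is reused.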

known bugs:

- RPCSEC_GSS over TCP does not work - at least, RPCSEC_GSS integrity
  and privacy services do not, probably due to the brokenness of
  xdrrec_getpos() (which i broke even more to get RPCSEC_GSS_SVC_NONE
  working).

- credential refresh and expiry are untested. heimdal seems to let
  gss_init_sec_context() succeed even with expired tickets.

- gss_verify_mic() in authgss_validate() always breaks in heimdal,
  so only the RPCSEC_GSS context creation works - no data transfer, or
  context destruction. works just fine with MIT krb5, go figure.

- on Linux, the rpcsec-tests 'loop' test seems to tickle some bug in
  glibc calloc, called in _svcauth_gss(). works just fine on OpenBSD.

the latest version of this code can be found at our project homepage:

	http://www.citi.umich.edu/projects/nfsv4/

please send any bug reports, questions, or comments to:

	nfsv4-wg@citi.umich.edu
-d.

---
http://www.monkey.org/~dugsong/
