RE: NFSv4 security negotiation issue

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Frank Filz" <ffilzlnx@mindspring.com>
To: "'Chuck Lever'" <chuck.lever@oracle.com>,
	"'Linux NFS Mailing List'" <linux-nfs@vger.kernel.org>
Subject: RE: NFSv4 security negotiation issue
Date: Tue, 15 Sep 2015 09:33:26 -0700	[thread overview]
Message-ID: <019501d0efd4$401f4240$c05dc6c0$@mindspring.com> (raw)
In-Reply-To: <7A550B5E-9EAB-4431-BBBA-1C77EE86539F@oracle.com>

> We've found an unexpected behavior with mount security negotiation in the
> current Linux NFS client.
> 
> Given two real shares on an NFS server: one is a sys-only share, and the
> other is a krb5-only share. When we try to mount the sys-only share
without
> specifying a sec= option, it fails. Specifying sec=sys is successful.
> 
> What is seen on the wire:
> 
> 1. The client attempts to access the pseudofs, and negotiates
> krb5
> 
> 2. The client walks down the pseudofs namespace to the sys-only share
> 
> 3. The client attempts to access the sys-only share with krb5 and gets
> WRONGSEC
> 
> 4. The client negotiates sys, and continues setting up the mount
> 
> 5. nfs_fs_mount_common() invokes nfs_get_root(), but it uses the
> pseudofs superblock, so it does a GETATTR on the share's root directory
with
> krb5, and that fails
> 
> At this point the client gives up, and the mount attempt fails.
> 
> We could alter the server to allow a GETATTR with the same flavor as the
> underlying directory. But seems like the problem is on the client: it
should
> use the negotiated flavor that is appropriate to the share, not the flavor
> appropriate for the pseudofs.
> 
> Any thoughts?

Hmm, I thought maybe this was a scenario I had not tested, but I think I'm
misunderstanding the sequence. Could you summarize the ops and response for
each COMPOUND request?

I don't think the server should have to do anything special here.

Frank



---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

next prev parent reply	other threads:[~2015-09-15 16:33 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-09-15 15:52 NFSv4 security negotiation issue Chuck Lever
2015-09-15 16:33 ` Frank Filz [this message]
2015-09-15 17:15   ` Chuck Lever
2015-09-15 17:41     ` Frank Filz
2015-09-15 18:17       ` Chuck Lever
2015-09-15 18:45         ` Frank Filz
2015-09-15 19:11           ` Chuck Lever
2015-09-15 20:28             ` Frank Filz
2015-09-15 20:36               ` Chuck Lever

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='019501d0efd4$401f4240$c05dc6c0$@mindspring.com' \
    --to=ffilzlnx@mindspring.com \
    --cc=chuck.lever@oracle.com \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.