From: "Brian J. Murrell" <brian-SquOHqY54CVWr29BmMi2cA@public.gmane.org>
To: linux-nfs@vger.kernel.org
Subject: Re: gssapi and nfs4
Date: Wed, 05 Nov 2008 14:18:54 -0500
Message-ID: <1225912734.3785.40.camel@pc.interlinx.bc.ca>
In-Reply-To: <20081105190235.GA969@fieldses.org>

On Wed, 2008-11-05 at 14:02 -0500, J. Bruce Fields wrote:

> Unfortunately that last option's the only practical approach right now.

Other than exporting / of course.

> We're working to simplify this.

Great.

> If you want to.  If you want to just mount the whole of / at one point
> in the client filesystem, you can also do that, and the client will
> automatically mount the filesystems underneath as it traverses into
> them.

That is cool.
 
> > /	10.75.22.0/24(sec=krb5,ro,insecure,sync,wdelay,no_subtree_check,root_squash,fsid=0,crossmnt)
> > /home   10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
> > /d      10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check,crossmnt)
> > /d/sub  pc(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
> > 
> > and on the client:
> > 
> > pc # mount -t nfs4 -o sec=krb5 server:/ /mnt/server
> > pc # mount -t nfs4 -o sec=krb5 server:/home /mnt/server/home
> > pc # mount -t nfs4 -o sec=krb5 server:/d /d
> > pc # mount -t nfs4 -o sec=krb5 server:/d/sub /d/sub
> > 
> > To have /home rw under /mnt/server.  It would be there but ro without
> > the second mount, yes?
> > 
> > It also appears that for the above case of /d and /d/sub I need the
> > crossmnt option on /d or I don't see anything in /d/sub even though I've
> > exported and mounted it individually.  Does this seem like the expected
> > behaviour or a bug?
> 
> That's expected.

But causes a problem as below...

> > It's important to be able to do because I might
> > want to be able to export /d to certain hosts without giving them access
> > to mountpoints within /d as I have done above with /d/sub and pc.  If I
> > use crossmnt which my experience is showing I need, then /d/sub is
> > exposed to all of 10.75.22.0/24 which is not what I want.
> 
> If you add a separate export for /d/sub, I think it should override that
> behavior.

That's what I did and still, I have to use crossmnt on /d and that
exposes /d/sub to everyone who gets access to /d where my intention
is to only expose /d/sub to the match/limit I put on /d/sub, which is
the single host "pc" in my above scenario.

Let me thank you for all of your great answers.

b.
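
As an added example (not part of the original message or of nfs-utils), a small Python check that reads exports(5)-style lines and lists every explicitly exported path sitting below a crossmnt export whose client specification the child does not itself list, which is the /d and /d/sub arrangement described above. It assumes each child path is a separate filesystem, compares client strings textually (no netmask or hostname resolution), and reports cases to review rather than proving what the server will serve.

```python
import re

# Export lines as posted in the message above, used here as sample input.
EXPORTS = """\
/       10.75.22.0/24(sec=krb5,ro,insecure,sync,wdelay,no_subtree_check,root_squash,fsid=0,crossmnt)
/home   10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
/d      10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check,crossmnt)
/d/sub  pc(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
"""

CLIENT_RE = re.compile(r"([^\s()]+)\(([^)]*)\)")  # client(opt,opt,...)

def parse_exports(text):
    """Return {path: {client: set(options)}} for simple exports(5) lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:          # blank, comment-only, or no client list
            continue
        path = parts[0].rstrip("/") or "/"
        for client, opts in CLIENT_RE.findall(parts[1]):
            table.setdefault(path, {})[client] = set(opts.split(","))
    return table

def is_under(child, parent):
    """True when child is a strict descendant path of parent."""
    return child != parent and (parent == "/" or child.startswith(parent + "/"))

def crossmnt_review(table):
    """List (parent, parent_client, child) where a crossmnt export sits above
    an explicit child export that does not name the same client string."""
    findings = []
    for parent, clients in table.items():
        for client, opts in clients.items():
            if "crossmnt" not in opts:
                continue
            for child, child_clients in table.items():
                if is_under(child, parent) and client not in child_clients:
                    findings.append((parent, client, child))
    return sorted(findings)

if __name__ == "__main__":
    for parent, client, child in crossmnt_review(parse_exports(EXPORTS)):
        print(f"review: {child} lies under crossmnt export {parent} for {client}")
```
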

