Re: NFSv2/3 requiring RPC_AUTH_GSS

["J. Bruce Fields" <bfields@fieldses.org>]

On Fri, Mar 04, 2005 at 11:03:39AM -0800, Trond Myklebust wrote:
> to den 03.03.2005 Klokka 17:54 (-0500) skreiv Benjamin Bennett:
> >   v4 exports using gss/krb5 work from both FC2 and Solaris 10 clients.
> > However, for Solaris 8 I'm using v3 with gss/krb5.
> > 
> >   The problem I've run into with this, is that in order for the v3
> > client to mount (even using gss), it must be given sys/unix access too.
> > That pretty much rules out the nice sleep I could have gotten with all
> > clients using gss since they could just remount with auth_unix at will.
> 
> Could you expand a bit on this? Is the problem that knfsd is failing to
> adhere to RFC2623?
> The latter says that the NFS server is supposed to accept AUTH_SYS as
> being valid for fsinfo(nfsv3) or fsstat+getattr(nfsv2) on the mount
> point. Is knfsd doing this?

No.

The immediate problem, though, is probably just that mountd isn't
reporting the security flavours correctly.  This shouldn't be too hard
to fix for someone with the time and inclination.

(See
http://www.citi.umich.edu/projects/nfsv4/linux/nfs-utils-patches/1.0.7-1/nfs-utils-1.0.7-06-mountd_flavors.dif
for a hack that just always returns all the krb5 flavors in the mount
reply.  All we need to do here is check the export table to figure out
which to report, and then we'll have a patch worth actually adding to
nfs-utils.)

--b.


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs