From: "J. Bruce Fields" <bfields@fieldses.org>
To: paul.szabo@sydney.edu.au
Cc: andros@netapp.com, linux-nfs@vger.kernel.org, neilb@suse.de
Subject: Re: Please support NSF squashing multiple groups
Date: Fri, 19 Aug 2011 19:45:34 -0400
Message-ID: <20110819234534.GC3589@fieldses.org>
In-Reply-To: <201108192235.p7JMZhqt006283@bari.maths.usyd.edu.au>
On Sat, Aug 20, 2011 at 08:35:43AM +1000, paul.szabo@sydney.edu.au wrote:
> Dear Andy,
>
> > Note that only AUTH_SYS sends GID and GID lists in the rpc_cred.
> > RPCSEC_GSS with Kerberos only sends the krb5 principal to the server.
> > The server looks up group membership via nsswitch - either /etc/groups
> > ...
>
> Can the server be set so as to ignore any AUTH_SYS sends, and accept
> RPCSEC_GSS only?

Add something like sec=krb5:krb5i:krb5p to all your exports.

> > idmapd only deals with groups when a SETATTR arrives with ACE who's that
> > are group names where it maps the groupname@domain to a gid, or a
> > GETATTR ACL request where it maps gid->groupname@domain
>
> Can the server be set so as to ignore any attempts from the client to
> set group memberships, but always set its own from /etc/group?

Use Kerberos, or run mountd with the --manage-gids option.

--b.
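
To check that an exports file actually follows the first suggestion in the reply above, the sketch below lists every export that still accepts AUTH_SYS; it is an added example, not code from the thread or from nfs-utils. The sample file content, paths and client names are constructed, the function names are hypothetical, and the parser assumes the plain `path client(options)` form (no quoted paths, no dash-prefixed default option lists).

```python
import re

# Constructed sample in /etc/exports syntax; paths and clients are made up.
SAMPLE_EXPORTS = r"""
# home directories: Kerberos only, as suggested in the reply
/export/home     *.example.org(rw,sec=krb5:krb5i:krb5p)
/export/scratch  192.0.2.0/24(rw,sync) \
                 *.example.org(rw,sec=sys:krb5)
/export/pub      (ro)
/export/mixed    *.example.org(sec=krb5p,rw,sec=sys,ro)
"""

SPEC_RE = re.compile(r"^([^()]*)(?:\((.*)\))?$")  # client(options)

def logical_lines(text):
    """Drop comments and join backslash-continued lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def flavors(options):
    """Flavors named by every sec= option; without one the default is sys."""
    found = []
    for opt in options.split(","):
        if opt.strip().startswith("sec="):
            found += opt.strip()[4:].split(":")
    return found or ["sys"]

def auth_sys_exports(text):
    """Return (path, client) pairs that still accept AUTH_SYS."""
    hits = []
    for line in logical_lines(text):
        path, *specs = line.split()
        for spec in specs or [""]:  # no client listed: exported to any host
            m = SPEC_RE.match(spec)
            if m is None:  # unbalanced parentheses: report for manual review
                hits.append((path, spec))
            elif "sys" in flavors(m.group(2) or ""):
                hits.append((path, m.group(1) or "<world>"))
    return hits

if __name__ == "__main__":
    for path, client in auth_sys_exports(SAMPLE_EXPORTS):
        print(f"AUTH_SYS still accepted: {path} -> {client}")
```

An export with no sec= option is reported because sys is the default flavor, and a later sec=sys in the same option list is reported even when a Kerberos flavor is listed first.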