Re: [PATCH] nfs-utils: Handle authentication flavour order properly

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Peter Staubach <staubach@redhat.com>
To: bc Wong <bcwalrus@gmail.com>
Cc: Chuck Lever <chuck.lever@oracle.com>,
	trond.myklebust@fys.uio.no, linux-nfs@vger.kernel.org
Subject: Re: [PATCH] nfs-utils: Handle authentication flavour order properly
Date: Fri, 07 Mar 2008 15:28:15 -0500	[thread overview]
Message-ID: <47D1A55F.5030200@redhat.com> (raw)
In-Reply-To: <f88853200803071138n58d16ca6t4f4410d587141141-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

bc Wong wrote:
> On Fri, Mar 7, 2008 at 11:10 AM, Peter Staubach <staubach@redhat.com> wrote:
>   
>> bc Wong wrote:
>>  > On Fri, Mar 7, 2008 at 10:29 AM, Peter Staubach <staubach@redhat.com> wrote:
>>  >
>>  >>  Actually, NFS servers that support AUTH_NONE, map the uid and gid to the
>>  >>  anonymous uid and gids for access to file systems which are exported
>>  >>  AUTH_NONE.  It doesn't seem to matter what authentication flavor that
>>  >>  the client uses.
>>  >>
>>  >>        ps
>>  >>
>>  >
>>  > Hi Peter,
>>  >
>>  > My concern is that a server supports both AUTH_SYS and AUTH_NONE,
>>  > where AUTH_SYS would give you the regular access, and AUTH_NONE
>>  > would give the anon access as you described, which is typically a
>>  > degraded read-only view. Therefore it's bad for the client to choose
>>  > AUTH_NONE in this case, especially since the server presents
>>  > AUTH_SYS *before* AUTH_NONE.
>>  >
>>  > I'll test more with AUTH_NONE on Solaris. Is there any specific setup
>>  > you'd like me to verify?
>>
>>  Do you know of any client NFS implementations that can actually generate
>>  requests with AUTH_NONE as the authentication flavor?  Which server
>>  implementation supports the mode that you described?
>>     
>
> Hi Peter,
>
> Linux does that. 2.6.22. The reason I submitted this patch is that I ran
> into this bug. My server advertises (AUTH_SYS, AUTH_NONE), with
> AUTH_NONE giving degraded access. The older clients are ok, since
> mount.nfs enforces the AUTH_SYS default. Then a new client (2.6.22)
> came in and I went scratching my head why it's using AUTH_NONE.
>
>   

Well, so it does.  Sorry, when that patch was developed, the client 
would not
generate an AUTH_NONE request and could not handle servers which 
exported using
only AUTH_NONE.

It would be good to ensure that they continue to work.

    Thanx...

       ps

> Cheers,
> bc
>
>   
>>  As far as I know, all servers, which support exporting with AUTH_NONE,
>>  always map the incoming uid and gid(s) to the anonymous uid and gid when
>>  they process the request for a file system which is exported with AUTH_NONE.
>>  It doesn't seem to matter what the incoming authentication flavor was.
>>
>>     Thanx...
>>
>>        ps
>>
>>

next prev parent reply	other threads:[~2008-03-07 20:28 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-03-07  3:08 [PATCH] nfs-utils: Handle authentication flavour order properly bc Wong
     [not found] ` <f88853200803061908y497164bdpdff7b9109567d8c0-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-03-07 16:16   ` Chuck Lever
2008-03-07 18:11     ` bc Wong
     [not found]       ` <f88853200803071011j3a70b0abka9142396d3275b10-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-03-07 18:27         ` Peter Staubach
2008-03-07 18:29         ` Peter Staubach
2008-03-07 18:59           ` bc Wong
     [not found]             ` <f88853200803071059yf523114wcabb12fdeee7b8d6-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-03-07 19:10               ` Peter Staubach
2008-03-07 19:38                 ` bc Wong
     [not found]                   ` <f88853200803071138n58d16ca6t4f4410d587141141-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-03-07 20:28                     ` Peter Staubach [this message]
2008-03-11 19:28                       ` bc Wong

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=47D1A55F.5030200@redhat.com \
    --to=staubach@redhat.com \
    --cc=bcwalrus@gmail.com \
    --cc=chuck.lever@oracle.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=trond.myklebust@fys.uio.no \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.