From: Steve Dickson <SteveD@redhat.com>
To: Weston Andros Adamson <dros@netapp.com>
Cc: Jeff Layton <jlayton@redhat.com>,
Chuck Lever <chuck.lever@oracle.com>,
"Myklebust, Trond" <Trond.Myklebust@netapp.com>,
linux-nfs list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Adding the nfs4_use_min_auth module parameter
Date: Fri, 08 Nov 2013 11:38:10 -0500 [thread overview]
Message-ID: <527D1372.20001@RedHat.com> (raw)
In-Reply-To: <10EF251E-CE2B-4761-BBE9-CAFF253610D7@netapp.com>
On 08/11/13 11:27, Weston Andros Adamson wrote:
>
> On Nov 8, 2013, at 10:00 AM, Steve Dickson <SteveD@redhat.com> wrote:
>
>> What server makes krb5i available today in state setup and pseudoroot lookups?
>
> Linux nfsd, among others…
>
> The real issue I see here is what Trond was mentioning earlier - the order of multiple mounts of the same server matters, i.e.:
>
> 1) mount sec=krb5i server:/foo /mnt1
> 2) mount sec=sys server:/foo /mnt2
>
> This leads to the state operations to server using krb5i, but:
>
> 1) mount sec=sys server:/foo /mnt2
> 2) mount sec=krb5i server:/foo /mnt1
>
> this leads to the state operations to server using AUTH_SYS. yuck.
>
> I don’t think we can just upgrade the state connection from AUTH_SYS to krb5i
> when this happens, that is why we try krb5i first, then fall back to AUTH_SYS.
Excellent explanation! Thanks you! But... ;-) This assumes the admin is
actually trying to krb5i which means he/she has set up a functioning
Kerberos environment. But we can't assume every client has a valid
Kerberos environment, which is what the code is doing today!
steved.
next prev parent reply other threads:[~2013-11-08 16:37 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-07 19:09 [PATCH] Adding the nfs4_use_min_auth module parameter Steve Dickson
2013-11-07 19:25 ` Chuck Lever
2013-11-07 21:01 ` Jeff Layton
2013-11-07 21:40 ` Steve Dickson
2013-11-07 22:04 ` Jeff Layton
2013-11-07 21:35 ` Steve Dickson
2013-11-07 23:05 ` Chuck Lever
2013-11-08 12:41 ` Steve Dickson
2013-11-08 13:22 ` Jeff Layton
2013-11-08 15:00 ` Steve Dickson
2013-11-08 15:12 ` Jeff Layton
2013-11-08 16:10 ` Steve Dickson
2013-11-08 16:17 ` J. Bruce Fields
2013-11-08 16:19 ` Steve Dickson
2013-11-08 16:22 ` J. Bruce Fields
2013-11-08 16:28 ` Steve Dickson
2013-11-08 16:39 ` J. Bruce Fields
2013-11-08 16:45 ` Steve Dickson
2013-11-08 18:12 ` Chuck Lever
2013-11-08 18:09 ` Chuck Lever
2013-11-08 20:14 ` J. Bruce Fields
2013-11-08 20:32 ` Steve Dickson
2013-11-09 2:04 ` NeilBrown
2013-11-08 16:27 ` Weston Andros Adamson
2013-11-08 16:38 ` Steve Dickson [this message]
2013-11-08 15:04 ` J. Bruce Fields
2013-11-08 15:54 ` Chuck Lever
2013-11-08 16:14 ` J. Bruce Fields
2013-11-08 17:58 ` Chuck Lever
2013-11-08 18:46 ` Chuck Lever
2013-11-08 21:09 ` J. Bruce Fields
2013-11-08 16:17 ` Steve Dickson
2013-11-08 15:46 ` Chuck Lever
2013-11-08 21:25 ` Steve Dickson
2013-11-07 19:26 ` Myklebust, Trond
2013-11-07 21:25 ` Steve Dickson
2013-11-07 21:39 ` Myklebust, Trond
2013-11-07 21:57 ` Steve Dickson
2013-11-07 22:29 ` Myklebust, Trond
2013-11-08 12:21 ` Steve Dickson
2013-11-08 14:30 ` Myklebust, Trond
2013-11-08 15:08 ` Steve Dickson
2013-11-08 15:16 ` Myklebust, Trond
2013-11-08 16:31 ` Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=527D1372.20001@RedHat.com \
--to=steved@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=chuck.lever@oracle.com \
--cc=dros@netapp.com \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.