From: "Brian J. Murrell" <brian-SquOHqY54CVWr29BmMi2cA@public.gmane.org>
To: linux-nfs@vger.kernel.org
Subject: Re: gssapi and nfs4
Date: Tue, 04 Nov 2008 13:53:17 -0500
Message-ID: <1225824797.2247.345.camel@brian-laptop>
In-Reply-To: <89c397150811041000l93b9831w1e8dce2175c6d51f-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

On Tue, 2008-11-04 at 13:00 -0500, William A. (Andy) Adamson wrote:
> Hi

Hello,

> In general, the instructions at the CITI web site will be useful.
>
> From http://www.citi.umich.edu/projects/nfsv4/linux/using-nfsv4.html:
>
> Mounting and exporting krb5
>
> To mount a filesystem using krb5, provide the "-osec=krb5" option to mount.

Indeed.

> To export a filesystem using krb5, add the export option "sec=krb5".
> (Note: if your kernel is older than 2.6.23, or nfs-utils older than
> 1.1.1, you will instead need to export to a special client named
> "gss/krb5".)

Ahhh. This, I did not know.

> So instead of using the old "gss/krb5" which indeed did replace the
> ip/netmasks list, you can now specify the use of gssapi with an export
> option, and still set ip/netmasks.

Cool. I think it's still useful to be able to provide some exports as
ro (i.e. forced ro by the server) to some machines (and rw to others)
even with gssapi, yes?

I did notice the bit of text about the single pseudo filesystem. Given
that on my server, I exported a number of filesystems, including / to
privileged (I'm in a very small and trusted environment) clients, it
seemed natural to just set / to fsid 0. I also exported the few other
exports I wanted some nfs4 clients to mount as such:

/ gss/krb5i(rw,insecure,sync,wdelay,no_subtree_check,no_root_squash,fsid=0,crossmnt,anonuid=65534,anongid=65534)
/home gss/krb5i(rw,no_root_squash,sync,subtree_check,anonuid=65534,anongid=65534)
/mnt/data gss/krb5i(rw,sync,subtree_check,crossmnt,anonuid=65534,anongid=65534)
/mnt/data/photos gss/krb5i(rw,sync,subtree_check,anonuid=65534,anongid=65534)

where those are all on different filesystems on the server. I'm
starting to feel like this is not how it's supposed to be done.

b.
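
An added example, not part of the original message and not code from nfs-utils: a small Python helper that rewrites a legacy "gss/krb5i" export entry into the form described in the quoted text, where sec= is an export option and each client keeps its own entry with rw or ro. The function name and the client addresses are assumptions made for illustration.

```python
import re

# Legacy form: the GSS flavor stands in for the client, e.g. gss/krb5i(rw,sync)
LEGACY = re.compile(r"^gss/(krb5[ip]?)\((.*)\)$")

def convert_export(line, clients):
    """Rewrite one legacy gss/<flavor> exports line to the sec=<flavor> form.

    clients maps a client spec (host or ip/netmask) to "rw" or "ro". The
    caller supplies it because the legacy line names no client at all.
    Comments, blank lines and lines without a gss/ entry come back unchanged.
    """
    fields = line.split()
    if len(fields) < 2 or fields[0].startswith("#"):
        return line
    path, entries = fields[0], fields[1:]
    if not any(LEGACY.match(e) for e in entries):
        return line
    out = []
    for entry in entries:
        m = LEGACY.match(entry)
        if not m:
            out.append(entry)  # already a normal client entry
            continue
        flavor = m.group(1)
        opts = [o for o in m.group(2).split(",") if o]
        legacy_rw = "rw" in opts  # exports default to ro when rw is absent
        rest = [o for o in opts if o not in ("rw", "ro")]
        for client, access in clients.items():
            # Never widen access: rw only if the legacy entry was rw too.
            mode = "rw" if legacy_rw and access == "rw" else "ro"
            out.append(f"{client}({','.join([mode, 'sec=' + flavor] + rest)})")
    return f"{path} {' '.join(out)}"

# Constructed input: one export line from the message, plus assumed clients
# (documentation address ranges, not taken from the thread).
SAMPLE = "/mnt/data/photos gss/krb5i(rw,sync,subtree_check,anonuid=65534,anongid=65534)"
CLIENTS = {"192.0.2.0/24": "rw", "198.51.100.7": "ro"}

if __name__ == "__main__":
    print(convert_export(SAMPLE, CLIENTS))
```

With the assumed clients, the single legacy entry becomes one rw entry for the network and one ro entry for the host, both restricted to krb5i.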