From: Quentin Godfroy <godfroy-7pss2ddYZfWsyDt4atOG6g@public.gmane.org>
To: linux-nfs@vger.kernel.org
Cc: Michael Guntsche <mike-Z92qn3yYq0hWk0Htik3J/w@public.gmane.org>
Subject: Re: NFS3+KRB5 question
Date: Tue, 1 Apr 2008 15:18:26 +0200
Message-ID: <20080401131826.GA19598@goelette.ens.fr>
In-Reply-To: <20080401123643.GA18475-Gn1em/8t8udFYcqGaMRPHA@public.gmane.org>

On Tue, Apr 01, 2008 at 02:36:44PM +0200, Quentin Godfroy wrote:
> AFAICS I experience the same behavior[#]. While mounting a fs with
> sec=krb5i:krb5p,rw,sec=sys,ro works, disabling the sec=sys option returns an
> EACCES to the mount syscall (for binary mount as well as text based mount).
> And of course the rest is working correctly, I indeed have write enabled if
> with krb5i.
>
> Looks like the client does a FSINFO call with AUTH_UNIX credentials instead
> of using machine credentials, which is rejected by the server.

By the way, I would like to know why this call is rejected at the NFS
layer with an NFS3ERR_ACCES instead of being rejected at the RPC layer with
AUTH_TOOWEAK in a rejected_reply struct? I would rather expect an
NFS3ERR_ACCES when the filehandle is outside an export (with
subtree_checking enabled) or when the client is not in the list of exported
filesystems.

Maybe the answer is that the RPC layer has large parts of it which are
inadequate for current needs and that either the server does not answer at
all (and closes the underlying connection) or returns accepted_reply structures
with SUCCESS and delegates error management to the upper level.
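
The two reply shapes contrasted in this message, decoded side by side, as an added example that is not part of the original post or of any NFS implementation. It assumes the RPC message has already been stripped of its TCP record mark; the function name `classify_reply` and the sample byte strings are constructed for illustration, with constant values taken from RFC 5531 and RFC 1813.

```python
import struct

# Constants from RFC 5531 (ONC RPC) and RFC 1813 (NFSv3).
REPLY, MSG_ACCEPTED, MSG_DENIED = 1, 0, 1
RPC_MISMATCH, AUTH_ERROR = 0, 1
AUTH_STAT = {1: "AUTH_BADCRED", 2: "AUTH_REJECTEDCRED", 3: "AUTH_BADVERF",
             4: "AUTH_REJECTEDVERF", 5: "AUTH_TOOWEAK"}
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}
NFSSTAT3 = {0: "NFS3_OK", 1: "NFS3ERR_PERM", 13: "NFS3ERR_ACCES",
            70: "NFS3ERR_STALE"}


def classify_reply(msg: bytes):
    """Return (layer, status): which layer reported the outcome of a call."""
    def u32(off):
        if off + 4 > len(msg):
            raise ValueError("truncated RPC reply")
        return struct.unpack_from(">I", msg, off)[0]

    if u32(4) != REPLY:
        raise ValueError("not an RPC reply")
    reply_stat = u32(8)
    if reply_stat == MSG_DENIED:
        # rejected_reply: reject_stat, then auth_stat for AUTH_ERROR.
        if u32(12) == AUTH_ERROR:
            code = u32(16)
            return ("rpc-denied", AUTH_STAT.get(code, f"auth_stat {code}"))
        return ("rpc-denied", "RPC_MISMATCH")
    if reply_stat != MSG_ACCEPTED:
        raise ValueError("unknown reply_stat")
    # accepted_reply: opaque_auth verifier (flavor, length, padded body) first.
    off = 20 + ((u32(16) + 3) & ~3)
    accept = u32(off)
    if accept != 0:
        return ("rpc-accepted", ACCEPT_STAT.get(accept, f"accept_stat {accept}"))
    # SUCCESS at the RPC layer: every NFSv3 result begins with an nfsstat3.
    status = u32(off + 4)
    return ("nfs", NFSSTAT3.get(status, f"nfsstat3 {status}"))


# Constructed sample replies (xid 0x1234, AUTH_NONE verifier), not captured traffic.
DENIED_TOOWEAK = struct.pack(">5I", 0x1234, REPLY, MSG_DENIED, AUTH_ERROR, 5)
# FSINFO3resfail: status NFS3ERR_ACCES, post_op_attr with attributes_follow = FALSE.
ACCEPTED_ACCES = struct.pack(">8I", 0x1234, REPLY, MSG_ACCEPTED, 0, 0, 0, 13, 0)

if __name__ == "__main__":
    print(classify_reply(DENIED_TOOWEAK))
    print(classify_reply(ACCEPTED_ACCES))
```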