From: "Holger Hoffstätte" <holger.hoffstaette@googlemail.com>
To: linux-nfs@vger.kernel.org
Subject: Re: Strange "SECINFO: security flavor .." messages
Date: Fri, 8 Apr 2016 19:04:51 +0000 (UTC)
Message-ID: <pan$3f049$c5b0e40$570dbaa6$1e5a0be2@googlemail.com>
In-Reply-To: 20160408184111.GB25179@fieldses.org

On Fri, 08 Apr 2016 14:41:11 -0400, J. Bruce Fields wrote:
> On Thu, Apr 07, 2016 at 10:38:55PM +0000, Holger Hoffstätte wrote:
>> Hi,
>>
>> After restarting my server and a client re-automounts, I see the
>> following in the server's dmesg:
>>
>> [ 706.454187] NFS: SECINFO: security flavor 390003 is not supported
>> [ 706.454621] NFS: SECINFO: security flavor 390004 is not supported
>> [ 706.455057] NFS: SECINFO: security flavor 390005 is not supported
>>
>> I've been completely unsuccessful in trying to discern what these
>> mean and how I can get rid of them; they don't seem to be harmful
>> since everything else works just fine, and has done so for years.
>> I think this started with NFS 4.2 not too long ago, but don't remember
>> for certain. The server exports several mounts, ext4 and xfs.
>> Clients use only NFS v4 via automount. All on 4.4.6.
>
> What does "exportfs -v" say?

The same for every export (please hold your nose ;), e.g.

/home/holger 192.168.100.0/24(rw,async,wdelay,insecure,no_root_squash,no_subtree_check,sec=sys,rw,insecure,no_root_squash,no_all_squash)
..etc..

Apparently I specify redundant (default) options for the exports, but
whatever.

> What about "cat /proc/net/rpc/nfsd.export/content" right after the
> client's mount/remount?

Right now:

$cat /proc/net/rpc/nfsd.export/content
#path domain(flags)
/home/holger 192.168.100.0/24(rw,insecure,no_root_squash,async,wdelay,no_subtree_check,uuid=deeff5a9:4d0144ae:9b74badc:38c506cb,sec=1)

> From a quick glance at the code--I think that means the server believes
> that the given export is meant to be available using the krb5 flavors
> (krb5, krb5i, krb5p), but that the kernel doesn't support that flavor.

Interesting! Indeed, the increasing number looks like an attempt
at protocol negotiation - I just didn't associate that with krb.
I have built nfs-utils on both server and client without kerberos
support, maybe I should enable that? I'd rather not without a good
reason, though.

> If that's because you've got something like "sec=sys:krb5:krb5i:krb5p"
> set on that export, then that's a little odd and I think worth warning
> about--you've asked the kernel to do something it can't do.

Nothing of the sort. Security is no issue at all since I'm the only user
here.

thanks,
Holger
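
Added example, not part of the thread: a small Python check that cross-references the flavor numbers in the SECINFO messages with the `sec=` values in `/proc/net/rpc/nfsd.export/content`. The number-to-name table (1 = sys, 390003 to 390005 = krb5, krb5i, krb5p per RFC 2623) and the colon-separated form of a multi-flavor `sec=` value are assumptions of this example; the function names are hypothetical.

```python
import re

# Pseudoflavor numbers: AUTH_SYS plus the Kerberos 5 RPCSEC_GSS ones (RFC 2623).
FLAVORS = {1: "sys", 390003: "krb5", 390004: "krb5i", 390005: "krb5p"}
SECINFO_RE = re.compile(r"NFS: SECINFO: security flavor (\d+) is not supported")
EXPORT_RE = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)$")
# Sample input copied from the message above.
DMESG = """\
[ 706.454187] NFS: SECINFO: security flavor 390003 is not supported
[ 706.454621] NFS: SECINFO: security flavor 390004 is not supported
[ 706.455057] NFS: SECINFO: security flavor 390005 is not supported
"""
CONTENT = """\
#path domain(flags)
/home/holger 192.168.100.0/24(rw,insecure,no_root_squash,async,wdelay,no_subtree_check,uuid=deeff5a9:4d0144ae:9b74badc:38c506cb,sec=1)
"""

def unsupported_flavors(dmesg_text):
    """Return the flavor numbers named in SECINFO 'not supported' messages."""
    return sorted({int(n) for n in SECINFO_RE.findall(dmesg_text)})

def export_flavors(content_text):
    """Map (path, client) to the flavor numbers in that export's sec= options."""
    exports = {}
    for line in content_text.splitlines():
        line = line.strip()
        m = EXPORT_RE.match(line)
        if line.startswith("#") or not m:
            continue
        secs = []
        for opt in m.group(3).split(","):
            if opt.startswith("sec="):
                # Assumption: several flavors are colon-separated, e.g. sec=390003:1
                secs += [int(n) for n in opt[4:].split(":") if n.isdigit()]
        exports[(m.group(1), m.group(2))] = secs
    return exports

def report(dmesg_text, content_text):
    """For each logged flavor: (number, name, paths of exports that offer it)."""
    exports = export_flavors(content_text)
    rows = []
    for num in unsupported_flavors(dmesg_text):
        offered = [path for (path, _), secs in exports.items() if num in secs]
        rows.append((num, FLAVORS.get(num, "unknown"), offered))
    return rows

if __name__ == "__main__":
    for num, name, offered in report(DMESG, CONTENT):
        print(num, name, "offered by:", offered or "no export")
```

On the data from this message every logged flavor comes back with an empty export list, matching the `sec=1` shown in the export table.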