From: "bc Wong"
Subject: Re: [PATCH] nfs-utils: Handle authentication flavour order properly
Date: Fri, 7 Mar 2008 11:38:57 -0800
To: "Peter Staubach"
Cc: "Chuck Lever", trond.myklebust@fys.uio.no, linux-nfs@vger.kernel.org
In-Reply-To: <47D19336.9010903@redhat.com>
References: <629ABBF6-C368-44AC-B4B9-471296229325@oracle.com> <47D18983.4080507@redhat.com> <47D19336.9010903@redhat.com>

On Fri, Mar 7, 2008 at 11:10 AM, Peter Staubach wrote:
>
> bc Wong wrote:
> > On Fri, Mar 7, 2008 at 10:29 AM, Peter Staubach wrote:
> >
> >> Actually, NFS servers that support AUTH_NONE, map the uid and gid to the
> >> anonymous uid and gids for access to file systems which are exported
> >> AUTH_NONE. It doesn't seem to matter what authentication flavor that
> >> the client uses.
> >>
> >> ps
> >>
> >
> > Hi Peter,
> >
> > My concern is that a server supports both AUTH_SYS and AUTH_NONE,
> > where AUTH_SYS would give you the regular access, and AUTH_NONE
> > would give the anon access as you described, which is typically a
> > degraded read-only view. Therefore it's bad for the client to choose
> > AUTH_NONE in this case, especially since the server presents
> > AUTH_SYS *before* AUTH_NONE.
> >
> > I'll test more with AUTH_NONE on Solaris. Is there any specific setup
> > you'd like me to verify?
>
> Do you know of any client NFS implementations that can actually generate
> requests with AUTH_NONE as the authentication flavor? Which server
> implementation supports the mode that you described?

Hi Peter,

Linux does that. 2.6.22.

The reason I submitted this patch is that I ran into this bug. My server
advertises (AUTH_SYS, AUTH_NONE), with AUTH_NONE giving degraded access.
The older clients are ok, since mount.nfs enforces the AUTH_SYS default.
Then a new client (2.6.22) came in and I went scratching my head why it's
using AUTH_NONE.

Cheers,
bc

> As far as I know, all servers, which support exporting with AUTH_NONE,
> always map the incoming uid and gid(s) to the anonymous uid and gid when
> they process the request for a file system which is exported with AUTH_NONE.
> It doesn't seem to matter what the incoming authentication flavor was.
>
> Thanx...
>
> ps
>
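The order-respecting selection argued for in the message above, as an added example that is not part of the thread and is not nfs-utils code: it decodes the flavor list from a MOUNT v3 reply body (status, file handle, then `auth_flavors<>` in XDR) and returns the first entry, in the server's order, that the client supports. The name `pick_flavor`, the `NO_FLAVOR` sentinel and the sample reply bytes are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define AUTH_NONE 0u            /* ONC RPC flavor numbers */
#define AUTH_SYS  1u
#define NO_FLAVOR 0xFFFFFFFFu   /* sentinel used by this example only */

/* Constructed MOUNT v3 reply body: MNT3_OK, 4-byte file handle, flavors (AUTH_SYS, AUTH_NONE). */
static const uint8_t sample_reply[] = {
    0,0,0,0,  0,0,0,4,  0xde,0xad,0xbe,0xef,  0,0,0,2,  0,0,0,1,  0,0,0,0
};

/* Read one big-endian XDR unsigned int; 0 on success, -1 if the buffer is short. */
static int xdr_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *out)
{
    if (*off > len || len - *off < 4)
        return -1;
    *out = ((uint32_t)b[*off] << 24) | ((uint32_t)b[*off + 1] << 16) |
           ((uint32_t)b[*off + 2] << 8) | (uint32_t)b[*off + 3];
    *off += 4;
    return 0;
}

/* Return the first flavor, in the order the server sent them, that the client supports. */
uint32_t pick_flavor(const uint8_t *reply, size_t len, const uint32_t *sup, size_t nsup)
{
    size_t off = 0;
    uint32_t status, fhlen, count, flavor;

    if (xdr_u32(reply, len, &off, &status) || status != 0)  /* MNT3_OK == 0 */
        return NO_FLAVOR;
    if (xdr_u32(reply, len, &off, &fhlen) || fhlen > 64)    /* FHSIZE3 == 64 */
        return NO_FLAVOR;
    fhlen = (fhlen + 3) & ~3u;                              /* opaque data is padded to 4 bytes */
    if (len - off < fhlen)
        return NO_FLAVOR;
    off += fhlen;
    if (xdr_u32(reply, len, &off, &count))
        return NO_FLAVOR;
    while (count--) {
        if (xdr_u32(reply, len, &off, &flavor))
            return NO_FLAVOR;                               /* truncated flavor list */
        for (size_t i = 0; i < nsup; i++)
            if (sup[i] == flavor)
                return flavor;
    }
    return NO_FLAVOR;
}
```

The order of the client's own `sup` array does not influence the result; only the server's ordering does, so a client that supports both flavors lands on AUTH_SYS for this reply.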