From: "Brian J. Murrell"
Subject: Re: gssapi and nfs4
Date: Tue, 04 Nov 2008 13:53:17 -0500
Message-ID: <1225824797.2247.345.camel@brian-laptop>
References: <1225813410.2247.279.camel@brian-laptop> <89c397150811041000l93b9831w1e8dce2175c6d51f@mail.gmail.com>
In-Reply-To: <89c397150811041000l93b9831w1e8dce2175c6d51f-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
To: linux-nfs@vger.kernel.org

On Tue, 2008-11-04 at 13:00 -0500, William A. (Andy) Adamson wrote:
> Hi

Hello,

> In general, the instructions at the CITI web site will be useful.
>
> From http://www.citi.umich.edu/projects/nfsv4/linux/using-nfsv4.html:
>
> Mounting and exporting krb5
>
> To mount a filesystem using krb5, provide the "-osec=krb5" option to mount.

Indeed.

> To export a filesystem using krb5, add the export option "sec=krb5".
> (Note: if your kernel is older than 2.6.23, or nfs-utils older than
> 1.1.1, you will instead need to export to a special client named
> "gss/krb5".)

Ahhh. This, I did not know.

> So instead of using the old "gss/krb5" which indeed did replace the
> ip/netmasks list, you can now specify the use of gssapi with an export
> option, and still set ip/netmasks.

Cool. I think it's still useful to be able to provide some exports as ro (i.e. forced ro by the server) to some machines (and rw to others) even with gssapi, yes?

I did notice the bit of text about the single pseudo filesystem. Given that on my server I exported a number of filesystems, including / to privileged (I'm in a very small and trusted environment) clients, it seemed natural to just set / to fsid 0. I also exported the few other exports I wanted some nfs4 clients to mount as such:

/ gss/krb5i(rw,insecure,sync,wdelay,no_subtree_check,no_root_squash,fsid=0,crossmnt,anonuid=65534,anongid=65534)
/home gss/krb5i(rw,no_root_squash,sync,subtree_check,anonuid=65534,anongid=65534)
/mnt/data gss/krb5i(rw,sync,subtree_check,crossmnt,anonuid=65534,anongid=65534)
/mnt/data/photos gss/krb5i(rw,sync,subtree_check,anonuid=65534,anongid=65534)

where those are all on different filesystems on the server. I'm starting to feel like this is not how it's supposed to be done.

b.
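An added example (not from this thread or the CITI page) of the newer export syntax quoted above, assuming kernel >= 2.6.23 and nfs-utils >= 1.1.1, the krb5i flavour the poster's exports already use, and constructed client subnets: because sec= is an ordinary export option, the client field can again be a netmask, so one subnet can be given rw and another forced ro on the same export.

```text
# /etc/exports -- added example with constructed addresses (192.0.2.0/24 is the
# trusted subnet that gets rw, 198.51.100.0/24 is forced read-only by the server).
# Entries continue across lines with a trailing backslash, as exports(5) allows.

# Single pseudo-root: exactly one export carries fsid=0; other filesystems are
# reached below it via crossmnt instead of being exported as gss/krb5i clients.
/          192.0.2.0/24(rw,sec=krb5i,fsid=0,crossmnt,sync,no_subtree_check,no_root_squash) \
           198.51.100.0/24(ro,sec=krb5i,fsid=0,crossmnt,sync,no_subtree_check,root_squash)

# A child filesystem with its own entry uses its own options, not the parent's,
# so both the sec= flavour and the ro/rw split have to be repeated here.
/home      192.0.2.0/24(rw,sec=krb5i,sync,no_subtree_check,no_root_squash) \
           198.51.100.0/24(ro,sec=krb5i,sync,no_subtree_check,root_squash)
/mnt/data  192.0.2.0/24(rw,sec=krb5i,sync,no_subtree_check,crossmnt) \
           198.51.100.0/24(ro,sec=krb5i,sync,no_subtree_check,crossmnt)
```

After `exportfs -ra`, `exportfs -v` lists the effective options per client, including the sec= flavour, which is the quick check that the per-subnet ro/rw split took effect.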