From: "William A. (Andy) Adamson"
Subject: Re: gssapi and nfs4
Date: Wed, 5 Nov 2008 14:40:23 -0500
Message-ID: <89c397150811051140p2f6e1cb1x1960570d19ac5d6d@mail.gmail.com>
References: <1225813410.2247.279.camel@brian-laptop> <89c397150811041000l93b9831w1e8dce2175c6d51f@mail.gmail.com> <1225824797.2247.345.camel@brian-laptop> <20081104224817.GB16121@fieldses.org> <1225862729.13506.8.camel@pc.interlinx.bc.ca> <20081105190235.GA969@fieldses.org> <1225912734.3785.40.camel@pc.interlinx.bc.ca>
In-Reply-To: <1225912734.3785.40.camel-lA68w17JHpfIgqYUaR6mlLDks+cytr/Z@public.gmane.org>
To: "Brian J. Murrell"
Cc: linux-nfs@vger.kernel.org
List-ID: linux-nfs

On Wed, Nov 5, 2008 at 2:18 PM, Brian J. Murrell wrote:
> On Wed, 2008-11-05 at 14:02 -0500, J. Bruce Fields wrote:
>
>> Unfortunately that last option's the only practical approach right now.
>
> Other than exporting / of course.
>
>> We're working to simplify this.
>
> Great.
>
>> If you want to. If you want to just mount the whole of / at one point
>> in the client filesystem, you can also do that, and the client will
>> automatically mount the filesystems underneath as it traverses into
>> them.
>
> That is cool.
>
>> > / 10.75.22.0/24(sec=krb5,ro,insecure,sync,wdelay,no_subtree_check,root_squash,fsid=0,crossmnt)
>> > /home 10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
>> > /d 10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check,crossmnt)
>> > /d/sub pc(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
>> >
>> > and on the client:
>> >
>> > pc # mount -t nfs4 -o sec=krb5 server:/ /mnt/server
>> > pc # mount -t nfs4 -o sec=krb5 server:/home /mnt/server/home
>> > pc # mount -t nfs4 -o sec=krb5 server:/d /d
>> > pc # mount -t nfs4 -o sec=krb5 server:/d/sub /d/sub
>> >
>> > To have /home rw under /mnt/server. It would be there but ro without
>> > the second mount, yes?
>> >
>> > It also appears that for the above case of /d and /d/sub I need the
>> > crossmnt option on /d or I don't see anything in /d/sub even though I've
>> > exported and mounted it individually. Does this seem like the expected
>> > behaviour or a bug?
>>
>> That's expected.
>
> But causes a problem as below...
>
>> > It's important to be able to do because I might
>> > want to be able to export /d to certain hosts without giving them access
>> > to mountpoints within /d as I have done above with /d/sub and pc. If I
>> > use crossmnt which my experience is showing I need, then /d/sub is
>> > exposed to all of 10.75.22.0/24 which is not what I want.
>>
>> If you add a separate export for /d/sub, I think it should override that
>> behavior.
>
> That's what I did and still, I have to use crossmnt on /d and that
> exposes /d/sub to everyone who gets access to /d where my intention
> is to only expose /d/sub to the match/limit I put on /d/sub, which is
> the single host "pc" in my above scenario.
>

A better way to limit access is to use ACLs on the directory, which
actually make a difference when running Kerberos. :)

-->Andy

> Let me thank you for all of your great answers.
>
> b.
>
>
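The situation Brian describes, a child export restricted to one host sitting under a parent exported with crossmnt to a whole subnet, can be caught by linting the exports file before it goes live. The check below is an added illustration, not code from the thread or from nfs-utils: it parses exports(5) syntax, and for every export reports each crossmnt ancestor whose client spec does not appear verbatim in the child's own client list (a textual comparison only, no subnet membership test). The sample exports text is the one quoted above; the function names are my own.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the /etc/exports quoted in the thread.
EXPORTS = """\
/      10.75.22.0/24(sec=krb5,ro,insecure,sync,wdelay,no_subtree_check,root_squash,fsid=0,crossmnt)
/home  10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
/d     10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check,crossmnt)
/d/sub pc(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
"""

# One "client(opt,opt,...)" entry; the parenthesised option list is optional.
ENTRY = re.compile(r"([^\s(]+)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return {path: [(client_spec, set_of_options), ...]} from exports(5) text."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        clients = [(m.group(1), set(filter(None, (m.group(2) or "").split(","))))
                   for m in ENTRY.finditer(rest)]
        exports[path] = clients
    return exports


def crossmnt_exposures(exports):
    """Flag child exports whose client list is narrower than a crossmnt ancestor's.

    This is the thread's observation: with crossmnt on /d, every host allowed on
    /d could reach /d/sub, although /d/sub itself was exported only to "pc".
    Each finding is (child_path, ancestor_path, ancestor_client_spec).
    """
    findings = []
    for child, child_clients in exports.items():
        child_hosts = {spec for spec, _ in child_clients}
        for parent, parent_clients in exports.items():
            if PurePosixPath(parent) not in PurePosixPath(child).parents:
                continue                          # not an ancestor (or same path)
            for spec, opts in parent_clients:
                if "crossmnt" in opts and spec not in child_hosts:
                    findings.append((child, parent, spec))
    return findings


if __name__ == "__main__":
    for child, parent, spec in crossmnt_exposures(parse_exports(EXPORTS)):
        print(f"{child}: reachable by {spec} via crossmnt on {parent}")
```

On the sample it reports /d/sub twice, once for the crossmnt on / and once for the crossmnt on /d, while /home and /d are clean because their client spec matches the parent's.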