Return-Path:
Received: from mailservice.tudelft.nl ([130.161.131.5]:51825 "EHLO mailservice.tudelft.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1759327Ab1DPMAx (ORCPT ); Sat, 16 Apr 2011 08:00:53 -0400
Message-ID: <4DA984F2.20600@tudelft.nl>
Date: Sat, 16 Apr 2011 14:00:50 +0200
From: Richard Smits
To: Myles Uyema
CC: linux-nfs
Subject: Re: linux / automount not respecting sec=sys parameter when NFS server supports sys:krb5
References: <4DA0F46D.3000909@tudelft.nl>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1
Sender: linux-nfs-owner@vger.kernel.org
List-ID:
MIME-Version: 1.0

Great tip. We did not know this... I have tried it and it works great.
This will make our admin tasks a lot easier.

We also use automount scripts for different mountpoints to different
servers. We use an attribute in our AD for this.

> However, when a krb5 beta tester accesses any homedir,
> Linux and automount will choose to mount that homedir using sec=krb5.

How does the automounter make this choice ? (sys or krb5)
Is this a manual setting or an entry in your ldap directory ?

Greetings ..

Myles Uyema wrote:
> Yes, on the filer /etc/exports (and exportfs output) the parameter is
> -sec=sys:krb5
> It works generally for mounts listed in /etc/fstab, but automount is a
> weird one.
>
> I believe we have narrowed it down to 2.6.20 kernel behavior. More
> news forthcoming with a newer kernel.
>
> On Sat, Apr 9, 2011 at 5:06 PM, Richard Smits wrote:
>> Myles Uyema wrote:
>>> We have a Netapp filer (8.0.1) exporting NFSv3 homedirs with -sec=sys:krb5,rw
>> This is interesting. Are you making an export on a Netapp filer that is
>> "sec=sys" AND "sec=krb5" ? (sys:krb5)
>>
>> In my experience this doesn't work and you can only make a "sec=sys"
>> export OR a "sec=krb5" on the same directory/qtree.
>>
>> Can you please clarify this ?
>>
>> Greetings ..
>> Richard Smits
>>
>>> We have automount using LDAP for homedir mounts, explicitly specifying
>>> sec=sys for all users, except for the krb5 beta testers.
>>>
>>> We are rolling out users with kerberos slowly across our linux
>>> machines. However, when a krb5 beta tester accesses any homedir,
>>> Linux and automount will choose to mount that homedir using sec=krb5.
>>> It's quite apparent that /etc/mtab shows the mount parameter as
>>> sec=sys, but /proc/mounts shows the same mount as sec=krb5
>>>
>>> /etc/mtab
>>> nfstest101:/vol/krbtest01/testuser /home/testuser nfs
>>> rw,hard,intr,sec=sys,addr=10.21.127.101 0 0
>>>
>>> /proc/mounts
>>> nfstest101:/vol/krbtest01/testuser /home/testuser nfs
>>> rw,vers=3,rsize=65536,wsize=65536,hard,intr,proto=tcp,timeo=600,retrans=2,sec=krb5,addr=10.21.127.101
>>> 0 0
>>>
>>> If testuser then logs in (without a kerberos ticket) they cannot
>>> access their own home directory.
>>>
>>> Why is linux/automount ignoring our explicit sec=sys parameter?
>>>
>>> Linux 2.6.20 kernel CentOS 5.x
>>> Autofs 5.0.1
>>> mount (util-linux 2.13-pre7)
>>> MIT-Kerberos 5
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
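
The symptom reported in the quoted message (a mount recorded with sec=sys in /etc/mtab while /proc/mounts shows sec=krb5) can be checked across all NFS mounts on a host. The following is an added example, not part of the original thread; the function names are hypothetical and the sample text is constructed from the two entries quoted above plus one constructed matching entry.

```python
"""Flag NFS mounts whose requested sec= flavor (mtab) differs from the
flavor the kernel is actually using (/proc/mounts)."""
import sys

NFS_TYPES = {"nfs", "nfs4"}

def nfs_sec_by_mountpoint(text):
    """Map mount point -> sec= value for NFS entries in mtab-style text."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        _device, mountpoint, fstype, options = fields[:4]
        if fstype not in NFS_TYPES:
            continue
        # "sec=sys" -> ("sec", "sys"); bare flags such as "rw" -> ("rw", "")
        opts = dict(o.partition("=")[::2] for o in options.split(","))
        result[mountpoint] = opts.get("sec")  # None if no sec= was recorded
    return result

def sec_mismatches(mtab_text, proc_mounts_text):
    """Return sorted (mountpoint, requested, effective) tuples that differ."""
    requested = nfs_sec_by_mountpoint(mtab_text)
    effective = nfs_sec_by_mountpoint(proc_mounts_text)
    return sorted(
        (mp, requested[mp], effective[mp])
        for mp in requested.keys() & effective.keys()
        if requested[mp] is not None and requested[mp] != effective[mp]
    )

# Constructed sample input: first entry of each is taken from the thread,
# the /home/otheruser entry is made up to show a mount that matches.
SAMPLE_MTAB = (
    "nfstest101:/vol/krbtest01/testuser /home/testuser nfs rw,hard,intr,sec=sys,addr=10.21.127.101 0 0\n"
    "nfstest101:/vol/krbtest01/otheruser /home/otheruser nfs rw,hard,intr,sec=sys,addr=10.21.127.101 0 0\n"
)
SAMPLE_PROC_MOUNTS = (
    "nfstest101:/vol/krbtest01/testuser /home/testuser nfs rw,vers=3,rsize=65536,wsize=65536,hard,intr,proto=tcp,timeo=600,retrans=2,sec=krb5,addr=10.21.127.101 0 0\n"
    "nfstest101:/vol/krbtest01/otheruser /home/otheruser nfs rw,vers=3,hard,intr,proto=tcp,sec=sys,addr=10.21.127.101 0 0\n"
)

if __name__ == "__main__":
    # With two file arguments compare real files, otherwise use the sample.
    # Only meaningful where /etc/mtab is a regular file written by mount(8);
    # where it is a symlink to /proc/self/mounts both sides are identical.
    if len(sys.argv) == 3:
        mtab, proc = (open(p).read() for p in sys.argv[1:3])
    else:
        mtab, proc = SAMPLE_MTAB, SAMPLE_PROC_MOUNTS
    for mp, want, got in sec_mismatches(mtab, proc):
        print(f"{mp}: requested sec={want}, kernel is using sec={got}")
```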