On Tue, 2007-12-04 at 12:09 +1100, Neil Brown wrote:
> On Monday December 3, [email protected] wrote:
> > On Fri, 2007-11-23 at 13:50 +1100, Neil Brown wrote:
> > > Does this (untested, but it compiles) patch seem right?
> >
> > In testing security negotiation, I ran into this problem. I've tried
> > this patch and it doesn't seem to be working right. My exports file is:
> >
> > /export/home gss/krb5i(nohide,insecure,no_subtree_check,no_root_squash,async,rw)
> > /export/home gss/krb5p(nohide,insecure,no_subtree_check,no_root_squash,async,rw)
> > /export gss/krb5(fsid=0,insecure,no_subtree_check,no_root_squash,async,rw,crossmnt)
> > /export gss/krb5i(fsid=0,insecure,no_subtree_check,no_root_squash,async,rw,crossmnt)
>
> You don't need the patch for this exports file. It is only relevant
> when the underlying filesystem is not explicitly exported, so the
> export flags a deduced implicitly.
>
> So - this is a separate issue.
Ah, ok.
> > From the client I execute:
> >
> > mount -overs=4,sec=krb5 elm3a19.beaverton.ibm.com:/ /mnt
> > ls -l /mnt/home
>
> ... and what happens?
This is what I get:
# mount -overs=4,sec=krb5 elm3a19.beaverton.ibm.com:/ /mnt
# ls -l /mnt
total 32
-rw-r--r-- 1 nobody nobody 32 Nov 7 15:00 foo
drwxr-xr-x 19 nobody nobody 4096 Dec 3 14:40 home
drwxr-xr-x 2 nobody nobody 4096 Nov 2 17:51 homw2
# ls -l /mnt/home
total 32
-rw-r--r-- 1 nobody nobody 32 Nov 7 15:00 foo
drwxr-xr-x 19 nobody nobody 4096 Dec 3 14:40 home
drwxr-xr-x 2 nobody nobody 4096 Nov 2 17:51 homw2
# ls -l /mnt/homw2
total 0
-rw-r--r-- 1 nobody nobody 0 Nov 2 17:51 foo
# umount /mnt
This is from an AIX client, however, with the new format exports with
the sec= export option, the AIX client works just fine (given the patch
I submitted previously).
Frank Filz
-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell. From the desktop to the data center, Linux is going
mainstream. Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs
_______________________________________________
Please note that [email protected] is being discontinued.
Please subscribe to [email protected] instead.
http://vger.kernel.org/vger-lists.html#linux-nfs
I've done some more exploration, I think the exports are getting set
wrong. First, here is the working case with the new exports format (cut
from an annotated /var/log/messages):
START======================================================
======= cat /etc/exports
/export *(sec=krb5,fsid=0,insecure,no_subtree_check,no_root_squash,async)
/export/home *(sec=krb5,nohide,insecure,no_subtree_check,no_root_squash,async)
======= mount -overs=4,sec=krb5 elm3a19.beaverton.ibm.com:/ /mnt
Dec 7 10:47:20 elm3a19 mountd[4691]: cache_export_ent domain=*, exp path=/export, path=/export
Dec 7 10:47:20 elm3a19 mountd[4691]: dump_to_cache path=/export, exp path=/export
======= ls -l /mnt
Dec 7 10:47:22 elm3a19 mountd[4691]: nfsd_export domain=*, path=/export/home, exp path=/export/home
Dec 7 10:47:22 elm3a19 mountd[4691]: dump_to_cache path=/export/home, exp path=/export/home
Dec 7 10:47:23 elm3a19 mountd[4691]: cache_export_ent domain=*, exp path=/export/home, path=/export/home
Dec 7 10:47:23 elm3a19 mountd[4691]: dump_to_cache path=/export/home, exp path=/export/home
======= umount /mnt
==========================
Dec 7 10:47:28 elm3a19 rpc.idmapd[2471]: nfsdcb: authbuf=gss/krb5 authtype=user
Dec 7 10:47:28 elm3a19 rpc.idmapd[2471]: nfsdcb: authbuf=gss/krb5 authtype=group
======= ls -l /mnt/home
======= umount /mnt
END=======================================================
And then here is the non-working form with the old exports format:
START======================================================
======= cat /etc/exports
/export/home gss/krb5i(nohide,insecure,no_subtree_check,no_root_squash,async,rw)
/export/home gss/krb5p(nohide,insecure,no_subtree_check,no_root_squash,async,rw)
/export gss/krb5(fsid=0,insecure,no_subtree_check,no_root_squash,async,rw,crossmnt)
/export gss/krb5i(fsid=0,insecure,no_subtree_check,no_root_squash,async,rw,crossmnt)
======= mount -overs=4,sec=krb5 elm3a19.beaverton.ibm.com:/ /mnt
Dec 7 10:46:53 elm3a19 mountd[4691]: cache_export_ent domain=gss/krb5, exp path=/export, path=/export
Dec 7 10:46:53 elm3a19 mountd[4691]: dump_to_cache path=/export, exp path=/export
======= ls -l /mnt
Dec 7 10:46:55 elm3a19 mountd[4691]: nfsd_export domain=gss/krb5, path=/export/home, exp path=/export
Dec 7 10:46:55 elm3a19 mountd[4691]: dump_to_cache path=/export/home, exp path=/export
Dec 7 10:46:56 elm3a19 mountd[4691]: cache_export_ent domain=gss/krb5, exp path=/export, path=/export/home
Dec 7 10:46:56 elm3a19 mountd[4691]: dump_to_cache path=/export, exp path=/export
Dec 7 10:46:56 elm3a19 mountd[4691]: dump_to_cache path=/export/home, exp path=/export
======= umount /mnt
==========================
======= ls -l /mnt/home
======= umount /mnt
END=======================================================
I see that the way mountd caches the /exports/home export is different
between the two cases, with the non-working old exports format case
caching a path of /export/home but using the /export export.
p.s. I am using nfs-utils-1.1.1 for this, and applied the previously
mentioned crossmount patch.
Oh, and just for completeness, here is implicit exporting via crossmnt,
with the same result:
START======================================================
======= cat /etc/exports
/export
gss/krb5(fsid=0,insecure,no_subtree_check,no_root_squash,async,rw,crossmnt)
/export
gss/krb5i(fsid=0,insecure,no_subtree_check,no_root_squash,async,rw,crossmnt)
======= mount -overs=4,sec=krb5 elm3a19.beaverton.ibm.com:/ /mnt
Dec 7 11:00:22 elm3a19 mountd[4691]: cache_export_ent domain=gss/krb5, exp path=/export, path=/export
Dec 7 11:00:22 elm3a19 mountd[4691]: dump_to_cache path=/export, exp path=/export
Dec 7 11:00:22 elm3a19 rpc.idmapd[2471]: nfsdcb: authbuf=gss/krb5 authtype=user
Dec 7 11:00:22 elm3a19 rpc.idmapd[2471]: nfsdcb: authbuf=gss/krb5 authtype=group
======= ls -l /mnt
Dec 7 11:00:24 elm3a19 mountd[4691]: nfsd_export domain=gss/krb5, path=/export/home, exp path=/export
Dec 7 11:00:24 elm3a19 mountd[4691]: dump_to_cache path=/export/home, exp path=/export
Dec 7 11:00:25 elm3a19 mountd[4691]: cache_export_ent domain=gss/krb5, exp path=/export, path=/export/home
Dec 7 11:00:25 elm3a19 mountd[4691]: dump_to_cache path=/export, exp path=/export
Dec 7 11:00:25 elm3a19 mountd[4691]: dump_to_cache path=/export/home, exp path=/export
======= umount /mnt
==========================
======= ls -l /mnt/home
======= umount /mnt
END=======================================================
Looks the same as with the explicit exporting.
Any suggestions or thoughts?
Thanks
Frank Filz
-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs
_______________________________________________
Please note that [email protected] is being discontinued.
Please subscribe to [email protected] instead.
http://vger.kernel.org/vger-lists.html#linux-nfs