    NFS: Retry SETCLIENTID with AUTH_SYS instead of AUTH_NONE · 79d852bf
    Chuck Lever authored
    Recently I changed the SETCLIENTID code to use AUTH_GSS(krb5i), and
    then retry with AUTH_NONE if that didn't work.  This was to enable
    Kerberos NFS mounts to work without forcing Linux NFS clients to
    have a keytab on hand.
    
    Rick Macklem reports that the FreeBSD server accepts AUTH_NONE only
    for NULL operations (thus certainly not for SETCLIENTID).  Falling
    back to AUTH_NONE means our proposed 3.10 NFS client will not
    interoperate with FreeBSD servers over NFSv4 unless Kerberos is
    fully configured on both ends.
    
    If the Linux client falls back to using AUTH_SYS instead for
    SETCLIENTID, all should work fine as long as the NFS server is
    configured to allow AUTH_SYS for SETCLIENTID.
    
    This may still prevent access to Kerberos-only FreeBSD servers by
    Linux clients with no keytab.  Rick is of the opinion that the
    security settings the server applies to its pseudo-fs should also
    apply to the SETCLIENTID operation.
    
    Linux and Solaris NFS servers do not place that limitation on
    SETCLIENTID.  The security settings for the server's pseudo-fs are
    determined automatically as the union of security flavors allowed on
    real exports, as recommended by RFC 3530bis; and the flavors allowed
    for SETCLIENTID are all flavors supported by the respective server
    implementation.
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
nfs4state.c 58 KB