On Sun, Jun 14, 2009 at 07:53:25PM +0200, Sascha Frey wrote:
> Hi,
>
> we have some Linux NFS servers distributing our users' homes to our
> clients.
>
> We are using NIS netgroups to restrict access to certain NFS shares.
> Our /etc/exports file looks like this:
> /var/lib/nfs/v4root \
>     *(ro,fsid=0,insecure,no_subtree_check)
> /export/homes \
>     -rw,async,insecure,no_subtree_check @netgroupA
> /var/lib/nfs/v4root/export/homes \
>     -rw,async,insecure,nohide,no_subtree_check @netgroupA
>
> (/export/homes is bind-mounted to /var/lib/nfs/v4root/export/homes to
> have the same path for NFSv3 and v4 exports.)
>
> Now we need to export some of the home directories to an additional
> group of hosts. So we added two lines for each one of these 'special
> cases' to the exports file:
>
> /export/homes/usera \
>     -rw,async,insecure,no_subtree_check @netgroupA @netgroupB
> /var/lib/nfs/v4root/export/homes/usera \
>     -rw,async,insecure,nohide,no_subtree_check @netgroupA @netgroupB
>
> Our problem:
> Hosts which are members of netgroupB are unable to mount
> server:/export/homes/usera when using NFSv4:
> client:~# mount -t nfs4 server:/export/homes/usera /mnt
> mount.nfs4: mounting server:/export/homes/usera failed, reason given by
> server:
> No such file or directory
>
> NFSv3 mount works (-t nfs)...
>
> We can't export the whole homes tree to netgroupB. Adding entries in
> /etc/exports isn't a good idea either (we have more than 2000 home
> directories).
>
>
> Is there any chance to get this working without setting up export
> entries for each single home directory?

Exports really only work well on a whole-filesystem basis. The server is
not good at distinguishing between different subtrees of the same
filesystem.

Note also: in the above situation, a malicious user in netgroupB can
probably access anything in /export/homes.

You can fix that by changing no_subtree_check to subtree_check, but that
may cause unexpected stale filehandle errors on renaming files (because
it causes the filehandle of a file to change depending on which
directory it is contained in).

--b.
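The exposure Bruce describes follows from how nfsd resolves a filehandle: the handle identifies a filesystem and an inode, and only subtree_check makes the server verify that the inode actually lies under the exported directory. A client that was granted a subdirectory export without subtree_check can therefore present handles for any file on that filesystem. The script below is an added example for this thread, not nfs-utils code and not anything the posters ran. It parses an /etc/exports file in both syntaxes used above, folds bind mounts back onto their source paths, and reports every subdirectory export whose clients are not also granted an ancestor export on the same filesystem. The mount table (MOUNTPOINTS and BIND_MOUNTS) is constructed by hand rather than read from /proc/self/mounts, and an export with neither option is treated as no_subtree_check, which is the nfs-utils default. The constructed EXPORTS text is a copy of the thread's configuration; HARDENED is the same file with subtree_check on the two per-user lines, as suggested in the reply.

```python
"""Flag /etc/exports entries that export a subdirectory of a filesystem
without subtree_check, so their clients can reach the whole filesystem.
Added example for this thread; not part of nfs-utils."""

from dataclasses import dataclass
from posixpath import normpath


@dataclass(frozen=True)
class Export:
    path: str          # canonical path on the underlying filesystem
    client: str        # host, netgroup (@name) or "*"
    options: frozenset


def _logical_lines(text):
    """Strip '#' comments and join backslash-continued lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def _is_under(child, parent):
    return parent == "/" or child == parent or child.startswith(parent + "/")


def resolve_binds(path, bind_mounts):
    """Map a path below a bind mount to the source path it really names."""
    for mnt, src in sorted(bind_mounts.items(), key=lambda kv: -len(kv[0])):
        if _is_under(path, mnt):
            return normpath(src + path[len(mnt):])
    return path


def parse_exports(text, bind_mounts):
    """Accept both 'path client(opts) ...' and the older
    'path -opts client client' form used in the question."""
    exports = []
    for line in _logical_lines(text):
        tokens = line.split()
        path = resolve_binds(normpath(tokens[0]), bind_mounts)
        rest = tokens[1:]
        if rest and rest[0].startswith("-"):        # "-opts client client"
            opts = frozenset(o for o in rest[0][1:].split(",") if o)
            exports.extend(Export(path, c, opts) for c in rest[1:])
            continue
        for tok in rest:                            # "client(opts)"
            if tok.endswith(")") and "(" in tok:
                client, optstr = tok[:-1].split("(", 1)
                opts = frozenset(o for o in optstr.split(",") if o)
            else:
                client, opts = tok, frozenset()
            exports.append(Export(path, client, opts))
    return exports


def fs_root(path, mountpoints):
    """Root of the filesystem holding path: the longest mount point above it."""
    return max((m for m in mountpoints if _is_under(path, m)), key=len)


def find_subtree_leaks(exports, mountpoints):
    """Return (export_path, filesystem_root, clients) for every export that is
    a strict subdirectory of its filesystem, lacks subtree_check, and grants
    clients that no ancestor export on the same filesystem grants. Those
    clients can present filehandles for anything under filesystem_root."""
    mountpoints = {normpath(m) for m in mountpoints} | {"/"}
    clients_of = {}
    for e in exports:
        clients_of.setdefault(e.path, set()).add(e.client)
    findings = []
    for path in sorted(clients_of):
        root = fs_root(path, mountpoints)
        if root == path:
            continue                                # whole-filesystem export
        trusted = set()                             # clients of wider exports
        for other, clients in clients_of.items():
            if other != path and _is_under(path, other) \
                    and fs_root(other, mountpoints) == root:
                trusted |= clients
        if "*" in trusted:
            continue
        unchecked = {e.client for e in exports
                     if e.path == path and "subtree_check" not in e.options}
        extra = sorted(unchecked - trusted)
        if extra:
            findings.append((path, root, extra))
    return findings


# Constructed copy of the thread's /etc/exports.
EXPORTS = """\
/var/lib/nfs/v4root \\
    *(ro,fsid=0,insecure,no_subtree_check)
/export/homes \\
    -rw,async,insecure,no_subtree_check @netgroupA
/var/lib/nfs/v4root/export/homes \\
    -rw,async,insecure,nohide,no_subtree_check @netgroupA
/export/homes/usera \\
    -rw,async,insecure,no_subtree_check @netgroupA @netgroupB
/var/lib/nfs/v4root/export/homes/usera \\
    -rw,async,insecure,nohide,no_subtree_check @netgroupA @netgroupB
"""
# Same file with subtree_check on the per-user lines, as the reply suggests.
HARDENED = EXPORTS.replace("no_subtree_check @netgroupA @netgroupB",
                           "subtree_check @netgroupA @netgroupB")
# Constructed mount table (assumption): /export/homes is its own filesystem,
# bind-mounted under the v4 pseudo-root as the question describes.
MOUNTPOINTS = {"/", "/export/homes"}
BIND_MOUNTS = {"/var/lib/nfs/v4root/export/homes": "/export/homes"}


def audit(text=EXPORTS):
    return find_subtree_leaks(parse_exports(text, BIND_MOUNTS), MOUNTPOINTS)


if __name__ == "__main__":
    for path, root, clients in audit():
        print(f"{path}: {', '.join(clients)} can reach all of {root}")
```

On the thread's configuration audit() reports that @netgroupB, granted only /export/homes/usera, can reach all of /export/homes, which is exactly the point made in the reply. It also flags the pseudo-root: in this constructed mount table /var/lib/nfs/v4root is a plain directory on the root filesystem exported read-only to every host, so the same reasoning applies to it; giving the pseudo-root its own filesystem (or subtree_check) would silence that. With the hardened file only the pseudo-root finding remains, at the cost of the rename caveat the reply mentions.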