> On Oct 22, 2024, at 9:50 AM, Patrick M. <s7mon@xxxxxx> wrote: > > > Hi there, > > tried switching to nfs with kernel TLS (mTLS to be specific). > Without xprtsec i was able to use the following options on exports > > "rw,async,all_squash,no_subtree_check,anonuid=1000,anongid=100,fsid=6,sec=sys" > > but both the squashing/mapping-ids seems to conflict with TLS and i wanted to understand if this is by intention or a bug. I don't expect breakage like this, so at least some further triage is needed. Can you open a bug on bugzilla.kernel.org under the Filesystem/NFSD component? You can also verify that this behavior recurs with a 6.11 (or later) kernel on your NFS server. > And if it is by intention of course why - because in my understanding auth and encryption of the mount itself would not contradict with the mapping functionality. > > I now use "rw,async,no_subtree_check,fsid=6,sec=sys,xprtsec=mtls" and it is working. Using no_root_squash also seems to conflict. > > Keeping ID-Mapping i get this on client side > > mount.nfs: Operation not permitted for server:/mnt/target on /mnt/target > > And nothing i could relate as cause on server side (happy to provide specific logs if needed, even with nfsd or rpc flags with rpcdump i could not see a cause). > Tlshd showed also succes in both scenarios (handshake successfull) and i can use all options as well if i remove the xprtsec on server side. > > Client: > Linux 6.11. > nfs-utils-2.7.1 > > Server: > Linux 6.5.52 > nfs-utils-2.7.1 > > Sorry if i missed this in documentation, if so i'd appreciate the hint where i should look in detail > and thanks for this feature! > > > -- > best regards > Patrick M. > -- Chuck Lever
