On Jun 28, 2011, at 3:10 PM, J. Bruce Fields wrote:
> On Tue, Jun 28, 2011 at 03:06:40PM -0400, bfields wrote:
>> On Tue, Jun 28, 2011 at 02:25:41PM -0400, Chuck Lever wrote:
>>> There is an undocumented convention (verified by reviewing network
>>> traces from a NetApp filer and a Solaris NFS server) where a server
>>> that returns a mount authflavor list containing an AUTH_NULL entry
>>> is actually indicating it will accept any security flavor for the
>>> export being mounted.
>>
>> This is only in the case of NLM? (Not v4 secinfo?)
> ^^^
> (Sorry, I meant MOUNT !)
Right, this fix is specifically for the kernel's NFSv3 mount client. I expect that SECINFO is probably the area where NFSv4 spec changes might help, but I haven't touched that in these patches.
At some point Bryan, Trond, and I should discuss how we can unify these pieces, and teach them how to determine the list of locally supported authflavors. Maybe this is done already?
>>
>> --b.
>>
>>>
>>> This might be used when the server maps all security flavors into the
>>> same security mode. For example, the server treats all accessors as,
>>> say, UID 17.
>>>
>>> Essentially, AUTH_NULL is treated as a wildcard that matches the
>>> flavor the mounter requested.
>>>
>>> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
>>> ---
>>>
>>> fs/nfs/super.c | 15 +++++++++++----
>>> 1 files changed, 11 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/fs/nfs/super.c b/fs/nfs/super.c
>>> index 4625a4c..543cf9f 100644
>>> --- a/fs/nfs/super.c
>>> +++ b/fs/nfs/super.c
>>> @@ -1570,13 +1570,20 @@ static int nfs_walk_authlist(struct nfs_parsed_mount_data *args,
>>> * the first flavor in the list that it supports, on the
>>> * assumption that the best access is provided by the first
>>> * flavor."
>>> + *
>>> + * By convention we treat AUTH_NULL in the returned list as
>>> + * a wild card. The server will map our requested flavor to
>>> + * something else.
>>> */
>>> - for (i = 0; i < args->auth_flavor_len; i++)
>>> - for (j = 0; j < server_authlist_len; j++)
>>> - if (args->auth_flavors[i] == server->auth_flavs[j]) {
>>> - args->auth_flavors[0] = server->auth_flavs[j];
>>> + for (i = 0; i < server_authlist_len; i++) {
>>> + if (server->auth_flavs[i] == RPC_AUTH_NULL)
>>> + goto out;
>>> + for (j = 0; j < args->auth_flavor_len; j++)
>>> + if (server->auth_flavs[i] == args->auth_flavors[j]) {
>>> + args->auth_flavors[0] = server->auth_flavs[i];
>>> goto out;
>>> }
>>> + }
>>>
>>> dfprintk(MOUNT, "NFS: server does not support requested auth flavor\n");
>>> nfs_umount(server);
>>>
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
