On Sat, Aug 20, 2011 at 08:35:43AM +1000, paul.szabo@xxxxxxxxxxxxx wrote:
> Dear Andy,
>
> > Note that only AUTH_SYS sends GID and GID lists in the rpc_cred.
> > RPCSEC_GSS with Kerberos only sends the krb5 principal to the server.
> > The server looks up group membership via nsswitch - either /etc/groups
> > ...
>
> Can the server be set so as to ignore any AUTH_SYS sends, and accept
> RPCSEC_GSS only?

Add something like sec=krb5:krb5i:krb5p to all your exports.

> > idmapd only deals with groups when a SETATTR arrives with ACE who's that
> > are group names where it maps the groupname@domain to a gid, or a
> > GETATTR ACL request where it maps gid->groupname@domain
>
> Can the server be set so as to ignore any attempts from the client to
> set group memberships, but always set its own from /etc/group?

Use kerberos, or run mountd with the --manage-gids option.

--b.
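An added example, not part of the original thread: a small audit that checks exports(5)-style text for entries that would still accept a non-RPCSEC_GSS flavor, which is what the `sec=krb5:krb5i:krb5p` advice above is meant to rule out. The sample content, the function names, and the simplified parsing are assumptions of this example: no quoted paths, `-opt` defaults applied per line, a client's own `sec=` replacing the default, and `sys` assumed when no `sec=` is given.

```python
# Added example: audit exports(5)-style text for entries that accept non-GSS flavors.
GSS_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample exports content (hosts and paths are placeholders).
SAMPLE_EXPORTS = """\
# constructed sample
/srv/home    *.example.org(rw,sec=krb5:krb5i:krb5p)
/srv/scratch 192.0.2.0/24(rw,sync)
/srv/mixed   -sec=krb5p client1.example.org(rw) client2.example.org(rw,sec=sys:krb5)
/srv/pub     (ro)
"""

def flavors(options, inherited):
    """Flavors named by sec= in a comma-separated option list, else the inherited set."""
    found = set()
    for opt in options.split(","):
        opt = opt.strip()
        if opt.startswith("sec="):
            found.update(opt[4:].split(":"))
    return found or inherited

def audit_exports(text):
    """Return (path, client, non_gss_flavors) for each export that is not RPCSEC_GSS-only."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        path, *fields = line.split()
        default = {"sys"}  # assumption: AUTH_SYS applies when no sec= is given
        for field in fields:                              # "-opt,..." default options
            if field.startswith("-"):
                default = flavors(field[1:], default)
        for field in fields:
            if field.startswith("-"):
                continue
            host, _, opts = field.partition("(")
            weak = flavors(opts.rstrip(")"), default) - GSS_FLAVORS
            if weak:
                findings.append((path, host or "(any host)", sorted(weak)))
    return findings

if __name__ == "__main__":
    for path, client, weak in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: still accepts {', '.join(weak)}")
```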