On Tue, Aug 07, 2012 at 03:59:09PM +0000, Myklebust, Trond wrote:
> Yes, you can do this, however that requires the server to be configured
> to accept rpcsec_gss and auth_sys from that client.
> It also allows anyone to spoof a callback to your client.
> Furthermore, it would allow anybody to send SETCLIENTID calls using the
> same client id to the server and so they can declare your client to have
> rebooted (so that all state is lost), they can divert callbacks to
> another machine, ....
> IOW: it is not really something you want to allow on an untrusted
> network.

Well, OK, thanks for the answers.

However, it seems that while the NFS server's name is server-home.domain.com (floating name), and the true hostname is server1.domain.com, it does not matter that the callback is authenticated with server1.domain.com instead of server-home.domain.com.

Is this expected? Or is it a bug? I would suppose that the client rejects authentication of the backchannel from a server that sends the nfs/server1.domain.com KRB principal instead of the expected nfs/server-home.domain.com.

The client mounts server-home.domain.com with sec=krb5i. Using debugs I can see that the server picks up the nfs/server1.domain.com key from /etc/krb5.keytab and the client seems to be happy with that (context is established).

--
Lukáš Hejtmánek