On Tue, Aug 07, 2012 at 18:12:11 +0200, Lukas Hejtmanek wrote:
> well, ok, thanks for answers. However, it seems that while NFS server's name
> is server-home.domain.com (floating name), and true hostname is
> server1.domain.com, it does not matter that callback is authenticated with
> server1.domain.com instead of server-home.domain.com.
>
> Is this expected? Or is it a bug?

It does matter, callback client name must match the name NFS client uses
for server. We don't see any hard failures because NFS protocol does not
depend on working callback RPCs, but no delegations are granted
(we had nfs-kernel-server package installed on clients before which
masked the bug).

> I would suppose that client rejects authentication of the backchannel from
> server that sends nfs/server1.domain.com KRB principal instead of expected
> nfs/server-home.domain.com.
>
> The client mounts server-home.domain.com with sec=krb5i. Using debugs I can
> see that the server picks up nfs/server1.domain.com key from /etc/krb5.keytab
> and the client seems to be happy with that (context is established).

Server name is checked later, when the context is used for actual callback RPC.

Best regards,
Zdenek Salvet salvet@xxxxxxxxxxx
Institute of Computer Science of Masaryk University, Brno, Czech Republic
and CESNET, z.s.p.o., Prague, Czech Republic
Phone: ++420-549 49 6534 Fax: ++420-541 212 747
----------------------------------------------------------------------------
Teamwork is essential -- it allows you to blame someone else.
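
The name check described in this message, as an added example that is not part of the original thread: a client-side sketch that lists NFSv4 Kerberos mounts in `/proc/mounts` format and flags those whose server name differs from the host part of the principal seen on the callback. The realm `DOMAIN.COM`, the export paths and the function names are assumptions; the sample mount lines are constructed.

```python
import re

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
server-home.domain.com:/export/home /home nfs4 rw,vers=4,sec=krb5i,proto=tcp 0 0
scratch.domain.com:/scratch /scratch nfs4 rw,vers=4,sec=sys,proto=tcp 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

def krb_nfs4_servers(mounts_text):
    """Server names of NFSv4 mounts that use a Kerberos security flavor."""
    servers = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "nfs4":
            continue
        # Mount options are comma-separated key[=value] pairs.
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        if opts.get("sec") in KRB_FLAVORS:
            servers.append(fields[0].split(":/", 1)[0].lower())
    return servers

def principal_host(principal):
    """'nfs/host@REALM' -> 'host'; None if not an nfs/ service principal."""
    m = re.fullmatch(r"nfs/([^@/]+)(?:@.+)?", principal)
    return m.group(1).lower() if m else None

def callback_name_mismatches(mounts_text, callback_principal):
    """Mounted server names that the callback principal does not match.

    Per the message above, a mismatch causes no hard failure, but the
    server grants no delegations to this client.
    """
    host = principal_host(callback_principal)
    return [s for s in krb_nfs4_servers(mounts_text) if s != host]

if __name__ == "__main__":
    # Principal as read from gssd debug output (realm is an assumption).
    for name in callback_name_mismatches(SAMPLE_MOUNTS,
                                         "nfs/server1.domain.com@DOMAIN.COM"):
        print(f"callback principal does not match mounted server {name}")
```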