On Tue, 2 Oct 2012 10:33:34 -0400 "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote:

> I guess you're right. So it starts to sound more like: "you have a
> confusing setup. Your export configuration says one thing, and your
> filesystem permissions say another. Under NFSv3 the confusion didn't
> matter, but now it does--time to fix it."
>

That's the best I could come to - I'm glad to have it confirmed. Thanks!

It is unfortunate that Linux NFS uses an anon credential to mount when krb5 is in use, and uses 'root' when auth_sys is used (which might be anon if "root_squash" is active, but might not).

I wonder if it would work to use auth_none for the mount-time lookup, just for consistency..

Is the following appropriate? Is there somewhere better to put this caveat?

Thanks,
NeilBrown

diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index bc1de73..91e4b9c 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man @@ -126,6 +126,10 @@ will be enforced only for access using flavors listed in the immediately preceding sec= option. The only options that are permitted to vary in this way are ro, rw, no_root_squash, root_squash, and all_squash. .PP +When RPCSEC_GSS is used with NFSv4, a client will only be able to mount a +directory if that directory and all its ancestors give eXecute access +to "world". +.PP .SS General Options .BR exportfs understands the following export options:
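
Review bot: the added paragraph (the + lines starting "When RPCSEC_GSS is used with NFSv4") states the requirement without the reason, so an administrator cannot tell whose credential needs the access. Say that the mount-time lookup is made with an anonymous credential when krb5 is in use, as the message above explains, and consider "execute (search) permission for others" in place of 'eXecute access to "world"', which matches how directory permission bits are usually described. The message also notes that auth_sys with root_squash may end up as anon, so it is worth stating whether the caveat is really limited to RPCSEC_GSS. Finally, the paragraph sits at the end of the sec= discussion, directly before ".SS General Options"; naming the exported directory explicitly would keep it from reading as one more per-flavor option rule.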
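
A server-side check for the condition the proposed man page text describes, as an added example that is not part of the original message or of nfs-utils: it walks from an export directory up to / and reports each directory whose mode lacks execute (search) permission for others. The function name `missing_world_x` and its optional second argument (a directory at which to stop walking) are assumptions of this example, and it relies on `stat -c` as provided by GNU coreutils or BusyBox.

```sh
#!/bin/sh
# Added example (not from nfs-utils): find directories on the path to an
# export that would stop an anonymous credential from traversing to it.
#
# Usage: missing_world_x /export/home/alice        # walk up to /
#        missing_world_x /export/home/alice /export  # stop at /export
#
# Prints "<dir> mode=<octal>" for every directory lacking o+x.
# Returns 0 if none were found, 1 if any were found, 2 on error.
missing_world_x() {
    # Resolve both paths physically so symlinked components are checked
    # as the directories they really are. CDPATH is cleared so cd prints
    # nothing of its own.
    _dir=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || return 2
    _top=$(CDPATH= cd -- "${2:-/}" 2>/dev/null && pwd -P) || return 2
    _found=0
    while :; do
        _mode=$(stat -c '%a' -- "$_dir") || return 2
        # The last octal digit is the "other" class; bit value 1 is
        # execute, which on a directory means search/traverse.
        _other=${_mode#"${_mode%?}"}
        if [ $(( $_other & 1 )) -eq 0 ]; then
            printf '%s mode=%s\n' "$_dir" "$_mode"
            _found=1
        fi
        if [ "$_dir" = "$_top" ] || [ "$_dir" = "/" ]; then
            break
        fi
        _dir=$(dirname -- "$_dir")
    done
    return "$_found"
}
```

The check reads mode bits only, so run it as a user who can enter every directory on the path (normally root on the server).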