Re: [PATCH 2/2] NFS: Fall back to AUTH_SYS for SETCLIENTID (take 2)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, May 15, 2013 at 12:23:12PM -0400, Chuck Lever wrote:
> 
> On May 15, 2013, at 12:04 PM, "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote:
> 
> > On Mon, May 13, 2013 at 12:25:28PM -0400, Chuck Lever wrote:
> >> Now that commit 4edaa308 "NFS: Use "krb5i" to establish NFSv4 state
> >> whenever possible" is reverted...
> >> 
> >> NFSv4 server trunking detection was added with commit 05f4c350 "NFS:
> >> Discover NFSv4 server trunking when mounting" in v3.7.  One of the
> >> issues that the reverted commit 4edaa308 tried to address was that
> >> when server trunking detection was added, we broke the ability to
> >> mount krb5 exports when the client has no keytab.
> > 
> > And that happened because we started asking gssd explicitly for a
> > context for a machine principal instead of for uid=0?  Or for some other
> > reason?
> 
> We've asked gssd for a machine credential for SETCLIENTID for a while now, so "some other reason."  I honestly don't know exactly why it stopped working with my change, but someone bisected it to that one.
> 
> But we've always had some issue with the "no keytab" case because we do require a machine credential for SETCLIENTID.  I'm suggesting a fix for the broad class of problems using "sec=krb5?" that arise due to a missing keytab on the client.
> 
> In this case we need the fix sooner rather than later because it stopped working in 3.7.
> 
> > 
> >> We still need to
> >> address that regression.
> >> 
> >> Let's try a narrow approach to re-enabling sec=krb5 mounts without a
> >> local system keytab, and worry about the other issues when we can
> >> plan concomitant user space and kernel changes.
> >> 
> >> When a GSS security flavor is used on a mount, allow the security
> >> flavor for state management to fall back to AUTH_SYS if there is
> >> a problem setting up a GSS context for it.
> > 
> > This brings back the delay in the case gssd isn't running, doesn't it?
> 
> No.  "When a GSS flavor is used" means ONLY when a GSS flavor is used.  We make the minimal assumption that using a GSS flavor for a mount means the administrator either has gssd running or wants to know when it isn't, and can tolerate a delay in that case.

Oh, got it, thanks.--b.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux