On Wed, 2013-05-15 at 15:52 -0400, J. Bruce Fields wrote:
> On Wed, May 15, 2013 at 03:28:27PM -0400, Chuck Lever wrote:
> >
> > On May 15, 2013, at 1:48 PM, J. Bruce Fields <bfields@xxxxxxxxxxxx> wrote:
> >
> > > On Wed, May 15, 2013 at 01:42:58PM -0400, Chuck Lever wrote:
> > >>
> > >> On May 15, 2013, at 1:39 PM, "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote:
> > >>
> > >>> By the way, have you looked at SP4_MACH_CRED at all yet? It's a
> > >>> selfish question (I could use something to test against), but I
> > >>> think it's also what you want if you want krb5i-protected 4.1 state.
> > >>
> > >> I asked about that recently and was told SP4_MACH_CRED was going the
> > >> way of the dodo
> > >
> > > Do you remember who said that? Is the discussion online somewhere?
> >
> > No, I mis-remembered. I was thinking of SP4_SSV.
> >
> > >
> > >> (or did I misunderstand the response from the floor?).
> > >>
> > >> I'm certainly open to exploring other solutions, but I do want to be
> > >> practical about it. Will it be supported on other servers besides
> > >> Linux? Does SP4_MACH_CRED help for NFSv4.0?
> > >
> > > I haven't tested other servers. It's a 4.1-only feature.
> >
> > SP4_MACH_CRED for 4.1 appears useful, but I think we would need to consider:
> >
> > o whether SP4_MACH_CRED is a broadly implemented feature where Linux
> >   clients can rely on it being there in typical environments
>
> I'm assuming it's mandatory for servers to implement. If there is any
> example of a released server not implementing SP4_MACH_CRED, I'd like to
> know.
>
> > o how to address the "no keytab" issue for NFSv4.0, which does not
> >   have SP4_MACH_CRED (that I am aware of)
> >
> > Andy is probably more interested in seeing SP4_MACH_CRED implemented in
> > the Linux client, as it is one solution for the "user cred expired while
> > there is still dirty data in the client's page cache" problem, I think.
>
> OK.
>
> The ability to perform writes using the machine credential is built on
> top of SP4_MACH_CRED, but is optional for servers to support.

Right, but given that they solve a real problem with secure NFS, I
expect that most servers will implement it eventually. For that reason,
we will be implementing it on the client. I just need to get the basic
NFSv4.1 state management stuff debugged first.

--
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@xxxxxxxxxx
www.netapp.com