On Tue, 04 Jun 2013 20:56:31 -0400 Chuck Lever <chuck.lever@xxxxxxxxxx> wrote:

> Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting"
> Fri Sep 14 17:24:32 2012 introduced Uniform Client String support,
> which forces our NFS client to establish a client ID immediately
> during a mount operation rather than waiting until a user wants to
> open a file.
>
> Normally machine credentials (eg. from a keytab) are used to perform
> a mount operation that is protected by Kerberos. Before 05f4c350,
> SETCLIENTID uses a machine credential, or falls back to a regular
> user's credential if no keytab is available.
>
> 05f4c350 seems to have broken the ability to mount with sec=krb5 on
> clients that don't have a keytab. Performing SETCLIENTID early
> means there may be no user credential to fall back on, since during
> system initialization no regular user has kinit'd yet.
>
> Typically, root is required to kinit in this situation anyway to
> make a sec=krb5 mount work. So, the kernel should try to use root's
> credential for lease management if there's no keytab.
>
> The new logic should cause the root credential to be tried only
> after both the machine cred and a user cred are found to be
> unavailable.
>
> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
> ---
>
> Hi Neil-
>
> Here's a wacky idea to continue our conversation. Tested just
> enough to confirm it may do something useful. Applies to 3.7.
> Something similar might work for 3.8 and 3.9.
>

Thanks Chuck!
Looks interesting. I'll see if I can get it tested by someone who
actually depends on this working. I'll let you know how it goes.

NeilBrown