On Jun 22, 2013, at 10:59 AM, James <purpleidea@xxxxxxxxx> wrote:

> Dear NFS experts, I have a few questions:
>
> 1) Concerning the NFSv4 clientaddr option, I'm curious about the
> technical details of why the server needs a callback address, and what
> to do if the client isn't directly routable? (eg: behind NAT) I am
> thinking of the situation with *many* clients.

If a callback path is not available, the server will not grant delegations to the client. Delegation is simply a performance optimization. Normal operation can proceed.

> Also, what ports need to be open on the client? Does it need to respond
> to "NEW" traffic, or only "ESTABLISHED" or ?

Typically the client will choose a port at random. The client's callback address and port are provided to the server by the NFSv4 SETCLIENTID operation. The server tests the provided callback arguments with a CB_NULL request (and a new TCP connection) either at mount time or when a client application first opens a file on that server. If the arguments do not result in a successful CB_NULL, the server simply disables delegation for that client.

You can fix the port the client uses, if you have a firewall in place and want to leave an open port. A kernel command-line parameter is used on the client:

    nfs.callback_tcpport=
        [NFS] set the TCP port on which the NFSv4 callback
        channel should listen.

Although, these days, it may be a per-namespace thing. A quick browse of the documentation wasn't revealing.

> 2) In /etc/exports, for an NFSv4 export, you often see docs suggesting:
> sec=sys,krb5,krb5i,krb5p OR the same but without the 'sys' part. If you
> instead do 'sec=krb5p' will this *force* clients to use full encryption
> and authentication, and deny those who try to mount without sec=krb5p ?
> In particular, if a client tries to mount with sec=krb5i, what should
> happen? For some reason I haven't seen anyone just use 'sec=krb5p' and I
> wanted to know what was up.
If you specify "sec=krb5p" for an export, clients can mount that export only using sec=krb5p. Thus a mount command that specifies sec=krb5i should fail with EACCES.

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
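As an added example (not code from this thread or from the Linux NFS project), here is a small Python audit that models the sec= rule in the answer above: the colon-separated sec= list of an export entry, in exports(5) syntax, is the set of flavors a client may mount with, a missing sec= means AUTH_SYS only, and a mount requesting any other flavor is refused. The /etc/exports content is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample /etc/exports; not taken from the original message.
SAMPLE_EXPORTS = """\
# pseudo-root; accepts everything from AUTH_SYS up to krb5p
/srv/nfs4        *(rw,sec=sys:krb5:krb5i:krb5p,fsid=0)
/srv/nfs4/secure 192.168.1.0/24(rw,sec=krb5p) admin.example.com(rw,sec=krb5i:krb5p)
/srv/nfs4/legacy 10.0.0.0/8(ro)
"""

# exports(5) syntax: host(opt,opt,...); sec= takes colon-separated flavors.
ENTRY_RE = re.compile(r'([^\s(]+)\(([^)]*)\)|(\S+)')

def parse_exports(text: str) -> List[Dict]:
    """One dict per (path, host) with the sec= flavors that host may use.
    No sec= option means the exports(5) default, AUTH_SYS only."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        path, rest = (line.split(None, 1) + [''])[:2]
        for m in ENTRY_RE.finditer(rest):
            flavors = ['sys']
            for opt in (m.group(2) or '').split(','):
                if opt.startswith('sec='):
                    flavors = opt[len('sec='):].split(':')
            entries.append({'path': path, 'host': m.group(1) or m.group(3),
                            'sec': flavors})
    return entries

def mount_allowed(entry: Dict, client_sec: str) -> bool:
    """The server admits a mount only if the client's sec= flavor is in the
    export's list, so sec=krb5i against a sec=krb5p export is refused."""
    return client_sec in entry['sec']

def audit(entries: List[Dict]) -> List[Tuple[str, str, str]]:
    """Flag exports that admit AUTH_SYS (no real authentication) or any
    flavor other than krb5p (krb5 and krb5i leave data unencrypted)."""
    findings = []
    for e in entries:
        weaker = [f for f in e['sec'] if f != 'krb5p']
        if 'sys' in weaker:
            findings.append((e['path'], e['host'], 'admits AUTH_SYS'))
        elif weaker:
            findings.append((e['path'], e['host'], 'unencrypted flavors: ' + ','.join(weaker)))
    return findings
```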