Re: NFS clientaddr, kerberos


 



On Jun 22, 2013, at 10:59 AM, James <purpleidea@xxxxxxxxx> wrote:

> Dear NFS experts, I have a few questions:
> 
> 1) Concerning the NFSv4 clientaddr option, I'm curious about the
> technical details of why the server needs a callback address, and what
> to do if the client isn't directly routable? (eg: behind NAT) I am
> thinking of the situation with *many* clients.

If a callback path is not available, the server will not grant delegations to the client.  Delegation is simply a performance optimization.  Normal operation can proceed.

> Also, what ports need to be open on the client? Does it need to respond
> to "NEW" traffic, or only "ESTABLISHED" or ?

Typically the client will choose a port at random.  The client's callback address and port are provided to the server by the NFSv4 SETCLIENTID operation.

The server tests the provided callback arguments with a CB_NULL request (and a new TCP connection) either at mount time or when a client application first opens a file on that server.  If the arguments do not result in a successful CB_NULL, the server simply disables delegation for that client.

You can fix the port the client uses, if you have a firewall in place and want to leave an open port.  A kernel command-line parameter is used on the client:

        nfs.callback_tcpport=
                        [NFS] set the TCP port on which the NFSv4 callback
                        channel should listen.

Although, these days, it may be a per-namespace thing.  A quick browse of the documentation wasn't revealing.

> 2) In /etc/exports, for an NFSv4 export, you often see docs suggesting:
> sec=sys,krb5,krb5i,krb5p OR the same but without the 'sys' part. If you
> instead do 'sec=krb5p' will this *force* clients to use full encryption
> and authentication, and deny those who try to mount without sec=krb5p ?
> In particular, if a client tries to mount with sec=krb5i, what should
> happen? For some reason I haven't seen anyone just use 'sec=krb5p' and I
> wanted to know what was up.

If you specify "sec=krb5p" for an export, clients can mount that export only using sec=krb5p.  Thus a mount command that specifies sec=krb5i should fail with EACCES.

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
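The callback probe described above, as an added example that is not code from this thread or from the Linux kernel: the server opens a fresh TCP connection to the address and port the client supplied in SETCLIENTID and sends an ONC RPC NULL call (CB_NULL, procedure 0) to the callback program. The program number 0x40000000 and version 1 are those of the NFSv4.0 callback service; the record-marking and RPC v2 header layouts follow the ONC RPC specification. The in-process listener is a stand-in I constructed for the test, since the real callback service lives in the client kernel; `probe_callback` pointed at a real client's address and `nfs.callback_tcpport` is the firewall check to run from the server side, and a refused or timed-out connection is exactly the condition under which the server stops handing out delegations.

```python
"""Probe an NFSv4.0 callback path the way a server does: new TCP connection
to the client's callback address/port, then an RPC NULL call.
Added example for the linux-nfs thread; not kernel code."""
import socket
import struct
import threading

NFS4_CALLBACK_PROG = 0x40000000  # program number of the NFSv4 callback service
NFS4_CALLBACK_VERS = 1           # NFSv4.0 callback protocol version
CB_NULL = 0                      # procedure 0 is NULL in every ONC RPC program
RPC_CALL, RPC_REPLY = 0, 1
AUTH_NULL = 0


def build_null_call(xid):
    """Encode an ONC RPC v2 CALL for procedure 0 with AUTH_NULL cred/verf."""
    body = struct.pack("!IIIIII", xid, RPC_CALL, 2,
                       NFS4_CALLBACK_PROG, NFS4_CALLBACK_VERS, CB_NULL)
    body += struct.pack("!II", AUTH_NULL, 0)  # credential: flavor, length
    body += struct.pack("!II", AUTH_NULL, 0)  # verifier:   flavor, length
    return body


def build_null_reply(xid):
    """MSG_ACCEPTED (0) / SUCCESS (0) reply carrying an empty AUTH_NULL verifier."""
    return struct.pack("!IIIIII", xid, RPC_REPLY, 0, AUTH_NULL, 0, 0)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def send_record(sock, payload):
    # RPC-over-TCP record marking: 4-byte header, MSB = last fragment.
    sock.sendall(struct.pack("!I", 0x80000000 | len(payload)) + payload)


def recv_record(sock):
    data = b""
    while True:
        (mark,) = struct.unpack("!I", recv_exact(sock, 4))
        data += recv_exact(sock, mark & 0x7FFFFFFF)
        if mark & 0x80000000:
            return data


def probe_callback(host, port, timeout=2.0):
    """True if a CB_NULL round trip succeeds; False on connect or RPC failure."""
    xid = 0x1234ABCD  # arbitrary transaction id, echoed back by the peer
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            send_record(s, build_null_call(xid))
            reply = recv_record(s)
    except OSError:  # refused, timed out, reset, or closed: no callback path
        return False
    if len(reply) < 20:
        return False
    rxid, mtype, rstat, _flavor, vlen = struct.unpack("!IIIII", reply[:20])
    off = 20 + ((vlen + 3) & ~3)  # skip the XDR-padded verifier body
    if len(reply) < off + 4:
        return False
    (astat,) = struct.unpack("!I", reply[off:off + 4])
    return rxid == xid and mtype == RPC_REPLY and rstat == 0 and astat == 0


def start_fake_callback_listener():
    """Constructed stand-in for the client's callback service: accept one
    connection, answer one well-formed CB_NULL, then exit."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            call = recv_record(conn)
            xid, mtype, vers, prog, pvers, proc = struct.unpack("!IIIIII", call[:24])
            if (mtype, vers, prog, pvers, proc) == (
                    RPC_CALL, 2, NFS4_CALLBACK_PROG, NFS4_CALLBACK_VERS, CB_NULL):
                send_record(conn, build_null_reply(xid))
            # anything else: drop the connection and the probe reports failure

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def demo():
    """Probe a live listener, then a port with nothing behind it."""
    port, t = start_fake_callback_listener()
    reachable = probe_callback("127.0.0.1", port)
    t.join(5)
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    dead_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here now: connection refused
    unreachable = probe_callback("127.0.0.1", dead_port)
    return reachable, unreachable


if __name__ == "__main__":
    print(demo())
```

Against a real client, `probe_callback(client_ip, callback_port)` tells you whether the firewall admits NEW inbound TCP from the server to that port; a client may apply its own checks on who it answers, so treat a refused or timed-out connection, not a non-zero accept status, as the definitive sign that delegations will be disabled.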




--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



