On 08/11/13 11:27, Weston Andros Adamson wrote: > > On Nov 8, 2013, at 10:00 AM, Steve Dickson <SteveD@xxxxxxxxxx> wrote: > >> What server makes krb5i available today in state setup and pseudoroot lookups? > > Linux nfsd, among others… > > The real issue I see here is what Trond was mentioning earlier - the order of multiple mounts of the same server matters, i.e.: > > 1) mount sec=krb5i server:/foo /mnt1 > 2) mount sec=sys server:/foo /mnt2 > > This leads to the state operations to server using krb5i, but: > > 1) mount sec=sys server:/foo /mnt2 > 2) mount sec=krb5i server:/foo /mnt1 > > this leads to the state operations to server using AUTH_SYS. yuck. > > I don’t think we can just upgrade the state connection from AUTH_SYS to krb5i > when this happens, that is why we try krb5i first, then fall back to AUTH_SYS. Excellent explanation! Thanks you! But... ;-) This assumes the admin is actually trying to krb5i which means he/she has set up a functioning Kerberos environment. But we can't assume every client has a valid Kerberos environment, which is what the code is doing today! steved. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
