On Tue, 2013-11-12 at 22:46 -0500, J. Bruce Fields wrote: +AD4- OK, but it still seems dumb to even attempt the reverse lookup: the +AD4- lookup probably isn't secure, and the mount commandline should have a +AD4- name that we can match to a krb5 principal without needing any other +AD4- lookups. +AD4- +AD4- So I'd think reasonable behavior in this case would be to just try the +AD4- IP address on the chance there's actually an nfs/x.y.z.w+AEA-REALM +AD4- principal. (Or just fail outright if kerberos doesn't allow principals +AD4- that look like that.) Looking through the krb5.conf manpage etc it looks as if a lot of this functionality should be covered by the krb protocol itself without us needing to do explicit reverse lookups in rpc.gssd. I'm thinking of the 'canonicalize' and 'rdns' options, for instance. Am I wrong? -- Trond Myklebust Linux NFS client maintainer NetApp Trond.Myklebust+AEA-netapp.com www.netapp.com -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
