On Tue, 2014-04-08 at 12:44 -0400, Jeff Layton wrote:
>
> I think that's what happens. We only fall back to using AUTH_SYS if
> nfs_create_rpc_client returns -EINVAL. In the event that the security
> negotiation fails, we should get back -EACCES and that should bubble
> back up to userland.
>
> The real problem is that gssd (and also the krb5 libs themselves) will
> try to canonicalize the name. The resulting host portion of the SPN
> may bear no resemblance to the hostname in the device string. In fact,
> if you mount using an IP address then you're pretty much SOL.

If you mount by IP do you really care about krb5? Probably not, maybe
that's a clue we should not even try ...

> I haven't tried it yet, but it looks reasonably trivial to fix gssd
> not to bother with DNS at all and just rely on the hostname. That
> won't stop the krb5 libs from doing their canonicalization though. I'm
> not sure if there's some way to ask the krb5 libs to avoid doing that.

    [libdefaults]
        rdns = false

And I think we change the default to false in Fedora/RHEL lately ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York