On Tue, 08 Apr 2014 13:27:01 -0400
Simo Sorce <simo@xxxxxxxxxx> wrote:

> On Tue, 2014-04-08 at 12:44 -0400, Jeff Layton wrote:
> >
> > I think that's what happens. We only fall back to using AUTH_SYS if
> > nfs_create_rpc_client returns -EINVAL. In the event that the security
> > negotiation fails, we should get back -EACCES and that should bubble
> > back up to userland.
> >
> > The real problem is that gssd (and also the krb5 libs themselves) will
> > try to canonicalize the name. The resulting host portion of the SPN
> > may bear no resemblance to the hostname in the device string. In fact,
> > if you mount using an IP address then you're pretty much SOL.
>
> If you mount by IP do you really care about krb5? Probably not, maybe
> that's a clue we should not even try ...
>

It's certainly possible that someone passes in an IP address but then
says "-o sec=krb5". It has worked in the past, so it's hard to know
whether and how many people actually depend on it.

> > I haven't tried it yet, but it looks reasonably trivial to fix gssd
> > not to bother with DNS at all and just rely on the hostname. That
> > won't stop the krb5 libs from doing their canonicalization though. I'm
> > not sure if there's some way to ask the krb5 libs to avoid doing that.
>
> [libdefaults]
> rdns = false
>
> And I think we changed the default to false in Fedora/RHEL lately ...
>
> Simo.
>

That's a step in the right direction, but I think that the rdns just
makes it skip the reverse lookup. AFAIK, the MIT libs will still do
getaddrinfo and scrape out the ai_canonname and use that in preference
to the hostname you pass in.

-- 
Jeff Layton <jlayton@xxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
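The following is an added example, not code from this thread, from gssd or from libkrb5. It is a small C model of the canonicalization step Jeff describes: a constructed in-memory table stands in for getaddrinfo(AI_CANONNAME) and getnameinfo(NI_NAMEREQD) so it runs offline, and all hostnames and addresses in it are hypothetical. It shows why rdns = false removes only the reverse-lookup step (the forward lookup's ai_canonname still replaces the name the mount passed in), why an IP literal ends up as the host part of the SPN unless a PTR record rewrites it, and what the separate MIT krb5 [libdefaults] option dns_canonicalize_hostname = false (not mentioned in the thread) does: it skips both lookups and uses the name as given, lowercased. The exact order of operations inside libkrb5 is simplified here and should be treated as an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for DNS so the example runs offline.  Real gssd and
 * libkrb5 call getaddrinfo() with AI_CANONNAME (forward) and getnameinfo()
 * with NI_NAMEREQD (reverse); this table plays both roles.  Every name and
 * address below is hypothetical.
 */
struct fake_dns {
    const char *query;  /* what the caller passed, lowercased, no trailing dot */
    const char *canon;  /* what getaddrinfo() would return in ai_canonname     */
    const char *addr;   /* first address returned                              */
    const char *ptr;    /* PTR record for that address, NULL if none           */
};

static const struct fake_dns table[] = {
    { "nfs",               "nfs01.example.com", "10.0.0.5", "storage-vip.example.com" },
    { "nfs01.example.com", "nfs01.example.com", "10.0.0.5", "storage-vip.example.com" },
    /* numeric input: getaddrinfo() hands the literal back as ai_canonname */
    { "10.0.0.5",          "10.0.0.5",          "10.0.0.5", "storage-vip.example.com" },
    { "10.0.0.9",          "10.0.0.9",          "10.0.0.9", NULL },
};

static void normalize(char *s)   /* lowercase and drop one trailing dot */
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '.')
        s[--n] = '\0';
    for (size_t i = 0; i < n; i++)
        s[i] = (char)tolower((unsigned char)s[i]);
}

static const struct fake_dns *forward(const char *name)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].query, name) == 0)
            return &table[i];
    return NULL;
}

static const char *reverse(const char *addr)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].addr, addr) == 0)
            return table[i].ptr;
    return NULL;
}

/*
 * Host component of the "nfs/<host>@REALM" principal, modelled (as an
 * assumption, simplified) on the canonicalization in krb5_sname_to_principal():
 *   dns_canonicalize = 0 -> use the name as given, no lookups at all
 *   dns_canonicalize = 1 -> replace it with ai_canonname from the forward
 *                           lookup; then, if rdns is set and a PTR exists,
 *                           replace it again with the reverse-lookup result.
 * Returns out, or NULL when the forward lookup fails or out is too small.
 */
const char *sname_host(const char *host, int dns_canonicalize, int rdns,
                       char *out, size_t outlen)
{
    if (strlen(host) >= outlen)
        return NULL;
    strcpy(out, host);
    normalize(out);
    if (!dns_canonicalize)
        return out;

    const struct fake_dns *e = forward(out);
    if (e == NULL)
        return NULL;                  /* getaddrinfo() failed */
    const char *name = e->canon;      /* ai_canonname replaces the caller's name */
    if (rdns) {
        const char *ptr = reverse(e->addr);
        if (ptr != NULL)              /* a successful reverse lookup wins */
            name = ptr;
    }
    if (strlen(name) >= outlen)
        return NULL;
    strcpy(out, name);
    normalize(out);
    return out;
}

int main(void)
{
    const char *inputs[] = { "nfs", "NFS01.example.com.", "10.0.0.5", "10.0.0.9" };
    const int modes[][2] = { {1, 1}, {1, 0}, {0, 0} };  /* {dns_canonicalize, rdns} */
    char buf[256];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        for (size_t m = 0; m < 3; m++) {
            const char *h = sname_host(inputs[i], modes[m][0], modes[m][1],
                                       buf, sizeof buf);
            printf("%-20s canonicalize=%d rdns=%d -> nfs/%s\n", inputs[i],
                   modes[m][0], modes[m][1], h ? h : "(lookup failed)");
        }
    return 0;
}
```

Build with `cc -std=c99 -Wall sname.c -o sname` and run it. The rows for "nfs" show the point of Jeff's last paragraph: with rdns = false the SPN host is still "nfs01.example.com" rather than the "nfs" the mount named, and with dns_canonicalize_hostname = false the server's keytab has to contain an entry for the name exactly as typed in the device string. The "10.0.0.9" row is the mount-by-IP case with no PTR record: the client asks the KDC for nfs/10.0.0.9, which no sane keytab contains. On a real client, `klist` against the credential cache gssd used shows which nfs/... service ticket was actually requested.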