Re: AUTH_NONE at top of SECINFO_NONAME reply.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 4/19/16, 17:24, "NeilBrown" <linux-nfs-owner@xxxxxxxxxxxxxxx on behalf of neilb@xxxxxxxx> wrote:

>On Tue, Apr 19 2016, J. Bruce Fields wrote:
>
>> On Thu, Apr 14, 2016 at 09:33:22AM +1000, NeilBrown wrote:
>>>  I have an NFSv4.1 server (Netapp, don't know about version numbers)
>>>  which responds to
>>>     PUT_ROOTFH
>>>     SECINFO_NONAME
>>> 
>>> with:
>>> 
>>> flavor: AUTH_NULL (0)
>>> flavor: RPCSEC_GSS (6)
>>>     service: rpcsec_gss_svc_integrity (2)
>>> flavor: RPCSEC_GSS (6)
>>>     service: rpcsec_gss_svc_none (1)
>>> flavor: AUTH_UNIX (1)
>>> 
>>> This causes the Linux client to use AUTH_NULL, which doesn't end well
>>>    Opcode: ACCESS (3), [Access Denied: RD LU MD XT DL]
>>> 
>>> I suspect this is a server bug, because the first flavor is meant to be
>>> the most preferred.  However I wonder if there might be something else
>>> going on.
>>> 
>>> 1/ I note that for NFSv3 AUTH_NULL means something a bit different
>>>   in this context:
>>> 
>>> 	 * AUTH_NULL has a special meaning when it's in the server list - it
>>> 	 * means that the server will ignore the rpc creds, so any flavor
>>> 	 * can be used.
>>> 
>>>   Is there any chance that servers might reasonably expect that
>>>   behavior for NFSv4.1 as well??
>>
>> I'll admit it seems a trap for the unwary implementor, but I think this
>> case is really clear:
>>
>> 	http://tools.ietf.org/html/rfc5661#section-18.29.3
>>
>> 	The result will contain an array that represents the security
>> 	mechanisms available, with an order corresponding to the
>> 	server's preferences, the most preferred being first in the
>> 	array.  The client is free to pick whatever security mechanism
>> 	it both desires and supports, or to pick in the server's
>> 	preference order the first one it supports.
>>
>> So we should be leaning on the server vendor to fix and/or explain
>> what's going on there.
>
>That was the direction I was leaning, but it is nice to have it
>confirmed - particularly given the interesting rules with NFSv3.
>
>My colleague subsequently discovered that there were setting on the
>Netapp which could change the behavior.   He fiddled things and the
>problem went away, but he noted:
>
>	On the netapp side, I have three of these settings: rorule,rwrule,superuser, and for
>	each of these I can set
>	from the list: "any   none  krb5  krb5i ntlm  sys". So with
>	"ro=sys,rw=none,superuser=any" I'm still in the
>	situation where I can get the AUTH_NULL first ...
>
>("AUTH_NULL first" being the problematic situation).
>I wonder if "none" means "no authentication needed" or "no access
>given".

A certain thomas@xxxxxxxxxx explained the behaviour thus:

 https://www.ietf.org/mail-archive/web/nfsv4/current/msg09743.html

Cheers
  Trond
��.n��������+%������w��{.n�����{��w���jg��������ݢj����G�������j:+v���w�m������w�������h�����٥
[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux