On Wed, Aug 03, 2016 at 03:14:21PM -0400, Chuck Lever wrote:
> > On Aug 2, 2016, at 2:06 PM, bfields@xxxxxxxxxxxx wrote:
> > You should be able to use the same context with different services.
> >
> > Apologies, I haven't caught up with the whole discussion above, this one
> > point just jumped out at me. If you're trying to request a whole new
> > gss context just so you can use, e.g., integrity instead of privacy,
> > then something's wrong.
>
> As I understand it, GSS contexts are fungible until they have been
> used. On first use, the context is bound to a particular service.
> Subsequently it cannot be used with another service.
>
> The Solaris server seems to expect that separate GSS contexts are
> needed when the same UID employs different GSS services. If Solaris
> is wrong about this, can you show me RFC language that specifically
> allows it? I can take that back to the Solaris developers.

No, you're right, apologies; from https://tools.ietf.org/html/rfc2203

    Although clients can change the security service and QOP used on
    a per-request basis, this may not be acceptable to all RPC
    services; some RPC services may "lock" the data exchange phase
    into using the QOP and service used on the first data exchange
    message.

--b.
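
The locking behaviour the RFC 2203 passage permits, as an added example that is not part of the thread and is not Linux or Solaris code: it parses the XDR body of a version 1 `rpc_gss_cred_t` and applies a per-context "lock on first data exchange" policy. The field layout and numeric constants follow RFC 2203; `struct gss_ctx`, `lock_on_first_use`, the function names and the sample credential bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { GSS_PROC_DATA = 0 };                                /* RPCSEC_GSS_DATA */
enum { SVC_NONE = 1, SVC_INTEGRITY = 2, SVC_PRIVACY = 3 }; /* rpc_gss_service_t */

struct gss_cred { uint32_t vers, proc, seq, service, hlen; uint8_t handle[64]; };
/* Hypothetical per-context server state; locked_service == 0 means "not yet used". */
struct gss_ctx { uint32_t locked_service; int lock_on_first_use; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse version, gss_proc, seq_num, service and handle<>. Returns 0, or -1 if malformed. */
int parse_cred(const uint8_t *b, size_t len, struct gss_cred *c) {
    if (len < 20) return -1;
    c->vers = be32(b); c->proc = be32(b + 4); c->seq = be32(b + 8);
    c->service = be32(b + 12); c->hlen = be32(b + 16);
    if (c->vers != 1 || c->service < SVC_NONE || c->service > SVC_PRIVACY) return -1;
    if (c->hlen > sizeof(c->handle) || c->hlen > len - 20) return -1; /* bounds before copy */
    memcpy(c->handle, b + 20, c->hlen);
    return 0;
}

/* Data-phase policy check. Returns 0 to accept the request, -1 to reject it. */
int check_service(struct gss_ctx *ctx, const struct gss_cred *c) {
    if (c->proc != GSS_PROC_DATA || !ctx->lock_on_first_use) return 0;
    if (ctx->locked_service == 0) ctx->locked_service = c->service; /* first use binds */
    return ctx->locked_service == c->service ? 0 : -1;
}

/* Constructed sample credential: vers 1, DATA, given seq and service, 4-byte handle. */
static void make_cred(uint8_t *b, uint32_t seq, uint32_t svc) {
    const uint8_t t[24] = {0,0,0,1, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,4, 0xde,0xad,0xbe,0xef};
    memcpy(b, t, 24); b[11] = (uint8_t)seq; b[15] = (uint8_t)svc;
}

int main(void) {
    uint8_t b[24]; struct gss_cred c; struct gss_ctx ctx = {0, 1};
    make_cred(b, 1, SVC_PRIVACY);
    if (parse_cred(b, 24, &c) == 0) printf("privacy:   %d\n", check_service(&ctx, &c));
    make_cred(b, 2, SVC_INTEGRITY);
    if (parse_cred(b, 24, &c) == 0) printf("integrity: %d\n", check_service(&ctx, &c));
    return 0;
}
```

A client talking to a server that behaves like the locking context here has to establish a separate context per service; with `lock_on_first_use` set to 0 the same context is accepted for any service.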