> On Apr 6, 2018, at 12:07 PM, Orion Poplawski <orion@xxxxxxxx> wrote:
>
> On 04/03/2018 09:44 AM, Orion Poplawski wrote:
>> Kernel is 3.10.0-693.21.1.el7.x86_64 I don't have Red Hat support for these
>> systems.
>>
>> I discovered that I'd been forcing vers=4.0 mounts in order to work around a
>> mounting issue.
>
> And I'm back to seeing the mount issue at boot. Here's the situation - we're
> forcing kerberos on the public network, but allowing sec=sys on some private
> networks:
>
> /etc/exports:
> / -ro,async,fsid=0 192.168.1.0/24(sec=sys)
> 192.168.2.0/24(sec=sys) *.nwra.com(sec=krb5)
> /export/home -rw,async,nohide 192.168.1.0/24(sec=sys)
> 192.168.2.0/24(sec=sys) *.nwra.com(sec=krb5)
>
> So for a while after boot, attempts to mount with sec=sys fail:
>
> # mount -t nfs4 -s -o
> sec=sys,intr,rsize=262144,wsize=262144,noatime,lookupcache=positive,actimeo=1
> earthib.cora.nwra.com:/export/home/greg /mnt
> mount.nfs4: Operation not permitted
>
> But then later they work:
>
> # mount -t nfs4 -s -o
> sec=sys,intr,rsize=262144,wsize=262144,noatime,lookupcache=positive,actimeo=1
> earthib.cora.nwra.com:/export/home/greg /mnt
> # umount /mnt
>
> This can cycle back and forth.
>
> I've attached a packet capture of some failed mount attempts. It seems that
> even with specifying sec=sys, some kerberos stuff is going on.
>
> It appears to be related to mounting a different sec=krb5 mount over the
> public network from the same server. While that mount is active, the sec=sys
> mounts fail. When it is unmounted, they work. At least now I think I can
> work around this...

For NFSv4, the client is going to use krb5i to do lease management even on sec=sys mounts. An NFSv4 server has to know for sure when it is talking to the same client on different network interfaces or with different security flavors. Thus the client has to use the same security flavor for lease management on all of its mounts of that server. That's not controlled by the sec= mount option.

I assume that "but then later" lasts only a few multiples of the server's lease time (90 seconds by default)?

Clients that use only the private network interface should be able to use sec=sys. But clients that use both the public and private interfaces should need to use sec=krb5 on both.

--
Chuck Lever
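An added example, not part of the thread: a Python check that finds NFSv4 servers a client has mounted with more than one sec= flavor, the combination the reply above says should not be used across the public and private interfaces. The sample /proc/mounts lines, the public server name, the addresses and the alias map are constructed assumptions; only earthib.cora.nwra.com appears in the thread.

```python
from collections import defaultdict

# Constructed sample in /proc/mounts format. Only earthib.cora.nwra.com comes
# from the thread; the other names and all addresses are placeholders.
SAMPLE_MOUNTS = """\
nfs-public.example:/export/data /data nfs4 rw,vers=4.0,sec=krb5,clientaddr=203.0.113.5,addr=203.0.113.1 0 0
earthib.cora.nwra.com:/export/home/greg /mnt nfs4 rw,noatime,vers=4.0,sec=sys,clientaddr=192.168.1.5,addr=192.168.1.1 0 0
other.example:/srv /srv nfs4 rw,vers=4.1,sec=sys,clientaddr=192.168.2.5,addr=192.168.2.9 0 0
/dev/sda1 / xfs rw,relatime 0 0
"""

# Hypothetical alias map: every name of one multi-homed server -> one label.
SERVER_ALIASES = {"nfs-public.example": "earth", "earthib.cora.nwra.com": "earth"}


def mixed_flavor_servers(mounts_text, aliases):
    """Return {server: [flavors]} for NFSv4 servers mounted with more than one sec=."""
    flavors = defaultdict(set)
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        # Mount options are comma-separated key=value pairs (or bare flags).
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        if not opts.get("vers", "").startswith("4"):
            continue  # the shared-lease behaviour described is NFSv4-specific
        host = fields[0].partition(":/")[0]
        flavors[aliases.get(host, host)].add(opts.get("sec", "unknown"))
    return {srv: sorted(f) for srv, f in flavors.items() if len(f) > 1}


if __name__ == "__main__":
    for server, found in mixed_flavor_servers(SAMPLE_MOUNTS, SERVER_ALIASES).items():
        print(f"{server}: mixed security flavors {found}")
```

On a real client, pass the contents of /proc/mounts and an alias map listing each name or address of the multi-homed server.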