Hi Rick,

That's by design (rather that's what spec says? It may be RFC 8881 2.4.3 and probably somewhere else that ops that are done with machine creds must use the same gss flavor?). All state operations are done with sec=krb5i (if Kerberos is configured on the machine) and then other operations are done with whatever flavor was specified on the mount command.

On Sun, Apr 2, 2023 at 7:24 PM Rick Macklem <rick.macklem@xxxxxxxxx> wrote:
>
> Hi,
>
> I've been testing a Linux 5.15 NFSv4.2 client against a
> FreeBSD server to test recently added SP4_MACH_CRED
> support in the FreeBSD server.
>
> I noticed the following oddity, which I thought I'd report
> in case it is considered a bug and not a feature.
> I do a mount like:
> # mount -t nfs -o nfsvers=4,sec=krb5 nfsv4-server:/ /mnt
> #
> - When looking at the packet capture during the mount,
>   the ExchangeID, CreateSession and ReclaimComplete
>   are done with integrity (ie. krb5i) and ExchangeID uses
>   SP4_MACH_CRED.
> - Then, subsequent RPCs do not use integrity, as I would
>   have assumed, given the "sec=krb5" argument.
>   However, some subsequent RPCs in the must_allow ops
>   list for SP4_MACH_CRED choose to use the "machine
>   principal" and do krb5i.
>
> It just seems weird that it mixes krb5 and krb5i. I had
> not expected it to use SP4_MACH_CRED when
> "sec=krb5" was specified.
>
> However, it seems to work fine this way, so I can see
> the argument that this is a "feature" and not a bug.
>
> Just fyi, rick