Date:      Sun, 29 Apr 2012 11:46:07 -0400
From:      Robert Simmons <rsimmons0@gmail.com>
To:        freebsd-fs@freebsd.org
Subject:   Re: NFSv4 Questions
Message-ID:  <CA%2BQLa9B4Xxc-4pCo8y4pgU1BBoBvC2xG4vA3Kydr-Q2dXWRpNw@mail.gmail.com>
In-Reply-To: <310519099.96451.1335704999990.JavaMail.root@erie.cs.uoguelph.ca>
References:  <CA%2BQLa9A-ZzupAaLxiuc_0uGYyOOmgcYfxE8SH5cxzMR8gxOGpQ@mail.gmail.com> <310519099.96451.1335704999990.JavaMail.root@erie.cs.uoguelph.ca>

On Sun, Apr 29, 2012 at 9:09 AM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> Robert Simmons wrote:
>> I've been digging and digging to find sources to clarify the
>> exports(5) man page with no luck. What I have read differs from what
>> I see on my server. From the man page examples section:
>>
>> V4: / -sec=krb5:krb5i:krb5p -network 131.104.48 -mask 255.255.255.0
>>
>> Now, here is what I have put as an experiment to try to understand
>> what's happening here (my /etc/exports):
>>
>> V4: / -sec=krb5 -network 192.168.1 -mask 255.255.255.0
>> /
>>
>> In this case, -sec=krb5 is totally ignored. I can mount / using sys.
>>
> The "-sec=krb5" restriction applies to state related operations that don't
> use file handles.
> The FreeBSD mount doesn't do any of those, so it is the options on the second line
> "/" that control whether or not the mount succeeds.
>
> With the above exports, the first Open of a file should fail when attempted via auth_sys,
> at least for the FreeBSD client. (The FreeBSD client doesn't try and establish
> state via SetClientID until the first Open. Some other clients do so at mount time.)
>
> I know this is ugly, but I thought it would be confusing to have the semantics
> of the other export lines (like "/") different for NFSv4 than NFSv2,3. For NFSv2,3
> all RPCs involve a file handle, so they can be associated with a server volume.
> For NFSv4, this is not the case, since some state related operations
> (SetClientID/SetClientIDConfirm/Renew and maybe a couple of others) do not use
> a file handle and, as such, can't be associated with an exported volume. I put
> the options in the "V4:" for those, since I couldn't think of where else to put
> them.

I think a rewrite of exports(5) might help out quite a lot.
Especially if the EXAMPLES section was scrapped entirely and replaced
with a set of examples each one more granular in explaining one
feature or use case instead of lumping all of it into explaining one
huge export file.

Since I'm working on setting up a pair of NFS servers with a set of
clients, I volunteer.  May I contact you offlist if I have questions?

>> If I use this:
>>
>> V4: /
>> / -sec=krb5
>>
>> It requires proper kerberos authentication.
>>
> Yep, as explained above. If you really want to restrict NFSv4 use to kerberos,
> then you should put the "-sec=krb5" on the V4: line and all lines exporting
> volumes. For example:
> V4: / -sec=krb5
> / -sec=krb5

Got it.

>> My next question is can I reject NFSv3/v2 clients/connections?
>>
> sysctl vfs.nfsd.server_min_nfsvers=4

Perfect.

>> Third question is: how can I disable rpcbind? It seems that the
>> following does not work in rc.conf:
>> rpcbind_enable="NO"
>> When I'm running NFSv4 rpcbind is not needed, but it seems that mountd
>> always starts rpcbind no matter what I do:
>> /etc/rc.d/rpcbind stop
>> is the only way to do it, and that is only after boot, or mountd
>> starting.
> Yea, I suppose there should be a -nfsv4-only option on mountd, so it
> knows that it only needs to do exports and doesn't need rpcbind.
> Since you are probably the first person wanting an NFSv4 only server,
> I hadn't thought to do this. I'll put it on my "to do" list.

If I may, perhaps a switch in /etc/rc.conf:
nfsv4_only="YES"

This would set the -nfsv4-only switch you mention for mountd, and it
would set vfs.nfsd.server_min_nfsvers=4

This would be exactly what I'm looking for.

Thanks for your help!
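As an added example (not code from this thread or from FreeBSD), a small Python check of the exports(5) semantics Rick describes above: it flags export lines that would still admit AUTH_SYS clients even when the V4: line carries -sec=krb5. The two sample exports files are constructed from the configurations quoted in the thread.

```python
import re

# Constructed samples: the two /etc/exports layouts quoted in this thread.
WEAK_EXPORTS = """\
V4: / -sec=krb5 -network 192.168.1 -mask 255.255.255.0
/
"""
STRICT_EXPORTS = """\
V4: / -sec=krb5
/ -sec=krb5
"""

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}


def parse_sec(line):
    """Flavors listed in -sec=a:b:c on an exports line, or None when the
    line has no -sec option (then the default, AUTH_SYS, is accepted)."""
    m = re.search(r"-sec=([A-Za-z0-9:]+)", line)
    return set(m.group(1).split(":")) if m else None


def audit_exports(text):
    """Return (lineno, line, reason) for every line that still lets a
    non-Kerberos client in.  Per the thread, -sec on the V4: line only
    governs stateful RPCs without a file handle (SetClientID, Renew...);
    the mount and all file-handle RPCs follow the per-volume lines, so
    each of those lines needs its own -sec=krb5... as well."""
    findings = []
    saw_v4 = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        saw_v4 = saw_v4 or line.startswith("V4:")
        sec = parse_sec(line)
        if sec is None:
            findings.append((lineno, line, "no -sec: AUTH_SYS accepted"))
        elif not sec <= KRB_FLAVORS:
            weak = ",".join(sorted(sec - KRB_FLAVORS))
            findings.append((lineno, line, "non-Kerberos flavor(s): " + weak))
    if not saw_v4:
        findings.append((0, "", "no V4: line found"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_EXPORTS), ("strict", STRICT_EXPORTS)):
        print(name, audit_exports(text) or "ok")
```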
