From owner-freebsd-fs@FreeBSD.ORG Sun Apr 29 15:46:09 2012
From: Robert Simmons
To: freebsd-fs@freebsd.org
Date: Sun, 29 Apr 2012 11:46:07 -0400
Subject: Re: NFSv4 Questions
In-Reply-To: <310519099.96451.1335704999990.JavaMail.root@erie.cs.uoguelph.ca>
List-Id: Filesystems

On Sun, Apr 29, 2012 at 9:09 AM, Rick Macklem wrote:
> Robert Simmons wrote:
>> I've been digging and digging to find sources to clarify the
>> exports(5) man page with no luck. What I have read differs from what
>> I see on my server. From the man page examples section:
>>
>> V4: / -sec=krb5:krb5i:krb5p -network 131.104.48 -mask 255.255.255.0
>>
>> Now, here is what I have put as an experiment to try to understand
>> what's happening here (my /etc/exports):
>>
>> V4: / -sec=krb5 -network 192.168.1 -mask 255.255.255.0
>> /
>>
>> In this case, -sec=krb5 is totally ignored. I can mount / using sys.
>>
> The "-sec=krb5" restriction applies to state-related operations that don't
> use file handles.
> The FreeBSD mount doesn't do any of those, so it is the options on the second line
> "/" that control whether or not the mount succeeds.
>
> With the above exports, the first Open of a file should fail when attempted via auth_sys,
> at least for the FreeBSD client. (The FreeBSD client doesn't try and establish
> state via SetClientID until the first Open. Some other clients do so at mount time.)
>
> I know this is ugly, but I thought it would be confusing to have the semantics
> of the other export lines (like "/") different for NFSv4 than NFSv2,3. For NFSv2,3
> all RPCs involve a file handle, so they can be associated with a server volume.
> For NFSv4, this is not the case, since some state-related operations
> (SetClientID/SetClientIDConfirm/Renew and maybe a couple of others) do not use
> a file handle and, as such, can't be associated with an exported volume. I put
> the options in the "V4:" for those, since I couldn't think of where else to put
> them.

I think a rewrite of exports(5) might help out quite a lot, especially if the
EXAMPLES section was scrapped entirely and replaced with a set of examples, each
one more granular, explaining one feature or use case instead of lumping all of
it into explaining one huge export file. Since I'm working on setting up a pair
of NFS servers with a set of clients, I volunteer.

May I contact you offlist if I have questions?

>> If I use this:
>>
>> V4: /
>> / -sec=krb5
>>
>> It requires proper Kerberos authentication.
>>
> Yep, as explained above. If you really want to restrict NFSv4 use to Kerberos,
> then you should put the "-sec=krb5" on the V4: line and all lines exporting
> volumes. For example:
> V4: / -sec=krb5
> / -sec=krb5

Got it.

>> My next question is: can I reject NFSv3/v2 clients/connections?
>>
> sysctl vfs.nfsd.server_min_nfsvers=4

Perfect.

>> Third question is: how can I disable rpcbind? It seems that the
>> following does not work in rc.conf:
>> rpcbind_enable="NO"
>> When I'm running NFSv4, rpcbind is not needed, but it seems that mountd
>> always starts rpcbind no matter what I do:
>> /etc/rc.d/rpcbind stop
>> is the only way to do it, and that is only after boot, or mountd
>> starting.
>>
> Yea, I suppose there should be a -nfsv4-only option on mountd, so it
> knows that it only needs to do exports and doesn't need rpcbind.
> Since you are probably the first person wanting an NFSv4-only server,
> I hadn't thought to do this. I'll put it on my "to do" list.

If I may, perhaps a switch in /etc/rc.conf:

nfsv4_only="YES"

This would set the -nfsv4-only switch you mention for mountd, and it would set
vfs.nfsd.server_min_nfsvers=4. This would be exactly what I'm looking for.

Thanks for your help!
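The export semantics Rick lays out above (the "-sec=" on the "V4:" line only covers the file-handle-less state operations, so a Kerberos-only server needs "-sec=krb5" on the V4: line and on every volume line) turned into a check you can run against an exports file. This is an added example, not code from the thread or from FreeBSD; the function names `nfs_exports_audit` and `make_sample_exports` are hypothetical, the two exports(5) files it writes are constructed sample input, and it assumes the syntax shown in the thread (a `V4:` line plus per-volume lines, `-sec=` taking colon-separated flavours, no `-sec=` meaning sys).

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD. Audit an exports(5)
# file for lines that would still let an NFSv4 client in over AUTH_SYS.
#
# Per Rick's explanation: "-sec=" on the "V4:" line only governs the
# stateful operations that carry no file handle (SetClientID, Renew, ...).
# The mount and every file-handle operation are governed by the export line
# for that volume, so a Kerberos-only server needs "-sec=krb5" (or krb5i/krb5p)
# on the V4: line AND on every volume line. A line with no -sec= at all
# defaults to sys; a line listing sys among its flavours admits sys.

# nfs_exports_audit FILE: prints every offending line prefixed "weak: ".
# Returns 0 when the file is Kerberos-only, 1 when at least one line is weak.
nfs_exports_audit() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
        {
            sec = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^-sec=/) sec = substr($i, 6)   # text after "-sec="
            bad = 0
            if (sec == "") {
                bad = 1                              # no -sec= means sys only
            } else {
                n = split(sec, flav, ":")            # e.g. -sec=krb5:krb5i:krb5p
                for (j = 1; j <= n; j++)
                    if (flav[j] !~ /^krb5[ip]?$/) bad = 1
            }
            if (bad) { print "weak: " $0; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# make_sample_exports DIR: writes two constructed exports(5) files (sample
# input for this example, not real configuration) into DIR.
make_sample_exports() {
    # "good": Kerberos on the V4: line and on the volume line, as Rick advises.
    cat > "$1/good" <<'EOF'
# Kerberos-only NFSv4 server: state operations and file operations alike
V4: / -sec=krb5 -network 192.168.1 -mask 255.255.255.0
/ -sec=krb5:krb5i:krb5p -network 192.168.1 -mask 255.255.255.0
EOF
    # "weak": the first experiment from the thread (bare "/" line), plus a
    # volume that lists sys alongside krb5.
    cat > "$1/weak" <<'EOF'
V4: / -sec=krb5 -network 192.168.1 -mask 255.255.255.0
/
/usr -ro -sec=krb5:sys -network 192.168.1 -mask 255.255.255.0
EOF
}

# Run directly against a real file: sh nfs_exports_audit.sh /etc/exports
[ $# -eq 0 ] || nfs_exports_audit "$1"
```

Against the "weak" sample the audit flags the bare "/" line (mount and every file operation still allowed over sys, exactly what Robert observed) and the "/usr" line that lists sys next to krb5; the "good" sample passes. The check only covers exports(5); pair it with the sysctl Rick names, vfs.nfsd.server_min_nfsvers=4, to keep NFSv2/v3 clients out as well.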