Date: Sun, 29 Apr 2012 09:09:59 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Robert Simmons <rsimmons0@gmail.com>
Cc: freebsd-fs@freebsd.org
Subject: Re: NFSv4 Questions
Message-ID: <310519099.96451.1335704999990.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <CA+QLa9A-ZzupAaLxiuc_0uGYyOOmgcYfxE8SH5cxzMR8gxOGpQ@mail.gmail.com>
Robert Simmons wrote:
> I've been digging and digging to find sources to clarify the
> exports(5) man page with no luck. What I have read differs from what
> I see on my server. From the man page examples section:
>
> V4: / -sec=krb5:krb5i:krb5p -network 131.104.48 -mask 255.255.255.0
>
> Now, here is what I have put as an experiment to try to understand
> what's happening here (my /etc/exports):
>
> V4: / -sec=krb5 -network 192.168.1 -mask 255.255.255.0
> /
>
> In this case, -sec=krb5 is totally ignored. I can mount / using sys.
>
The "-sec=krb5" restriction applies to state related operations that don't
use file handles. The FreeBSD mount doesn't do any of those, so it is the
options on the second line "/" that control whether or not the mount
succeeds. With the above exports, the first Open of a file should fail
when attempted via auth_sys, at least for the FreeBSD client. (The FreeBSD
client doesn't try and establish state via SetClientID until the first
Open. Some other clients do so at mount time.)

I know this is ugly, but I thought it would be confusing to have the
semantics of the other export lines (like "/") different for NFSv4 than
NFSv2,3. For NFSv2,3 all RPCs involve a file handle, so they can be
associated with a server volume. For NFSv4, this is not the case, since
some state related operations (SetClientID/SetClientIDConfirm/Renew and
maybe a couple of others) do not use a file handle and, as such, can't be
associated with an exported volume. I put the options in the "V4:" for
those, since I couldn't think of where else to put them.

> If I use this:
>
> V4: /
> / -sec=krb5
>
> It requires proper kerberos authentication.
>
Yep, as explained above. If you really want to restrict NFSv4 use to
kerberos, then you should put the "-sec=krb5" on the V4: line and all
lines exporting volumes. For example:

V4: / -sec=krb5
/ -sec=krb5

> My next question is can I reject NFSv3/v2 clients/connections?
>
sysctl vfs.nfsd.server_min_nfsvers=4

> Third question is: how can I disable rpcbind? It seems that the
> following does not work in rc.conf:
> rpcbind_enable="NO"
> When I'm running NFSv4 rpcbind is not needed, but it seems that mountd
> always starts rpcbind no matter what I do:
> /etc/rc.d/rpcbind stop
> is the only way to do it, and that is only after boot, or mountd
> starting.
>
Yea, I suppose there should be a -nfsv4-only option on mountd, so it knows
that it only needs to do exports and doesn't need rpcbind. Since you are
probably the first person wanting an NFSv4 only server, I hadn't thought
to do this. I'll put it on my "to do" list.

Thanks for the comments, rick

> ______________________________________________
> freebsd-fs@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
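The point of the exchange above is easy to get wrong in practice: a "-sec=krb5" that appears only on the "V4:" line does not stop an auth_sys mount, because the per-volume lines decide whether the mount succeeds. The following is an added example, not code from the mail thread or from FreeBSD, showing a small sh/awk audit that applies Rick's rule to an exports(5) file: every non-comment line, the "V4:" line included, must carry a -sec= option whose flavors are all krb5, krb5i or krb5p. The sample exports file it writes is constructed for the example and reproduces Robert's second layout with the bare "/" line. The check is deliberately narrow: it only inspects -sec= tokens and does not try to parse every exports(5) construct, so treat anything it flags as a line to read by hand.

```shell
#!/bin/sh
# Added example: audit an exports(5) file for the mistake discussed above.
# A "-sec=krb5" only on the "V4:" line does not restrict the mount itself;
# every line that exports a volume needs a Kerberos-only -sec= as well.

# check_exports_krb5 FILE
#   Prints each non-comment, non-blank line whose -sec= option is missing or
#   admits a flavor other than krb5/krb5i/krb5p, and returns 1 if any such
#   line exists. Returns 0 when every line is Kerberos-only.
check_exports_krb5() {
    awk '
    /^[ \t]*#/ { next }                 # comment line
    NF == 0    { next }                 # blank line
    {
        ok = 0                          # no acceptable -sec= seen yet
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^-sec=/) {
                # "-sec=" is 5 characters; the rest is a colon-separated list
                n = split(substr($i, 6), flavor, ":")
                ok = (n > 0)
                for (j = 1; j <= n; j++)
                    if (flavor[j] != "krb5" && flavor[j] != "krb5i" &&
                        flavor[j] != "krb5p")
                        ok = 0          # e.g. "sys" lets auth_sys through
            }
        }
        if (!ok) { print "weak: " $0; bad = 1 }
    }
    END { if (bad) exit 1 }
    ' "$1"
}

# write_sample_exports FILE
#   Writes a constructed /etc/exports (not from a real server) using the
#   second layout from the thread: -sec=krb5 on "V4:" only, then a bare "/".
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample exports(5) file
V4: / -sec=krb5 -network 192.168.1 -mask 255.255.255.0
/
EOF
}

# When run directly with a path, audit that file, e.g.:
#   sh exports_krb5_check.sh /etc/exports
if [ "$#" -ge 1 ]; then
    check_exports_krb5 "$1"
fi
```

Run against the constructed sample the script reports `weak: /` and exits 1; with "-sec=krb5" (or krb5:krb5i:krb5p) on both the "V4:" line and the "/" line it is silent and exits 0. A line such as `/ -sec=sys:krb5` is also flagged, since listing sys alongside krb5 still allows auth_sys.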