From: Rick Macklem
To: Robert Simmons
Cc: freebsd-fs@freebsd.org
Date: Sun, 29 Apr 2012 09:09:59 -0400 (EDT)
Subject: Re: NFSv4 Questions
Message-ID: <310519099.96451.1335704999990.JavaMail.root@erie.cs.uoguelph.ca>

Robert Simmons wrote:
> I've been digging and digging to find sources to clarify the
> exports(5) man page with no luck. What I have read differs from what
> I see on my server.
>
> From the man page examples section:
>
> V4: / -sec=krb5:krb5i:krb5p -network 131.104.48 -mask 255.255.255.0
>
> Now, here is what I have put as an experiment to try to understand
> what's happening here (my /etc/exports):
>
> V4: / -sec=krb5 -network 192.168.1 -mask 255.255.255.0
> /
>
> In this case, -sec=krb5 is totally ignored. I can mount / using sys.
>
The "-sec=krb5" restriction applies to state-related operations that don't
use file handles. The FreeBSD mount doesn't do any of those, so it is the
options on the second line "/" that control whether or not the mount
succeeds. With the above exports, the first Open of a file should fail when
attempted via auth_sys, at least for the FreeBSD client. (The FreeBSD client
doesn't try to establish state via SetClientID until the first Open. Some
other clients do so at mount time.)

I know this is ugly, but I thought it would be confusing to have the
semantics of the other export lines (like "/") different for NFSv4 than
NFSv2,3. For NFSv2,3 all RPCs involve a file handle, so they can be
associated with a server volume. For NFSv4, this is not the case, since some
state-related operations (SetClientID/SetClientIDConfirm/Renew and maybe a
couple of others) do not use a file handle and, as such, can't be associated
with an exported volume. I put the options in the "V4:" for those, since I
couldn't think of where else to put them.

> If I use this:
>
> V4: /
> / -sec=krb5
>
> It requires proper kerberos authentication.
>
Yep, as explained above. If you really want to restrict NFSv4 use to
kerberos, then you should put the "-sec=krb5" on the V4: line and all lines
exporting volumes. For example:

V4: / -sec=krb5
/ -sec=krb5

> My next question is can I reject NFSv3/v2 clients/connections?
>
sysctl vfs.nfsd.server_min_nfsvers=4

> Third question is: how can I disable rpcbind? It seems that the
> following does not work in rc.conf:
> rpcbind_enable="NO"
> When I'm running NFSv4 rpcbind is not needed, but it seems that mountd
> always starts rpcbind no matter what I do:
> /etc/rc.d/rpcbind stop
> is the only way to do it, and that is only after boot, or mountd
> starting.
>
Yea, I suppose there should be a -nfsv4-only option on mountd, so it knows
that it only needs to do exports and doesn't need rpcbind. Since you are
probably the first person wanting an NFSv4 only server, I hadn't thought to
do this. I'll put it on my "to do" list.

Thanks for the comments, rick
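The point Rick makes above is easy to get wrong in practice: "-sec=krb5" on the "V4:" line governs only the state operations that carry no file handle, so a bare "/" line still defaults to auth_sys for the actual file access. The script below is an added example, not code from the thread or from FreeBSD; it audits an exports file in the format shown and flags every export line (the V4: line included) that lacks a -sec option or lists "sys" among its flavours. The two sample files it builds are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit an /etc/exports-style file for lines that still
# admit auth_sys. Rule applied (from the reply above): every export line,
# including "V4:", must carry -sec=... and that list must not contain "sys".
# Constructed helper, not part of FreeBSD's mountd or exports(5).

# check_exports FILE
#   prints each offending line, returns 0 if all lines pass, 1 otherwise
check_exports() {
    file=$1
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments
        case "$line" in
            ''|'#'*) continue ;;
        esac
        # find the -sec= option, if any, among the whitespace-separated words
        sec=''
        for word in $line; do
            case "$word" in
                -sec=*) sec=${word#-sec=} ;;
            esac
        done
        if [ -z "$sec" ]; then
            # no -sec option: mountd defaults this line to sys
            printf 'no -sec option (defaults to sys): %s\n' "$line"
            status=1
            continue
        fi
        # flavours are colon-separated, e.g. krb5:krb5i:krb5p
        case ":$sec:" in
            *:sys:*)
                printf 'allows sys: %s\n' "$line"
                status=1
                ;;
        esac
    done < "$file"
    return $status
}

# count_offenders FILE -> number of offending lines (for scripted checks)
count_offenders() {
    check_exports "$1" | wc -l | tr -d ' '
}

# Demonstration on two constructed files.
weak=$(mktemp)
strict=$(mktemp)

# The configuration from the question: V4: line restricted, "/" line bare.
printf '%s\n' \
    'V4: / -sec=krb5 -network 192.168.1 -mask 255.255.255.0' \
    '/' > "$weak"

# The configuration Rick recommends: -sec=krb5 on both lines.
printf '%s\n' \
    'V4: / -sec=krb5' \
    '/ -sec=krb5' > "$strict"

for f in "$weak" "$strict"; do
    if check_exports "$f"; then
        echo "$f: every export line requires Kerberos"
    else
        echo "$f: auth_sys still reachable on the lines listed above"
    fi
done

rm -f "$weak" "$strict"
```

Run it as a plain sh script; on the first sample it reports the bare "/" line, on the second it reports nothing. Lines with a -sec list such as krb5:sys are also reported, since "sys" anywhere in the list is enough to let an unauthenticated mount through.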