I see that some of my questions were not formulated well enough:

>
> > 2) What forces the client computer to use stronger security rather than
> > AUTH_UNIX over RPC. I have the total control of what's going on the server,
> > but plan no changes in configuration of clients.
>
> The client has to be able to support RPCSEC_GSS and a GSS mechanism in
> common with the server. The server forces the use of RPCSEC_GSS -- I
> think -- look at the MOUNT protocol -- either that or the client must
> know ahead of time that RPCSEC_GSS is needed for a particular NFS
> share. I forget this detail...

OK, I have the details in the RFC. You are right regarding NFS v3, although I
don't know how to deal with NFS v2.

>
> > 3) How can I support both AUTH_UNIX and Kerberos over AUTH_RPCGSS in the
> > single installation. The question is not about security leaks but rather
> > about user identification: in case of AUTH_UNIX I get user ID/group ID with
> > RPC message. In case of Kerberos - I get ticket. How should I support the
> > single namespace of users for these 2 methods.
>
> You can't use AUTH_UNIX as a flavor of RPCSEC_GSS.

I meant AUTH_UNIX not over RPCSEC_GSS, but rather 2 independent flavors,
returned by the MOUNT protocol.

Thanks
Vladimir
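
The MOUNT reply discussed above, as an added example that is not part of the original message: a parser for the body of an NFSv3 MNT reply (`mountres3` in RFC 1813), which carries the list of flavors the server accepts for the export. The sample reply is constructed, and the 39000x Kerberos V5 pseudo-flavor numbers are the ones RFC 2623 assigns.

```python
import struct

# AUTH_* numbers come from ONC RPC; 39000x are the RFC 2623 pseudo-flavors
# a server lists in a MOUNT reply to advertise Kerberos V5 over RPCSEC_GSS.
FLAVORS = {0: "AUTH_NONE", 1: "AUTH_UNIX", 6: "RPCSEC_GSS",
           390003: "krb5", 390004: "krb5i", 390005: "krb5p"}
FHSIZE3 = 64  # maximum NFSv3 file handle size (RFC 1813)

def parse_mountres3(buf):
    """Return (file_handle, [flavor numbers]) from a MOUNT v3 MNT reply body."""
    def u32(off):
        if off + 4 > len(buf):
            raise ValueError("truncated reply")
        return struct.unpack_from(">I", buf, off)[0]

    status = u32(0)
    if status != 0:                        # MNT3_OK is 0
        raise ValueError(f"mount refused, mountstat3={status}")
    fhlen = u32(4)
    if fhlen > FHSIZE3 or 8 + fhlen > len(buf):
        raise ValueError("bad file handle length")
    handle = buf[8:8 + fhlen]
    off = 8 + ((fhlen + 3) & ~3)           # XDR pads opaque data to 4 bytes
    count = u32(off)
    off += 4
    if count > (len(buf) - off) // 4:      # never trust the declared count
        raise ValueError("flavor list longer than reply")
    return handle, list(struct.unpack_from(f">{count}I", buf, off))

def flavor_names(flavors):
    return [FLAVORS.get(f, f"unknown({f})") for f in flavors]

def build_sample():
    """Constructed reply: 30-byte handle, flavors krb5 and AUTH_UNIX."""
    handle = bytes(range(30))
    return (struct.pack(">II", 0, len(handle)) + handle + b"\0\0"
            + struct.pack(">III", 2, 390003, 1))

if __name__ == "__main__":
    fh, flavors = parse_mountres3(build_sample())
    print(len(fh), flavor_names(flavors))
```

An export that lists both a krb5 pseudo-flavor and AUTH_UNIX, as in the sample, is the two-flavor setup the message asks about: the server then sees either a Kerberos principal or a raw UID/GID depending on which flavor the client chose.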


